Add NetworkService interfaces to set the SSLConfig.

And make SSLConfigServiceMonitor use them.

BUG: 755309
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I72f16fdd74eecf2a9b565895fc97d90654384b16
Reviewed-on: https://chromium-review.googlesource.com/1022691
Commit-Queue: Matt Menke <mmenke@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#560355}

chrome/browser/browsing_data/browsing_data_channel_id_helper_unittest.cc

@@ -28,11 +28,17 @@ class BrowsingDataChannelIDHelperTest
   void SetUp() override {
     testing_profile_.reset(new TestingProfile());
 
-    testing_profile_->GetSSLConfigService()->AddObserver(this);
+    testing_profile_->GetRequestContext()
+        ->GetURLRequestContext()
+        ->ssl_config_service()
+        ->AddObserver(this);
   }
 
   void TearDown() override {
-    testing_profile_->GetSSLConfigService()->RemoveObserver(this);
+    testing_profile_->GetRequestContext()
+        ->GetURLRequestContext()
+        ->ssl_config_service()
+        ->RemoveObserver(this);
   }
 
   void CreateChannelIDsForTest() {

chrome/browser/io_thread.cc

@@ -363,10 +363,6 @@ IOThread::IOThread(
       nullptr,
       nullptr,
       local_state);
-  ssl_config_service_manager_.reset(
-      SSLConfigServiceManager::CreateDefaultManager(
-          local_state,
-          BrowserThread::GetTaskRunnerForThread(BrowserThread::IO)));
 
   local_state->SetDefaultPrefValue(prefs::kBuiltInDnsClientEnabled,
                                    base::Value(ShouldEnableAsyncDns()));
@@ -663,10 +659,6 @@ void IOThread::DisableQuic() {
   globals_->quic_disabled = true;
 }
 
-net::SSLConfigService* IOThread::GetSSLConfigService() {
-  return ssl_config_service_manager_->Get();
-}
-
 void IOThread::ChangedToOnTheRecordOnIOThread() {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
@@ -720,7 +712,6 @@ void IOThread::ConstructSystemRequestContext() {
   std::unique_ptr<net::HostResolver> host_resolver(
       CreateGlobalHostResolver(net_log_));
 
-  builder->set_ssl_config_service(GetSSLConfigService());
   builder->SetHttpAuthHandlerFactory(
       CreateDefaultAuthHandlerFactory(host_resolver.get()));
 

chrome/browser/io_thread.h

@@ -23,7 +23,6 @@
 #include "build/build_config.h"
 #include "chrome/browser/net/chrome_network_delegate.h"
 #include "chrome/browser/net/system_network_context_manager.h"
-#include "chrome/browser/ssl/ssl_config_service_manager.h"
 #include "chrome/common/buildflags.h"
 #include "components/metrics/data_use_tracker.h"
 #include "components/prefs/pref_member.h"
@@ -67,7 +66,6 @@ class HttpAuthHandlerFactory;
 class HttpAuthPreferences;
 class NetworkQualityEstimator;
 class RTTAndThroughputEstimatesObserver;
-class SSLConfigService;
 class URLRequestContext;
 class URLRequestContextGetter;
 }  // namespace net
@@ -199,9 +197,6 @@ class IOThread : public content::BrowserThreadDelegate {
   std::unique_ptr<net::HttpAuthHandlerFactory> CreateDefaultAuthHandlerFactory(
       net::HostResolver* host_resolver);
 
-  // Returns an SSLConfigService instance.
-  net::SSLConfigService* GetSSLConfigService();
-
   void ChangedToOnTheRecordOnIOThread();
 
   void UpdateDnsClientEnabled();
@@ -282,10 +277,6 @@ class IOThread : public content::BrowserThreadDelegate {
   network::mojom::NetworkContextRequest network_context_request_;
   network::mojom::NetworkContextParamsPtr network_context_params_;
 
-  // This is an instance of the default SSLConfigServiceManager for the current
-  // platform and it gets SSL preferences from local_state object.
-  std::unique_ptr<SSLConfigServiceManager> ssl_config_service_manager_;
-
   scoped_refptr<net::URLRequestContextGetter>
       system_url_request_context_getter_;
 

chrome/browser/net/default_network_context_params.cc

@@ -13,6 +13,7 @@
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/net/chrome_mojo_proxy_resolver_factory.h"
+#include "chrome/browser/net/system_network_context_manager.h"
 #include "chrome/common/channel_info.h"
 #include "chrome/common/chrome_content_client.h"
 #include "chrome/common/chrome_switches.h"
@@ -70,6 +71,13 @@ network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams() {
   network_context_params->dangerously_allow_pac_access_to_secure_urls =
       !local_state->GetBoolean(prefs::kPacHttpsUrlStrippingEnabled);
 
+  // Use the SystemNetworkContextManager to populate and update SSL
+  // configuration. The SystemNetworkContextManager is owned by the
+  // BrowserProcess itself, so will only be destroyed on shutdown, at which
+  // point, all NetworkContexts will be destroyed as well.
+  g_browser_process->system_network_context_manager()
+      ->AddSSLConfigToNetworkContextParams(network_context_params.get());
+
 #if !defined(OS_ANDROID)
   // CT is only enabled on Desktop platforms for now.
   network_context_params->enforce_chrome_ct_policy = true;

chrome/browser/net/network_context_configuration_browsertest.cc

@@ -47,6 +47,8 @@
 #include "net/base/net_errors.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_response_headers.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_server_config.h"
 #include "net/test/embedded_test_server/controllable_http_response.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/embedded_test_server_connection_listener.h"
@@ -738,6 +740,90 @@ IN_PROC_BROWSER_TEST_P(NetworkContextConfigurationBrowserTest, Hsts) {
 
 #endif  // !defined(OS_MACOSX)
 
+// Check that the SSLConfig is hooked up. PRE_SSLConfig checks that changing
+// local_state() after start modifies the SSLConfig, SSLConfig makes sure the
+// (now modified) initial value of local_state() is respected.
+IN_PROC_BROWSER_TEST_P(NetworkContextConfigurationBrowserTest, PRE_SSLConfig) {
+  // Start a TLS 1.0 server.
+  net::EmbeddedTestServer ssl_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  net::SSLServerConfig ssl_config;
+  ssl_config.version_min = net::SSL_PROTOCOL_VERSION_TLS1;
+  ssl_config.version_max = net::SSL_PROTOCOL_VERSION_TLS1;
+  ssl_server.SetSSLConfig(net::EmbeddedTestServer::CERT_OK, ssl_config);
+  ssl_server.AddDefaultHandlers(
+      base::FilePath(FILE_PATH_LITERAL("chrome/test/data")));
+  ASSERT_TRUE(ssl_server.Start());
+
+  std::unique_ptr<network::ResourceRequest> request =
+      std::make_unique<network::ResourceRequest>();
+  request->url = ssl_server.GetURL("/echo");
+  content::SimpleURLLoaderTestHelper simple_loader_helper;
+  std::unique_ptr<network::SimpleURLLoader> simple_loader =
+      network::SimpleURLLoader::Create(std::move(request),
+                                       TRAFFIC_ANNOTATION_FOR_TESTS);
+  simple_loader->DownloadToStringOfUnboundedSizeUntilCrashAndDie(
+      loader_factory(), simple_loader_helper.GetCallback());
+  simple_loader_helper.WaitForCallback();
+#if defined(OS_MACOSX)
+  // TODO(https://crbug.com/757088):  Test certs don't work on OSX, with the
+  // network service.
+  if (GetParam().network_service_state != NetworkServiceState::kDisabled) {
+    EXPECT_FALSE(simple_loader_helper.response_body());
+  } else {
+    ASSERT_TRUE(simple_loader_helper.response_body());
+    EXPECT_EQ(*simple_loader_helper.response_body(), "Echo");
+  }
+#else
+  ASSERT_TRUE(simple_loader_helper.response_body());
+  EXPECT_EQ(*simple_loader_helper.response_body(), "Echo");
+#endif
+
+  // Disallow TLS 1.0 via prefs.
+  g_browser_process->local_state()->SetString(prefs::kSSLVersionMin,
+                                              switches::kSSLVersionTLSv11);
+  // Flush the changes to the network process, to avoid a race between updating
+  // the config and the next request.
+  g_browser_process->system_network_context_manager()
+      ->FlushSSLConfigManagerForTesting();
+
+  // With the new prefs, requests to the server should be blocked.
+  request = std::make_unique<network::ResourceRequest>();
+  request->url = ssl_server.GetURL("/echo");
+  content::SimpleURLLoaderTestHelper simple_loader_helper2;
+  simple_loader = network::SimpleURLLoader::Create(
+      std::move(request), TRAFFIC_ANNOTATION_FOR_TESTS);
+  simple_loader->DownloadToStringOfUnboundedSizeUntilCrashAndDie(
+      loader_factory(), simple_loader_helper2.GetCallback());
+  simple_loader_helper2.WaitForCallback();
+  EXPECT_FALSE(simple_loader_helper2.response_body());
+  EXPECT_EQ(net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH, simple_loader->NetError());
+}
+
+IN_PROC_BROWSER_TEST_P(NetworkContextConfigurationBrowserTest, SSLConfig) {
+  // Start a TLS 1.0 server.
+  net::EmbeddedTestServer ssl_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  net::SSLServerConfig ssl_config;
+  ssl_config.version_min = net::SSL_PROTOCOL_VERSION_TLS1;
+  ssl_config.version_max = net::SSL_PROTOCOL_VERSION_TLS1;
+  ssl_server.SetSSLConfig(net::EmbeddedTestServer::CERT_OK, ssl_config);
+  ASSERT_TRUE(ssl_server.Start());
+
+  // Making a request should fail, since PRE_SSLConfig saved a pref to disallow
+  // TLS 1.0.
+  std::unique_ptr<network::ResourceRequest> request =
+      std::make_unique<network::ResourceRequest>();
+  request->url = ssl_server.GetURL("/echo");
+  content::SimpleURLLoaderTestHelper simple_loader_helper;
+  std::unique_ptr<network::SimpleURLLoader> simple_loader =
+      network::SimpleURLLoader::Create(std::move(request),
+                                       TRAFFIC_ANNOTATION_FOR_TESTS);
+  simple_loader->DownloadToStringOfUnboundedSizeUntilCrashAndDie(
+      loader_factory(), simple_loader_helper.GetCallback());
+  simple_loader_helper.WaitForCallback();
+  EXPECT_FALSE(simple_loader_helper.response_body());
+  EXPECT_EQ(net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH, simple_loader->NetError());
+}
+
 IN_PROC_BROWSER_TEST_P(NetworkContextConfigurationBrowserTest, ProxyConfig) {
   SetProxyPref(embedded_test_server()->host_port_pair());
   TestProxyConfigured(/*expect_success=*/true);

chrome/browser/net/system_network_context_manager.cc

@@ -16,6 +16,8 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/io_thread.h"
 #include "chrome/browser/net/default_network_context_params.h"
+#include "chrome/browser/safe_browsing/safe_browsing_service.h"
+#include "chrome/browser/ssl/ssl_config_service_manager.h"
 #include "components/policy/core/common/policy_namespace.h"
 #include "components/policy/core/common/policy_service.h"
 #include "components/policy/policy_constants.h"
@@ -153,7 +155,9 @@ void SystemNetworkContextManager::SetUp(
   *is_quic_allowed = is_quic_allowed_;
 }
 
-SystemNetworkContextManager::SystemNetworkContextManager() {
+SystemNetworkContextManager::SystemNetworkContextManager()
+    : ssl_config_service_manager_(SSLConfigServiceManager::CreateDefaultManager(
+          g_browser_process->local_state())) {
   const base::Value* value =
       g_browser_process->policy_service()
           ->GetPolicies(policy::PolicyNamespace(policy::POLICY_DOMAIN_CHROME,
@@ -187,6 +191,16 @@ void SystemNetworkContextManager::DisableQuic() {
       base::BindOnce(&DisableQuicOnIOThread, io_thread));
 }
 
+void SystemNetworkContextManager::AddSSLConfigToNetworkContextParams(
+    network::mojom::NetworkContextParams* network_context_params) {
+  ssl_config_service_manager_->AddToNetworkContextParams(
+      network_context_params);
+}
+
+void SystemNetworkContextManager::FlushSSLConfigManagerForTesting() {
+  ssl_config_service_manager_->FlushForTesting();
+}
+
 void SystemNetworkContextManager::FlushProxyConfigMonitorForTesting() {
   proxy_config_monitor_.FlushForTesting();
 }

chrome/browser/net/system_network_context_manager.h

@@ -11,8 +11,9 @@
 #include "base/memory/ref_counted.h"
 #include "chrome/browser/net/proxy_config_monitor.h"
 #include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/ssl_config.mojom.h"
 
-class ProxyConfigMonitor;
+class SSLConfigServiceManager;
 
 namespace network {
 namespace mojom {
@@ -75,8 +76,23 @@ class SystemNetworkContextManager {
   // NetworkService, and for those using the network service (if enabled).
   void DisableQuic();
 
+  // Returns an SSLConfigClientRequest that can be passed as a
+  // NetorkContextParam.
+  network::mojom::SSLConfigClientRequest GetSSLConfigClientRequest();
+
+  // Populates |initial_ssl_config| and |ssl_config_client_request| members of
+  // |network_context_params|. As long as the SystemNetworkContextManager
+  // exists, any NetworkContext created with the params will continue to get
+  // SSL configuration updates.
+  void AddSSLConfigToNetworkContextParams(
+      network::mojom::NetworkContextParams* network_context_params);
+
+  // Flushes all pending SSL configuration changes.
+  void FlushSSLConfigManagerForTesting();
+
   // Flushes all pending proxy configuration changes.
   void FlushProxyConfigMonitorForTesting();
+
   // Call |FlushForTesting()| on Network Service related interfaces. For test
   // use only.
   void FlushNetworkInterfaceForTesting();
@@ -88,6 +104,11 @@ class SystemNetworkContextManager {
   // it initializes some class members.
   network::mojom::NetworkContextParamsPtr CreateNetworkContextParams();
 
+  // This is an instance of the default SSLConfigServiceManager for the current
+  // platform and it gets SSL preferences from the BrowserProcess's local_state
+  // object. It's shared with other NetworkContexts.
+  std::unique_ptr<SSLConfigServiceManager> ssl_config_service_manager_;
+
   ProxyConfigMonitor proxy_config_monitor_;
 
   // NetworkContext using the network service, if the network service is

chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc

@@ -5,7 +5,6 @@
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "base/message_loop/message_loop.h"
-#include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/prefs/chrome_command_line_pref_store.h"
 #include "chrome/browser/ssl/ssl_config_service_manager.h"
 #include "chrome/common/chrome_switches.h"
@@ -14,13 +13,10 @@
 #include "components/prefs/pref_service.h"
 #include "components/prefs/testing_pref_store.h"
 #include "components/sync_preferences/pref_service_mock_factory.h"
-#include "net/ssl/ssl_config.h"
-#include "net/ssl/ssl_config_service.h"
+#include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/ssl_config.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-using net::SSLConfig;
-using net::SSLConfigService;
-
 class CommandLinePrefStoreSSLManagerTest : public testing::Test {
  public:
   CommandLinePrefStoreSSLManagerTest() {}
@@ -46,20 +42,19 @@ TEST_F(CommandLinePrefStoreSSLManagerTest, CommandLinePrefs) {
   std::unique_ptr<PrefService> local_state(factory.Create(registry.get()));
 
   SSLConfigServiceManager::RegisterPrefs(registry.get());
-
+  network::mojom::NetworkContextParamsPtr context_params =
+      network::mojom::NetworkContextParams::New();
   std::unique_ptr<SSLConfigServiceManager> config_manager(
-      SSLConfigServiceManager::CreateDefaultManager(
-          local_state.get(), base::ThreadTaskRunnerHandle::Get()));
-  ASSERT_TRUE(config_manager.get());
-  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
-  ASSERT_TRUE(config_service.get());
-
-  SSLConfig ssl_config;
-  config_service->GetSSLConfig(&ssl_config);
+      SSLConfigServiceManager::CreateDefaultManager(local_state.get()));
+  config_manager->AddToNetworkContextParams(context_params.get());
+
   // Command-line flags should be respected.
-  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_1, ssl_config.version_min);
-  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_3, ssl_config.version_max);
-  EXPECT_EQ(net::kTLS13VariantDraft23, ssl_config.tls13_variant);
+  EXPECT_EQ(network::mojom::SSLVersion::kTLS11,
+            context_params->initial_ssl_config->version_min);
+  EXPECT_EQ(network::mojom::SSLVersion::kTLS13,
+            context_params->initial_ssl_config->version_max);
+  EXPECT_EQ(network::mojom::TLS13Variant::kDraft23,
+            context_params->initial_ssl_config->tls13_variant);
 
   // Explicitly double-check the settings are not in the preference store.
   const PrefService::Preference* version_min_pref =
@@ -101,18 +96,17 @@ TEST_F(CommandLinePrefStoreSSLManagerTest, TLS13VariantEnabled) {
 
   SSLConfigServiceManager::RegisterPrefs(registry.get());
 
+  network::mojom::NetworkContextParamsPtr context_params =
+      network::mojom::NetworkContextParams::New();
   std::unique_ptr<SSLConfigServiceManager> config_manager(
-      SSLConfigServiceManager::CreateDefaultManager(
-          local_state.get(), base::ThreadTaskRunnerHandle::Get()));
-  ASSERT_TRUE(config_manager.get());
-  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
-  ASSERT_TRUE(config_service.get());
-
-  SSLConfig ssl_config;
-  config_service->GetSSLConfig(&ssl_config);
+      SSLConfigServiceManager::CreateDefaultManager(local_state.get()));
+  config_manager->AddToNetworkContextParams(context_params.get());
+
   // Command-line flags should be respected.
-  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_3, ssl_config.version_max);
-  EXPECT_EQ(net::kTLS13VariantDraft23, ssl_config.tls13_variant);
+  EXPECT_EQ(network::mojom::SSLVersion::kTLS13,
+            context_params->initial_ssl_config->version_max);
+  EXPECT_EQ(network::mojom::TLS13Variant::kDraft23,
+            context_params->initial_ssl_config->tls13_variant);
 }
 
 // Test that setting a disabled TLS 1.3 variant correctly sets SSLVersionMax.
@@ -132,15 +126,13 @@ TEST_F(CommandLinePrefStoreSSLManagerTest, TLS13VariantDisabled) {
 
   SSLConfigServiceManager::RegisterPrefs(registry.get());
 
+  network::mojom::NetworkContextParamsPtr context_params =
+      network::mojom::NetworkContextParams::New();
   std::unique_ptr<SSLConfigServiceManager> config_manager(
-      SSLConfigServiceManager::CreateDefaultManager(
-          local_state.get(), base::ThreadTaskRunnerHandle::Get()));
-  ASSERT_TRUE(config_manager.get());
-  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
-  ASSERT_TRUE(config_service.get());
-
-  SSLConfig ssl_config;
-  config_service->GetSSLConfig(&ssl_config);
+      SSLConfigServiceManager::CreateDefaultManager(local_state.get()));
+  config_manager->AddToNetworkContextParams(context_params.get());
+
   // Command-line flags should be respected.
-  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_2, ssl_config.version_max);
+  EXPECT_EQ(network::mojom::SSLVersion::kTLS12,
+            context_params->initial_ssl_config->version_max);
 }

chrome/browser/profiles/off_the_record_profile_impl.cc

@@ -401,10 +401,6 @@ content::ResourceContext* OffTheRecordProfileImpl::GetResourceContext() {
   return io_data_->GetResourceContext();
 }
 
-net::SSLConfigService* OffTheRecordProfileImpl::GetSSLConfigService() {
-  return profile_->GetSSLConfigService();
-}
-
 content::BrowserPluginGuestManager* OffTheRecordProfileImpl::GetGuestManager() {
 #if BUILDFLAG(ENABLE_EXTENSIONS)
   return guest_view::GuestViewManager::FromBrowserContext(this);

chrome/browser/profiles/off_the_record_profile_impl.h

@@ -70,7 +70,6 @@ class OffTheRecordProfileImpl : public Profile {
       const base::FilePath& partition_path,
       bool in_memory) override;
   void RegisterInProcessServices(StaticServiceMap* services) override;
-  net::SSLConfigService* GetSSLConfigService() override;
   bool IsSameProfile(Profile* profile) override;
   base::Time GetStartTime() const override;
   base::FilePath last_selected_directory() override;

chrome/browser/profiles/profile.h

@@ -39,10 +39,6 @@ namespace content {
 class WebUI;
 }
 
-namespace net {
-class SSLConfigService;
-}
-
 namespace user_prefs {
 class PrefRegistrySyncable;
 }
@@ -204,9 +200,6 @@ class Profile : public content::BrowserContext {
   // is only used for a separate cookie store currently.
   virtual net::URLRequestContextGetter* GetRequestContextForExtensions() = 0;
 
-  // Returns the SSLConfigService for this profile.
-  virtual net::SSLConfigService* GetSSLConfigService() = 0;
-
   // Return whether 2 profiles are the same. 2 profiles are the same if they
   // represent the same profile. This can happen if there is pointer equality
   // or if one profile is the incognito version of another profile (or vice

chrome/browser/profiles/profile_impl.cc

@@ -84,7 +84,6 @@
 #include "chrome/browser/signin/signin_ui_util.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h"
-#include "chrome/browser/ssl/ssl_config_service_manager.h"
 #include "chrome/browser/ui/startup/startup_browser_creator.h"
 #include "chrome/browser/ui/webui/prefs_internals_source.h"
 #include "chrome/common/buildflags.h"
@@ -607,12 +606,6 @@ void ProfileImpl::DoFinalInit() {
   UpdateIsEphemeralInStorage();
   GAIAInfoUpdateServiceFactory::GetForProfile(this);
 
-  PrefService* local_state = g_browser_process->local_state();
-  ssl_config_service_manager_.reset(
-      SSLConfigServiceManager::CreateDefaultManager(
-          local_state,
-          BrowserThread::GetTaskRunnerForThread(BrowserThread::IO)));
-
 #if BUILDFLAG(ENABLE_BACKGROUND_MODE)
   // Initialize the BackgroundModeManager - this has to be done here before
   // InitExtensions() is called because it relies on receiving notifications
@@ -643,6 +636,7 @@ void ProfileImpl::DoFinalInit() {
   // Make sure we initialize the ProfileIOData after everything else has been
   // initialized that we might be reading from the IO thread.
 
+  PrefService* local_state = g_browser_process->local_state();
   io_data_.Init(media_cache_path, media_cache_max_size, extensions_cookie_path,
                 GetPath(), predictor_, GetSpecialStoragePolicy(),
                 reporting_permissions_checker_factory_.CreateChecker(),
@@ -1029,17 +1023,6 @@ net::URLRequestContextGetter* ProfileImpl::GetRequestContextForExtensions() {
   return io_data_.GetExtensionsRequestContextGetter().get();
 }
 
-net::SSLConfigService* ProfileImpl::GetSSLConfigService() {
-  // If ssl_config_service_manager_ is null, this typically means that some
-  // KeyedService is trying to create a RequestContext at startup,
-  // but SSLConfigServiceManager is not initialized until DoFinalInit() which is
-  // invoked after all KeyedServices have been initialized (see
-  // http://crbug.com/171406).
-  DCHECK(ssl_config_service_manager_)
-      << "SSLConfigServiceManager is not initialized yet";
-  return ssl_config_service_manager_->Get();
-}
-
 content::BrowserPluginGuestManager* ProfileImpl::GetGuestManager() {
 #if BUILDFLAG(ENABLE_EXTENSIONS)
   return guest_view::GuestViewManager::FromBrowserContext(this);

chrome/browser/profiles/profile_impl.h

@@ -31,7 +31,6 @@
 
 class MediaDeviceIDSalt;
 class PrefService;
-class SSLConfigServiceManager;
 
 #if defined(OS_CHROMEOS)
 namespace chromeos {
@@ -131,7 +130,6 @@ class ProfileImpl : public Profile {
   PrefService* GetReadOnlyOffTheRecordPrefs() override;
   net::URLRequestContextGetter* GetRequestContext() override;
   net::URLRequestContextGetter* GetRequestContextForExtensions() override;
-  net::SSLConfigService* GetSSLConfigService() override;
   bool IsSameProfile(Profile* profile) override;
   base::Time GetStartTime() const override;
   base::FilePath last_selected_directory() override;
@@ -240,7 +238,6 @@ class ProfileImpl : public Profile {
   scoped_refptr<ExtensionSpecialStoragePolicy>
       extension_special_storage_policy_;
 #endif
-  std::unique_ptr<SSLConfigServiceManager> ssl_config_service_manager_;
 
   // Exit type the last time the profile was opened. This is set only once from
   // prefs.

chrome/browser/profiles/profile_io_data.cc

@@ -431,7 +431,6 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
   params->cookie_settings = CookieSettingsFactory::GetForProfile(profile);
   params->host_content_settings_map =
       HostContentSettingsMapFactory::GetForProfile(profile);
-  params->ssl_config_service = profile->GetSSLConfigService();
 
 #if BUILDFLAG(ENABLE_EXTENSIONS)
   params->extension_info_map =
@@ -1049,8 +1048,6 @@ void ProfileIOData::Init(
   std::unique_ptr<network::URLRequestContextBuilderMojo> builder =
       std::make_unique<network::URLRequestContextBuilderMojo>();
 
-  builder->set_ssl_config_service(profile_params_->ssl_config_service);
-
   ChromeNetworkDelegate* chrome_network_delegate_unowned = nullptr;
   if (!base::FeatureList::IsEnabled(network::features::kNetworkService)) {
     std::unique_ptr<ChromeNetworkDelegate> chrome_network_delegate(

chrome/browser/profiles/profile_io_data.h

@@ -77,7 +77,6 @@ class ClientCertStore;
 class CookieStore;
 class HttpTransactionFactory;
 class ReportSender;
-class SSLConfigService;
 class URLRequestContextBuilder;
 class URLRequestJobFactoryImpl;
 
@@ -346,7 +345,6 @@ class ProfileIOData {
 
     scoped_refptr<content_settings::CookieSettings> cookie_settings;
     scoped_refptr<HostContentSettingsMap> host_content_settings_map;
-    scoped_refptr<net::SSLConfigService> ssl_config_service;
 #if BUILDFLAG(ENABLE_EXTENSIONS)
     scoped_refptr<extensions::InfoMap> extension_info_map;
 #endif

chrome/browser/ssl/ssl_config_service_manager.h

@@ -5,38 +5,36 @@
 #ifndef CHROME_BROWSER_SSL_SSL_CONFIG_SERVICE_MANAGER_H_
 #define CHROME_BROWSER_SSL_SSL_CONFIG_SERVICE_MANAGER_H_
 
-#include "base/memory/ref_counted.h"
-
-namespace base {
-class SingleThreadTaskRunner;
-}
-
-namespace net {
-class SSLConfigService;
-}  // namespace net
+#include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/ssl_config.mojom.h"
 
 class PrefService;
 class PrefRegistrySimple;
 
-// An interface for creating SSLConfigService objects.
+// An interface for sending updated network::mojom::SSLConfigs to one or more
+// network::Mojom::SSLConfigClients. Not threadsafe.
 class SSLConfigServiceManager {
  public:
   // Create an instance of the SSLConfigServiceManager. The lifetime of the
   // PrefService objects must be longer than that of the manager. Get SSL
   // preferences from local_state object.
   static SSLConfigServiceManager* CreateDefaultManager(
-      PrefService* local_state,
-      const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner);
+      PrefService* local_state);
 
   static void RegisterPrefs(PrefRegistrySimple* registry);
 
   virtual ~SSLConfigServiceManager() {}
 
-  // Get an SSLConfigService instance.  It may be a new instance or the manager
-  // may return the same instance multiple times.
-  // The caller should hold a reference as long as it needs the instance (eg,
-  // using scoped_refptr.)
-  virtual net::SSLConfigService* Get() = 0;
+  // Populates the SSLConfig-related members of |network_context_params|
+  // (|initial_ssl_config| and |ssl_config_client_request|). Updated SSLConfigs
+  // will be send to the NetworkContext created with those params whenever the
+  // configuration changes. Can be called more than once to inform multiple
+  // NetworkContexts of changes.
+  virtual void AddToNetworkContextParams(
+      network::mojom::NetworkContextParams* network_context_params) = 0;
+
+  // Flushes all SSLConfigClient mojo pipes, to avoid races in tests.
+  virtual void FlushForTesting() = 0;
 };
 
 #endif  // CHROME_BROWSER_SSL_SSL_CONFIG_SERVICE_MANAGER_H_

chrome/browser/ui/app_list/test/fake_profile.cc

@@ -163,10 +163,6 @@ net::URLRequestContextGetter* FakeProfile::GetRequestContextForExtensions() {
   return nullptr;
 }
 
-net::SSLConfigService* FakeProfile::GetSSLConfigService() {
-  return nullptr;
-}
-
 bool FakeProfile::IsSameProfile(Profile* profile) {
   return false;
 }

chrome/browser/ui/app_list/test/fake_profile.h

@@ -76,7 +76,6 @@ class FakeProfile : public Profile {
   PrefService* GetOffTheRecordPrefs() override;
   net::URLRequestContextGetter* GetRequestContext() override;
   net::URLRequestContextGetter* GetRequestContextForExtensions() override;
-  net::SSLConfigService* GetSSLConfigService() override;
   bool IsSameProfile(Profile* profile) override;
   base::Time GetStartTime() const override;
   base::FilePath last_selected_directory() override;

chrome/test/base/testing_profile.cc

@@ -843,12 +843,6 @@ net::URLRequestContextGetter* TestingProfile::GetRequestContextForExtensions() {
   return extensions_request_context_.get();
 }
 
-net::SSLConfigService* TestingProfile::GetSSLConfigService() {
-  if (!GetRequestContext())
-    return NULL;
-  return GetRequestContext()->GetURLRequestContext()->ssl_config_service();
-}
-
 content::ResourceContext* TestingProfile::GetResourceContext() {
   if (!resource_context_)
     resource_context_ = new content::MockResourceContext();

chrome/test/base/testing_profile.h

@@ -309,7 +309,6 @@ class TestingProfile : public Profile {
 #endif  // !defined(OS_ANDROID)
   net::URLRequestContextGetter* GetRequestContext() override;
   net::URLRequestContextGetter* GetRequestContextForExtensions() override;
-  net::SSLConfigService* GetSSLConfigService() override;
   void set_last_session_exited_cleanly(bool value) {
     last_session_exited_cleanly_ = value;
   }

net/ssl/ssl_config_service.cc

@@ -12,6 +12,29 @@
 
 namespace net {
 
+namespace {
+
+// Checks if the config-service managed fields in two SSLConfigs are the same.
+bool SSLConfigsAreEqual(const net::SSLConfig& config1,
+                        const net::SSLConfig& config2) {
+  return std::tie(config1.rev_checking_enabled,
+                  config1.rev_checking_required_local_anchors,
+                  config1.sha1_local_anchors_enabled,
+                  config1.symantec_enforcement_disabled, config1.version_min,
+                  config1.version_max, config1.tls13_variant,
+                  config1.disabled_cipher_suites, config1.channel_id_enabled,
+                  config1.false_start_enabled, config1.require_ecdhe) ==
+         std::tie(config2.rev_checking_enabled,
+                  config2.rev_checking_required_local_anchors,
+                  config2.sha1_local_anchors_enabled,
+                  config2.symantec_enforcement_disabled, config2.version_min,
+                  config2.version_max, config2.tls13_variant,
+                  config2.disabled_cipher_suites, config2.channel_id_enabled,
+                  config2.false_start_enabled, config2.require_ecdhe);
+}
+
+}  // namespace
+
 SSLConfigService::SSLConfigService()
     : observer_list_(base::ObserverListPolicy::EXISTING_ONLY) {}
 
@@ -72,27 +95,18 @@ void SSLConfigService::NotifySSLConfigChange() {
     observer.OnSSLConfigChanged();
 }
 
+bool SSLConfigService::SSLConfigsAreEqualForTesting(
+    const net::SSLConfig& config1,
+    const net::SSLConfig& config2) {
+  return SSLConfigsAreEqual(config1, config2);
+}
+
 SSLConfigService::~SSLConfigService() = default;
 
 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& old_config,
                                            const SSLConfig& new_config) {
-  bool config_changed =
-      std::tie(old_config.rev_checking_enabled,
-               old_config.rev_checking_required_local_anchors,
-               old_config.sha1_local_anchors_enabled,
-               old_config.symantec_enforcement_disabled, old_config.version_min,
-               old_config.version_max, old_config.tls13_variant,
-               old_config.disabled_cipher_suites, old_config.channel_id_enabled,
-               old_config.false_start_enabled, old_config.require_ecdhe) !=
-      std::tie(new_config.rev_checking_enabled,
-               new_config.rev_checking_required_local_anchors,
-               new_config.sha1_local_anchors_enabled,
-               new_config.symantec_enforcement_disabled, new_config.version_min,
-               new_config.version_max, new_config.tls13_variant,
-               new_config.disabled_cipher_suites, new_config.channel_id_enabled,
-               new_config.false_start_enabled, new_config.require_ecdhe);
-
-  if (config_changed)
+  // Do nothing if the configuration hasn't changed.
+  if (!SSLConfigsAreEqual(old_config, new_config))
     NotifySSLConfigChange();
 }
 

net/ssl/ssl_config_service.h

@@ -70,6 +70,10 @@ class NET_EXPORT SSLConfigService
   // called on the IO thread.
   void NotifySSLConfigChange();
 
+  // Checks if the config-service managed fields in two SSLConfigs are the same.
+  static bool SSLConfigsAreEqualForTesting(const net::SSLConfig& config1,
+                                           const net::SSLConfig& config2);
+
  protected:
   friend class base::RefCountedThreadSafe<SSLConfigService>;
 

services/network/BUILD.gn

@@ -70,6 +70,10 @@ component("network_service") {
     "socket_data_pump.h",
     "socket_factory.cc",
     "socket_factory.h",
+    "ssl_config_service_mojo.cc",
+    "ssl_config_service_mojo.h",
+    "ssl_config_type_converter.cc",
+    "ssl_config_type_converter.h",
     "tcp_connected_socket.cc",
     "tcp_connected_socket.h",
     "tcp_server_socket.cc",
@@ -181,6 +185,7 @@ source_set("tests") {
     "resource_scheduler_unittest.cc",
     "restricted_cookie_manager_unittest.cc",
     "socket_data_pump_unittest.cc",
+    "ssl_config_service_mojo_unittest.cc",
     "tcp_socket_unittest.cc",
     "test/test_url_loader_factory_unittest.cc",
     "test_chunked_data_pipe_getter.cc",

services/network/OWNERS

@@ -13,6 +13,8 @@ per-file cross_origin_read_blocking*=lukasza@chromium.org
 
 per-file manifest.json=set noparent
 per-file manifest.json=file://ipc/SECURITY_OWNERS
+per-file *_type_converter*.*=set noparent
+per-file *_type_converter*.*=file://ipc/SECURITY_OWNERS
 
 per-file network_sandbox_hook_linux.*.cc=file://sandbox/OWNERS
 per-file network_sandbox_win.*=file://sandbox/win/OWNERS

services/network/network_context.cc

@@ -65,6 +65,7 @@
 #include "services/network/public/cpp/network_switches.h"
 #include "services/network/resource_scheduler_client.h"
 #include "services/network/restricted_cookie_manager.h"
+#include "services/network/ssl_config_service_mojo.h"
 #include "services/network/throttling/network_conditions.h"
 #include "services/network/throttling/throttling_controller.h"
 #include "services/network/throttling/throttling_network_transaction_factory.h"
@@ -674,6 +675,10 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
     builder->EnableHttpCache(cache_params);
   }
 
+  builder->set_ssl_config_service(base::MakeRefCounted<SSLConfigServiceMojo>(
+      std::move(network_context_params->initial_ssl_config),
+      std::move(network_context_params->ssl_config_client_request)));
+
   if (!network_context_params->initial_proxy_config &&
       !network_context_params->proxy_config_client_request.is_pending()) {
     network_context_params->initial_proxy_config =

services/network/public/mojom/BUILD.gn

@@ -90,6 +90,7 @@ mojom("mojom") {
     "request_context_frame_type.mojom",
     "restricted_cookie_manager.mojom",
     "signed_tree_head.mojom",
+    "ssl_config.mojom",
     "tcp_socket.mojom",
     "tls_socket.mojom",
     "url_loader.mojom",

services/network/public/mojom/network_context.mojom

@@ -15,6 +15,7 @@ import "services/network/public/mojom/ct_log_info.mojom";
 import "services/network/public/mojom/mutable_network_traffic_annotation_tag.mojom";
 import "services/network/public/mojom/proxy_config.mojom";
 import "services/network/public/mojom/proxy_config_with_annotation.mojom";
+import "services/network/public/mojom/ssl_config.mojom";
 import "services/network/public/mojom/tcp_socket.mojom";
 import "services/network/public/mojom/udp_socket.mojom";
 import "services/network/public/mojom/url_loader.mojom";
@@ -105,6 +106,12 @@ struct NetworkContextParams {
   // Enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
   bool http_09_on_non_default_ports_enabled = false;
 
+  // SSL configuration. |intial_proxy_config| is the initial SSL configuration
+  // to use. If nullptr, uses the default configuration. Updated SSL
+  // configurations can be passed in via |ssl_config_client_request|.
+  SSLConfig? initial_ssl_config;
+  SSLConfigClient&? ssl_config_client_request;
+
   // Proxy configuration. If |intial_proxy_config| is set, it's the initial
   // proxy configuration. Updated proxy configuration can be passed in via
   // |proxy_config_client_request|. If |initial_proxy_config| is not set,

services/network/public/mojom/ssl_config.mojom

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module network.mojom;
+
+enum SSLVersion {
+  kTLS1,
+  kTLS11,
+  kTLS12,
+  kTLS13,
+};
+
+// Versions of TLS 1.3 that are supported.
+enum TLS13Variant {
+  kDraft23,
+};
+
+// This contains the subset of net::SSLConfig members that are managed by the
+// net::SSLConfigService. See net::SSLConfig for field descriptions.
+struct SSLConfig {
+  bool rev_checking_enabled = false;
+  bool rev_checking_required_local_anchors = false;
+
+  bool sha1_local_anchors_enabled = false;
+  bool symantec_enforcement_disabled = false;
+
+  // SSL 2.0 and 3.0 are not supported.
+  SSLVersion version_min = kTLS1;
+  SSLVersion version_max = kTLS12;
+
+  TLS13Variant tls13_variant = kDraft23;
+
+  // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
+  // big-endian form, they should be declared in host byte order, with the
+  // first uint8_t occupying the most significant byte.
+  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
+  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
+  array<uint16> disabled_cipher_suites;
+};
+
+// Receives SSL configuration updates.
+interface SSLConfigClient {
+  OnSSLConfigUpdated(SSLConfig ssl_config);
+};

services/network/ssl_config_service_mojo.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/ssl_config_service_mojo.h"
+
+#include "mojo/public/cpp/bindings/type_converter.h"
+#include "services/network/ssl_config_type_converter.h"
+
+namespace network {
+
+SSLConfigServiceMojo::SSLConfigServiceMojo(
+    mojom::SSLConfigPtr initial_config,
+    mojom::SSLConfigClientRequest ssl_config_client_request)
+    : binding_(this),
+      ssl_config_(initial_config ? mojo::ConvertTo<net::SSLConfig>(
+                                       std::move(initial_config))
+                                 : net::SSLConfig()) {
+  if (ssl_config_client_request)
+    binding_.Bind(std::move(ssl_config_client_request));
+}
+
+void SSLConfigServiceMojo::OnSSLConfigUpdated(mojom::SSLConfigPtr ssl_config) {
+  net::SSLConfig old_config = ssl_config_;
+  ssl_config_ = mojo::ConvertTo<net::SSLConfig>(std::move(ssl_config));
+  ProcessConfigUpdate(old_config, ssl_config_);
+}
+
+void SSLConfigServiceMojo::GetSSLConfig(net::SSLConfig* ssl_config) {
+  *ssl_config = ssl_config_;
+}
+
+SSLConfigServiceMojo::~SSLConfigServiceMojo() {}
+
+}  // namespace network

services/network/ssl_config_service_mojo.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_NETWORK_SSL_CONFIG_SERVICE_MOJO_H_
+#define SERVICES_NETWORK_SSL_CONFIG_SERVICE_MOJO_H_
+
+#include "base/component_export.h"
+#include "mojo/public/cpp/bindings/binding.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_config_service.h"
+#include "services/network/public/mojom/ssl_config.mojom.h"
+
+namespace network {
+
+// An SSLConfigClient that serves as a net::SSLConfigService, listening to
+// SSLConfig changes on a Mojo pipe, and providing access to the updated config.
+class COMPONENT_EXPORT(NETWORK_SERVICE) SSLConfigServiceMojo
+    : public mojom::SSLConfigClient,
+      public net::SSLConfigService {
+ public:
+  // If |ssl_config_client_request| is not provided, just sticks with the
+  // initial configuration.
+  SSLConfigServiceMojo(mojom::SSLConfigPtr initial_config,
+                       mojom::SSLConfigClientRequest ssl_config_client_request);
+
+  // mojom::SSLConfigClient implementation:
+  void OnSSLConfigUpdated(const mojom::SSLConfigPtr ssl_config) override;
+
+  // net::SSLConfigClient implementation:
+  void GetSSLConfig(net::SSLConfig* ssl_config) override;
+
+ private:
+  ~SSLConfigServiceMojo() override;
+
+  mojo::Binding<mojom::SSLConfigClient> binding_;
+
+  net::SSLConfig ssl_config_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceMojo);
+};
+
+}  // namespace network
+
+#endif  // SERVICES_NETWORK_SSL_CONFIG_SERVICE_MOJO_H_

services/network/ssl_config_type_converter.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/ssl_config_type_converter.h"
+
+namespace {
+
+int MojoSSLVersionToNetSSLVersion(network::mojom::SSLVersion mojo_version) {
+  switch (mojo_version) {
+    case network::mojom::SSLVersion::kTLS1:
+      return net::SSL_PROTOCOL_VERSION_TLS1;
+    case network::mojom::SSLVersion::kTLS11:
+      return net::SSL_PROTOCOL_VERSION_TLS1_1;
+    case network::mojom::SSLVersion::kTLS12:
+      return net::SSL_PROTOCOL_VERSION_TLS1_2;
+    case network::mojom::SSLVersion::kTLS13:
+      return net::SSL_PROTOCOL_VERSION_TLS1_3;
+  }
+  NOTREACHED();
+  return net::SSL_PROTOCOL_VERSION_TLS1_2;
+}
+
+net::TLS13Variant MojoTLS13VariantToNetTLS13Variant(
+    network::mojom::TLS13Variant tls13_variant) {
+  switch (tls13_variant) {
+    case network::mojom::TLS13Variant::kDraft23:
+      return net::kTLS13VariantDraft23;
+  }
+  NOTREACHED();
+  return net::kTLS13VariantDraft23;
+}
+
+}  // namespace
+
+namespace mojo {
+
+net::SSLConfig
+TypeConverter<net::SSLConfig, network::mojom::SSLConfigPtr>::Convert(
+    const network::mojom::SSLConfigPtr& mojo_config) {
+  DCHECK(mojo_config);
+
+  net::SSLConfig net_config;
+
+  net_config.rev_checking_enabled = mojo_config->rev_checking_enabled;
+  net_config.rev_checking_required_local_anchors =
+      mojo_config->rev_checking_required_local_anchors;
+
+  net_config.sha1_local_anchors_enabled =
+      mojo_config->sha1_local_anchors_enabled;
+  net_config.symantec_enforcement_disabled =
+      mojo_config->symantec_enforcement_disabled;
+
+  net_config.version_min =
+      MojoSSLVersionToNetSSLVersion(mojo_config->version_min);
+  net_config.version_max =
+      MojoSSLVersionToNetSSLVersion(mojo_config->version_max);
+  DCHECK_LE(net_config.version_min, net_config.version_max);
+
+  net_config.tls13_variant =
+      MojoTLS13VariantToNetTLS13Variant(mojo_config->tls13_variant);
+
+  for (uint16_t cipher_suite : mojo_config->disabled_cipher_suites) {
+    net_config.disabled_cipher_suites.push_back(cipher_suite);
+  }
+  return net_config;
+}
+
+}  // namespace mojo

services/network/ssl_config_type_converter.h

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_NETWORK_SSL_CONFIG_TYPE_CONVERTER_H_
+#define SERVICES_NETWORK_SSL_CONFIG_TYPE_CONVERTER_H_
+
+#include "mojo/public/cpp/bindings/type_converter.h"
+#include "net/ssl/ssl_config.h"
+#include "services/network/public/mojom/ssl_config.mojom.h"
+
+namespace mojo {
+
+// Converts a net::SSLConfig to network::mojom::SSLConfigPtr. Tested in
+// SSLConfigServiceMojo's unittests.
+template <>
+struct TypeConverter<net::SSLConfig, network::mojom::SSLConfigPtr> {
+  static net::SSLConfig Convert(
+      const network::mojom::SSLConfigPtr& mojo_config);
+};
+
+}  // namespace mojo
+
+#endif  // SERVICES_NETWORK_SSL_CONFIG_TYPE_CONVERTER_H_

testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

@@ -17,6 +17,8 @@
 -ProfileWindowBrowserTest.GuestClearsCookies
 -ProxySettingsApiTest.ProxyEventsInvalidProxy
 -RegisterProtocolHandlerBrowserTest.CustomHandler
+-SSLUITest.TestBadHTTPSDownload/0
+-SSLUITest.TestBadHTTPSDownload/1
 -SubresourceFilterBrowserTest.FailedProvisionalLoadInMainframe
 -WebstoreInstallerBrowserTest.SimultaneousInstall
 -WebViewTest.WebViewInBackgroundPage
@@ -133,13 +135,8 @@
 -IOThreadBrowserTestWithHangingPacRequest.Shutdown
 -ProxySettingsApiTest.ProxyEventsParseError
 
-# https://bugs.chromium.org/p/chromium/issues/detail?id=755309
--SSLUITest.SHA1PrefsCanEnable/0
--SSLUITest.SHA1PrefsCanEnable/1
--SSLUITest.TestBadHTTPSDownload/0
--SSLUITest.TestBadHTTPSDownload/1
--SSLUITest.TestHTTPSOCSPOk/0
--SSLUITest.TestHTTPSOCSPOk/1
+# SetURLRequestContextForNSSHttpIO / SetGlobalCertNetFetcher are not called
+# in the network process.
 -SSLUITest.TestHTTPSOCSPRevoked/0
 -SSLUITest.TestHTTPSOCSPRevoked/1