Commit 91585690 authored by davidben, committed by Commit bot

Expose TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 on the deprecated cipher fallback.

It's believed that the majority (over 80%) of TLS version downgrades remaining
come from out-of-date IIS servers with the AES-GCM bug (crbug/433406). From
probing servers some time back, it appears that, of those, the IIS 8.0 ones
prefer TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 over the broken GCMs. Adding that
cipher may drive the number down enough to be worthwhile.

Experimentally add this cipher to the list to see what it does to the metrics.
It may yet be worth trying to drop the fallback without this workaround, since
the server-side fix is so easy, but run with this a bit to get numbers on what
the options are.

As we otherwise would not have exposed a new legacy CBC mode cipher, this
cipher is placed on the deprecated cipher fallback. This way we can continue to
monitor things which need it and hopefully eventually phase it out once the
install-base has taken their updates.

BUG=536200

Review URL: https://codereview.chromium.org/1366253005

Cr-Commit-Position: refs/heads/master@{#351205}
parent 6bdf645d
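The change that makes the fallback work is the switch in the base command from `!SHA384` to `-SHA384`: under OpenSSL/BoringSSL cipher-string rules, `!` deletes a suite permanently (a later rule can never bring it back), while `-` only removes it until a later rule re-adds it. The Python model below is an added illustration, not code from Chromium or BoringSSL; it replays both versions of the command, with and without the deprecated-cipher branch, against a constructed eight-suite list. The tag names (`kECDHE`, `aRSA`, `AESGCM`, `SHA384`, ...), the flat `DEFAULT` handling and the suite ordering are simplifications of the real parser and are assumptions of the model, not its actual behaviour in every detail.

```python
"""Simplified model of OpenSSL/BoringSSL cipher-string prefixes: '!', '-', '+', none.

Constructed for illustration; the suite table and tag vocabulary are assumptions
that mirror OpenSSL's naming only loosely.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # properties a cipher-string keyword can select on


# Constructed master list (a small subset of real suites, in the order this model prefers).
# GCM suites carry an "AEAD" MAC tag, so SHA256/SHA384 keywords do not select them;
# this matches the comment in the Chromium code about HMAC-SHA256/384 vs GCM.
MASTER = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", frozenset({"kECDHE", "aRSA", "AES128", "AESGCM", "AEAD"})),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", frozenset({"kECDHE", "aRSA", "AES256", "AESGCM", "AEAD"})),
    Suite("ECDHE-RSA-AES128-SHA256", frozenset({"kECDHE", "aRSA", "AES128", "SHA256"})),
    Suite("ECDHE-RSA-AES256-SHA384", frozenset({"kECDHE", "aRSA", "AES256", "SHA384"})),
    Suite("ECDHE-RSA-AES128-SHA", frozenset({"kECDHE", "aRSA", "AES128", "SHA1"})),
    Suite("ECDHE-RSA-AES256-SHA", frozenset({"kECDHE", "aRSA", "AES256", "SHA1"})),
    Suite("ECDHE-RSA-RC4-SHA", frozenset({"kECDHE", "aRSA", "RC4", "SHA1"})),
    Suite("PSK-AES128-CBC-SHA", frozenset({"kPSK", "aPSK", "AES128", "SHA1"})),
]


def _matches(suite, conds):
    """A rule like AESGCM+AES256 matches only if every '+'-joined keyword applies."""
    return all(c == "DEFAULT" or c == suite.name or c in suite.tags for c in conds)


def apply_cipher_string(spec, master=MASTER):
    """Return the ordered list of enabled suite names after processing `spec`."""
    active = []    # ordered list of currently enabled suites
    killed = set() # names removed with '!'; they can never be re-added
    for rule in spec.split(":"):
        if not rule:
            continue
        op, body = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        conds = body.split("+")
        for s in master:
            if s.name in killed or not _matches(s, conds):
                continue
            if op == "!":          # kill: drop it and remember it forever
                killed.add(s.name)
                if s in active:
                    active.remove(s)
            elif op == "-":        # delete: drop it, but a later rule may add it back
                if s in active:
                    active.remove(s)
            elif op == "+":        # reorder: move matching suites to the end
                if s in active:
                    active.remove(s)
                    active.append(s)
            else:                  # add: append if not already enabled
                if s not in active:
                    active.append(s)
    return [s.name for s in active]


# The two versions of the base command from the diff.
BASE_OLD = "DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK"
BASE_NEW = "DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK"
FALLBACK_SUITE = "ECDHE-RSA-AES256-SHA384"


def normal_list(base):
    """enable_deprecated_cipher_suites == false: RC4 is killed, nothing re-added."""
    return apply_cipher_string(base + ":!RC4")


def fallback_list(base):
    """enable_deprecated_cipher_suites == true: RC4 stays, and the SHA384 suite is appended."""
    return apply_cipher_string(base + ":" + FALLBACK_SUITE)


if __name__ == "__main__":
    print("old base, fallback:", fallback_list(BASE_OLD))
    print("new base, fallback:", fallback_list(BASE_NEW))
    print("new base, normal:  ", normal_list(BASE_NEW))
```

With the old base string the appended `ECDHE-RSA-AES256-SHA384` is silently ignored because `!SHA384` killed it; with the new base string it reappears, and only in the deprecated-cipher branch, at the end of the list where a bare rule appends.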
......@@ -883,10 +883,10 @@ int SSLClientSocketOpenSSL::Init() {
STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
DCHECK(ciphers);
// See SSLConfig::disabled_cipher_suites for description of the suites
// disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
// disabled by default. Note that SHA256 and SHA384 only select HMAC-SHA256
// and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
// as the handshake hash.
std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");
std::string command("DEFAULT:!SHA256:-SHA384:!AESGCM+AES256:!aPSK");
// Walk through all the installed ciphers, seeing if any need to be
// appended to the cipher removal |command|.
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
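Review bot: the switch from `!SHA384` to `-SHA384` in the command string is the load-bearing part of this hunk, since `!` deletes a suite permanently while `-` lets a later rule re-add it, but the rewritten comment only describes what the SHA256 and SHA384 keywords select and leaves the asymmetry with `!SHA256` unexplained. Suggest adding a sentence to the comment along the lines of `// SHA384 uses '-' rather than '!' so that ECDHE-RSA-AES256-SHA384 can be re-added below when deprecated cipher suites are enabled.` Without it, a later cleanup that normalizes the prefix back to `!SHA384` would silently disable the workaround.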
......@@ -911,8 +911,15 @@ int SSLClientSocketOpenSSL::Init() {
}
}
if (!ssl_config_.enable_deprecated_cipher_suites)
if (!ssl_config_.enable_deprecated_cipher_suites) {
command.append(":!RC4");
} else {
// Add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 under a fallback. This is
// believed to work around a bug in some out-of-date Microsoft IIS servers
// which cause them to require the version downgrade
// (https://crbug.com/433406).
command.append(":ECDHE-RSA-AES256-SHA384");
}
// Disable ECDSA cipher suites on platforms that do not support ECDSA
// signed certificates, as servers may use the presence of such
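Review bot: the else branch appends `ECDHE-RSA-AES256-SHA384` with no check that the suite actually ends up in the list; the append only works because the base string earlier in this function uses `-SHA384` instead of `!SHA384`, and a regression there would leave the fallback configuration identical to before with nothing to flag it. Suggest a DCHECK (or a unit test) after the cipher list is applied that walks `SSL_get_ciphers` and verifies the suite is present when `enable_deprecated_cipher_suites` is set, plus a line in the new comment noting the dependency on `-SHA384`. It is also worth stating in the comment that a bare rule appends at the end of the list, so the suite is lowest-preference, which is the intended behaviour for a fallback-only cipher.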
......