Add revocation checking field trial.

We wish to measure the impact of revocation checking on SSL connection times. This change sets up a 50/50 field trial where members of the trial don't do revocation checking on sites that we currently have certificate pins for. BUG=none TEST=none http://codereview.chromium.org/7113008/ git-svn-id: svn://svn.chromium.org/chrome/trunk/src@88542 0039d316-1c4b-4281-b951-d872f2087c98

Add revocation checking field trial.
We wish to measure the impact of revocation checking on SSL connection times. This change sets up a 50/50 field trial where members of the trial don't do revocation checking on sites that we currently have certificate pins for. BUG=none TEST=none http://codereview.chromium.org/7113008/ git-svn-id: svn://svn.chromium.org/chrome/trunk/src@88542 0039d316-1c4b-4281-b951-d872f2087c98
f906bfeb · agl@chromium.org · f78a8a90 · f906bfeb · f906bfeb · f906bfeb
Commit f906bfeb authored Jun 09, 2011 by agl@chromium.org
6 changed files
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -503,6 +503,23 @@ void BrowserMainParts::ConnectBackupJobsFieldTrial() {
  }
 }

+void BrowserMainParts::RevocationCheckingDisabledFieldTrial() {
+  const base::FieldTrial::Probability kDivisor = 100;
+  base::FieldTrial::Probability probability = 50;  // 50/50 trial
+
+  // After August 30, 2011 builds, it will always be in default group.
+  scoped_refptr<base::FieldTrial> trial(
+      new base::FieldTrial(
+          "RevCheckingImpact", kDivisor, "control", 2011, 8, 30));
+
+  int disabled_group = trial->AppendGroup(
+      "disabled", probability);
+
+  int trial_grp = trial->group();
+  if (trial_grp == disabled_group)
+    net::SSLConfigService::DisableRevCheckingForPinnedSites();
+}
+
 // BrowserMainParts: |MainMessageLoopStart()| and related ----------------------

 void BrowserMainParts::MainMessageLoopStart() {
@@ -593,6 +610,7 @@ void BrowserMainParts::SetupFieldTrials(bool metrics_recording_enabled) {
  prerender::ConfigurePrefetchAndPrerender(parsed_command_line());
  SpdyFieldTrial();
  ConnectBackupJobsFieldTrial();
+  RevocationCheckingDisabledFieldTrial();
 }

 // -----------------------------------------------------------------------------

--- a/chrome/browser/browser_main.h
+++ b/chrome/browser/browser_main.h
@@ -129,6 +129,10 @@ class BrowserMainParts {
  // specified timeout value is reached.
  void ConnectBackupJobsFieldTrial();

+  // A/B test for disabling revocation checking for sites with pinned
+  // certificates.
+  void RevocationCheckingDisabledFieldTrial();
+
  // Used to initialize NSPR where appropriate.
  virtual void InitializeSSL() = 0;


--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -48,6 +48,7 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(

 static bool g_false_start_enabled = true;
 static bool g_dns_cert_provenance_checking = false;
+static bool g_rev_checking_disabled_for_pinned_sites = false;

 // static
 void SSLConfigService::DisableFalseStart() {
@@ -69,6 +70,16 @@ bool SSLConfigService::dns_cert_provenance_checking_enabled() {
  return g_dns_cert_provenance_checking;
 }

+// static
+void SSLConfigService::DisableRevCheckingForPinnedSites() {
+  g_rev_checking_disabled_for_pinned_sites = true;
+}
+
+// static
+bool SSLConfigService::rev_checking_disabled_for_pinned_sites() {
+  return g_rev_checking_disabled_for_pinned_sites;
+}
+
 void SSLConfigService::AddObserver(Observer* observer) {
  observer_list_.AddObserver(observer);
 }

--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -142,6 +142,11 @@ class NET_API SSLConfigService
  static void EnableDNSCertProvenanceChecking();
  static bool dns_cert_provenance_checking_enabled();

+  // Disabled revocation checking for some sites that we have additional
+  // security on.
+  static void DisableRevCheckingForPinnedSites();
+  static bool rev_checking_disabled_for_pinned_sites();
+
  // Is SNI available in this configuration?
  static bool IsSNIAvailable(SSLConfigService* service);


--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1460,8 +1460,18 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
  }

  int flags = 0;
-  if (ssl_config_.rev_checking_enabled)
-    flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+  if (ssl_config_.rev_checking_enabled) {
+    const std::string& hostname = host_and_port_.host();
+    // is_pinned is an approximation but is currently accurate. Even if more
+    // pinned sites are added, this errs on the site of caution.
+    bool is_pinned = hostname == "google.com" ||
+                     (hostname.size() > 11 &&
+                      hostname.rfind(".google.com") == hostname.size() - 11);
+    if (!is_pinned ||
+        !SSLConfigService::rev_checking_disabled_for_pinned_sites()) {
+      flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+    }
+  }
  if (ssl_config_.verify_ev_cert)
    flags |= X509Certificate::VERIFY_EV_CERT;
  verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));

--- a/net/socket/ssl_client_socket_pool.cc
+++ b/net/socket/ssl_client_socket_pool.cc
@@ -329,19 +329,38 @@ int SSLConnectJob::DoSSLConnectComplete(int result) {
                                 base::TimeDelta::FromMilliseconds(1),
                                 base::TimeDelta::FromMinutes(10),
                                 100);
-    } else {
-      UMA_HISTOGRAM_CUSTOM_TIMES("Net.SSL_Connection_Latency",
+    }
+
+    UMA_HISTOGRAM_CUSTOM_TIMES("Net.SSL_Connection_Latency",
+                               connect_duration,
+                               base::TimeDelta::FromMilliseconds(1),
+                               base::TimeDelta::FromMinutes(10),
+                               100);
+
+    const std::string& host = params_->host_and_port().host();
+    bool is_google = host == "google.com" ||
+                     (host.size() > 11 &&
+                      host.rfind(".google.com") == host.size() - 11);
+    if (is_google) {
+      UMA_HISTOGRAM_CUSTOM_TIMES("Net.SSL_Connection_Latency_Google",
                                 connect_duration,
                                 base::TimeDelta::FromMilliseconds(1),
                                 base::TimeDelta::FromMinutes(10),
                                 100);

-      const std::string& host = params_->host_and_port().host();
-      bool is_google = host == "google.com" ||
-                       (host.size() > 11 &&
-                        host.rfind(".google.com") == host.size() - 11);
-      if (is_google) {
-        UMA_HISTOGRAM_CUSTOM_TIMES("Net.SSL_Connection_Latency_Google",
+      base::FieldTrial* trial = base::FieldTrialList::Find("RevCheckingImpact");
+      if (trial) {
+        std::string histogram_name;
+        if (trial->group() != base::FieldTrial::kDefaultGroupNumber ||
+            !params_->ssl_config().rev_checking_enabled) {
+          histogram_name =
+              "Net.SSL_Connection_Latency_Google_No_Revocation_Checking";
+        } else {
+          histogram_name =
+              "Net.SSL_Connection_Latency_Google_Revocation_Checking";
+        }
+
+        UMA_HISTOGRAM_CUSTOM_TIMES(histogram_name,
                                   connect_duration,
                                   base::TimeDelta::FromMilliseconds(1),
                                   base::TimeDelta::FromMinutes(10),