Remove TLS 1.3 downgrade policy and associated flags.

As documented, the policy is to be retired after M85. This policy was a temporary workaround for potential compatibility issues due to buggy and insecure enterprise proxies. (cherry picked from commit 94c7e180e2074fcd7c98acf4b61a1543ef08b2fc) Bug: 1012400 Change-Id: Ia47e544b8f7ed546633351d7c55c40c366e1d032 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2324170 Reviewed-by: Emily Stark <[email protected]> Reviewed-by: Steven Valdez <[email protected]> Reviewed-by: Charlie Harrison <[email protected]> Reviewed-by: Pavol Marko <[email protected]> Reviewed-by: Matt Menke <[email protected]> Commit-Queue: Matt Menke <[email protected]> Auto-Submit: David Benjamin <[email protected]> Cr-Commit-Position: refs/heads/master@{#793713}
youtube · Jan 21, 2024 · d0240f4 · d0240f4
1 parent 78c8bca
commit d0240f4
Showing 1 changed file with 0 additions and 19 deletions.
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
@@ -83,12 +83,6 @@ const int kSSLClientSocketNoPendingResult = 1;
 // Default size of the internal BoringSSL buffers.
 const int kDefaultOpenSSLBufferSize = 17 * 1024;
 
-// This feature disables the TLS 1.3 downgrade protection that may be triggered
-// by buggy TLS-terminating proxies. It will be removed once TLS 1.3 is
-// successfully deployed without needing to disable this feature.
-const base::Feature kIgnoreTLS13Downgrade{"IgnoreTLS13Downgrade",
-                                          base::FEATURE_DISABLED_BY_DEFAULT};
-
 std::unique_ptr<base::Value> NetLogPrivateKeyOperationCallback(
     uint16_t algorithm,
     NetLogCaptureMode mode) {
@@ -352,10 +346,6 @@ class SSLClientSocketImpl::SSLContext {
 
     SSL_CTX_set_grease_enabled(ssl_ctx_.get(), 1);
 
-    if (base::FeatureList::IsEnabled(kIgnoreTLS13Downgrade)) {
-      SSL_CTX_set_ignore_tls13_downgrade(ssl_ctx_.get(), 1);
-    }
-
     // Deduplicate all certificates minted from the SSL_CTX in memory.
     SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool());
 
@@ -1089,15 +1079,6 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
     base::UmaHistogramSparse("Net.SSLSignatureAlgorithm", signature_algorithm);
   }
 
-  if (base::FeatureList::IsEnabled(kIgnoreTLS13Downgrade) &&
-      IsTLS13ExperimentHost(host_and_port_.host())) {
-    // Record whether the TLS 1.3 anti-downgrade mechanism has fired. This is
-    // only recorded when enforcement is disabled. See
-    // https://crbug.com/boringssl/226.
-    UMA_HISTOGRAM_BOOLEAN("Net.SSLTLS13DowngradeTLS13Experiment",
-                          !!SSL_is_tls13_downgrade(ssl_.get()));
-  }
-
   // Verify the certificate.
   next_handshake_state_ = STATE_VERIFY_CERT;
   return OK;