1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时，不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。

platform/src/ssl_service_cache.cpp

@@ -5,11 +5,13 @@
 #include <string.h>
 
 #define	FAIL_AS_PINNING_COUNT	4
-#define	FAIL_AS_PINNING_TIME	30
+#define	FAIL_TIME_WINDOW		30
+#define	FAIL_AS_PROTO_ERR_COUNT	5
 struct ssl_svc_client_st
 {
 	time_t last_update_time;
-	unsigned int fail_count;
+	unsigned int suspect_pinning_count;	
+	unsigned int protocol_error_count;
 	char is_mutual_auth;
 	struct ssl_service_cache* ref_svc_cache;
 };
@@ -40,7 +42,7 @@ static void ssl_svc_free_client_st(void * data)
 	{
 		svc_cache->stat.mutual_auth_cli_cnt--;
 	}
-	if(p->fail_count>=FAIL_AS_PINNING_COUNT)
+	if(p->suspect_pinning_count>=FAIL_AS_PINNING_COUNT)
 	{
 		svc_cache->stat.pinning_cli_cnt--;
 	}
@@ -80,11 +82,11 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
 	{
 		return 0;
 	}
-	if(cli_st->fail_count==0)
+	if(cli_st->suspect_pinning_count==0)
 	{		
 		result->pinning_status=PINNING_ST_NOT_PINNING;
 	}
-	else if(cli_st->fail_count<FAIL_AS_PINNING_COUNT)
+	else if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
 	{
 		result->pinning_status=PINNING_ST_MAYBE_PINNING;
 	}
@@ -92,6 +94,10 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
 	{
 		result->pinning_status=PINNING_ST_PINNING;
 	}
+	if(cli_st->protocol_error_count>=FAIL_AS_PROTO_ERR_COUNT)
+	{
+		result->has_protocol_errors=1;
+	}
 	result->is_mutual_auth=cli_st->is_mutual_auth;
 	return 1;
 }
@@ -110,37 +116,44 @@ static long cli_st_write_cb(void * data, const uchar * key, uint size, void * us
 		ret = MESA_htable_add(cache->cli_st_hash, key, size, cli_st);
 		assert(ret >= 0);
 	}
-	if(cli_st->fail_count<FAIL_AS_PINNING_COUNT && cli_st->last_update_time-now>FAIL_AS_PINNING_TIME)
+	if(cli_st->last_update_time-now>FAIL_TIME_WINDOW)
 	{
-		cli_st->fail_count=0;
+		if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)		cli_st->suspect_pinning_count=0;
+		if(cli_st->protocol_error_count<FAIL_AS_PROTO_ERR_COUNT)	cli_st->protocol_error_count=0;
 	}
-	if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->fail_count<FAIL_AS_PINNING_COUNT)
+	if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
 	{
 		if(status->pinning_status==PINNING_ST_PINNING)
 		{
-			cli_st->fail_count=FAIL_AS_PINNING_COUNT;
+			cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
 		}
 		else
 		{
-			cli_st->fail_count++;
+			cli_st->suspect_pinning_count++;
 		}
-		cli_st->last_update_time=now;
-		if(cli_st->fail_count==FAIL_AS_PINNING_COUNT)
+		if(cli_st->suspect_pinning_count==FAIL_AS_PINNING_COUNT)
 		{
 			cache->stat.pinning_cli_cnt++;
 		}
 	}
 	else if(status->pinning_status==PINNING_ST_PINNING)
 	{
-		cli_st->fail_count=FAIL_AS_PINNING_COUNT;
-		cli_st->last_update_time=now;
+		cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
+	}
+	if(status->has_protocol_errors)
+	{
+		cli_st->protocol_error_count++;
+		if(cli_st->protocol_error_count==FAIL_AS_PROTO_ERR_COUNT)
+		{
+			cache->stat.proto_err_cli_cnt++;
+		}
 	}
-
 	if(status->is_mutual_auth==1&&cli_st->is_mutual_auth==0)
 	{
 		cache->stat.mutual_auth_cli_cnt++;	
 		cli_st->is_mutual_auth=1;
 	}
+	cli_st->last_update_time=now;	
 	return 1;
 }
 
@@ -224,7 +237,7 @@ void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct s
 		return;
 	}
 	struct ssl_service_write_args write_args={svc_cache, status};
-	if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING)
+	if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING||status->has_protocol_errors)
 	{
 		cli_st_key_sz=ssl_svc_client_st_mk_key(chello, cli_st_key, sizeof(cli_st_key));
 		MESA_htable_search_cb(svc_cache->cli_st_hash, (unsigned char*)cli_st_key, (unsigned int) cli_st_key_sz, cli_st_write_cb, &write_args, &cli_st_cb_ret);