author | dkegel@google.com <dkegel@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-07 20:25:46 +0000 |
---|---|---|
committer | dkegel@google.com <dkegel@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-07 20:25:46 +0000 |
commit | ea224582f14bb849ccab853de7e63e2ffa75994a (patch) | |
tree | 696e1da077c7b448f8fed2464a4ce42a88103a9c /base | |
parent | 3d2b7b5f90e42a435b1ef1f55c39e60c3a846485 (diff) | |
download | chromium_src-ea224582f14bb849ccab853de7e63e2ffa75994a.zip chromium_src-ea224582f14bb849ccab853de7e63e2ffa75994a.tar.gz chromium_src-ea224582f14bb849ccab853de7e63e2ffa75994a.tar.bz2 |
Third time's a charm?
Fix part of http://code.google.com/p/chromium/issues/detail?id=4510
and improve https support in test shell on linux.
This is the same as the earlier ssl cert cl
(see http://codereview.chromium.org/11249),
but with the certs moved so net can use them without
reaching over into chrome's pants and causing
test failure on the 'modules' Windows build server,
which is set up to test net and base but not chrome.
For this to pass, we will need to install
the certs on the windows module and try servers.
(And make sure tlslite is present.)
(A later CL will finish implementing SSLInfo for Linux,
and probably reference net/base/ssl_test_util.cc
from all three vcproj files that need it,
even though that's ugly, because that's less ugly
than referencing it from net.lib's vcproj.)
Review URL: http://codereview.chromium.org/12930
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@6495 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base')
-rw-r--r-- | base/nss_init.cc | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/base/nss_init.cc b/base/nss_init.cc
index c8ba44b..df2beea 100644
--- a/base/nss_init.cc
+++ b/base/nss_init.cc
@@ -9,31 +9,76 @@
 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
 // until NSS 3.12.2 comes out and we update to it.
 #define Lock FOO_NSS_Lock
+#include <secmod.h>
 #include <ssl.h>
 #undef Lock
+#include "base/file_util.h"
 #include "base/logging.h"
 #include "base/singleton.h"
 namespace {
+// Load nss's built-in root certs.
+SECMODModule *InitDefaultRootCerts() {
+ const char* kModulePath = "libnssckbi.so";
+ char modparams[1024];
+ snprintf(modparams, sizeof(modparams),
+ "name=\"Root Certs\" library=\"%s\"", kModulePath);
+ SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE);
+ if (root)
+ return root;
+
+ // Aw, snap. Can't find/load root cert shared library.
+ // This will make it hard to talk to anybody via https.
+ NOTREACHED();
+ return NULL;
+}
+
 class NSSInitSingleton {
 public:
 NSSInitSingleton() {
+
+ // Initialize without using a persistant database (e.g. ~/.netscape)
 CHECK(NSS_NoDB_Init(".") == SECSuccess);
- // Enable ciphers
+
+ root_ = InitDefaultRootCerts();
+ NSS_SetDomesticPolicy();
+
+ // Explicitly enable exactly those ciphers with keys of at least 80 bits
+ for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
+ SSLCipherSuiteInfo info;
+ if (SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &info,
+ sizeof(info)) == SECSuccess) {
+ SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i],
+ (info.effectiveKeyBits >= 80));
+ }
+ }
+
 // Enable SSL
 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+
+ // All other SSL options are set per-session by SSLClientSocket
 }
 ~NSSInitSingleton() {
+ if (root_) {
+ SECMOD_UnloadUserModule(root_);
+ SECMOD_DestroyModule(root_);
+ root_ = NULL;
+ }
+
 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY
 SSL_ClearSessionCache();
 SECStatus status = NSS_Shutdown();
- DCHECK(status == SECSuccess);
+ if (status != SECSuccess)
+ LOG(ERROR) << "NSS_Shutdown failed, leak? 
See "
+ "http://code.google.com/p/chromium/issues/detail?id=4609";
 }
+ private:
+ SECMODModule *root_;
 };
 } // namespace
|
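Review bot: The cipher loop in NSSInitSingleton() only sets a preference when SSL_GetCipherSuiteInfo succeeds, so any implemented suite whose lookup fails keeps whatever default NSS_SetDomesticPolicy() left it with, which contradicts the comment's "exactly those ciphers". An else branch, `else SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i], PR_FALSE);`, would make the allow-list hold for every entry of SSL_ImplementedCiphers. Separately, NOTREACHED() in InitDefaultRootCerts() is a no-op in release builds, so a missing libnssckbi.so silently leaves root_ NULL and the process without trust anchors; a `LOG(ERROR) << "Could not load NSS root certs module " << kModulePath;` before `return NULL;` would make that failure diagnosable rather than surfacing only as later certificate errors. The added `#include "base/file_util.h"` does not appear to be used by anything visible in this hunk.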