diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-13 17:54:42 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-13 17:54:42 +0000 |
| commit | 127017875991e4a1b3d12dfff23d70265f991ef6 (patch) | |
| tree | fc697789fb31e1c0fc137163aee660ba79f839d8 /net/base/ssl_config_service.h | |
| parent | ad8c2293824aecaf34ecdcd1f01720919afac6db (diff) | |
| download | chromium_src-127017875991e4a1b3d12dfff23d70265f991ef6.zip chromium_src-127017875991e4a1b3d12dfff23d70265f991ef6.tar.gz chromium_src-127017875991e4a1b3d12dfff23d70265f991ef6.tar.bz2 | |
Implement SSL certificate error handling on the Mac. If the user gives
us bad certs to allow, we tell SecureTransport to not verify the server
cert, and only allow the cert to be one of the bad certs the user allows.
In the future we should figure out how to verify the server cert ourselves.
R=avi,eroman
BUG=http://crbug.com/11983
TEST=Visit https://www.ssl247.com/ and https://alioth.debian.org/. Clicking
the "Proceed anyway" button should bring you to the site with a red
"https" in the location bar.
Review URL: http://codereview.chromium.org/165191
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23321 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/ssl_config_service.h')
| -rw-r--r-- | net/base/ssl_config_service.h | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h index 388b255..5354b3e 100644 --- a/net/base/ssl_config_service.h +++ b/net/base/ssl_config_service.h @@ -2,10 +2,10 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#ifndef NET_BASE_SSL_CONFIG_SERVICE_H__ -#define NET_BASE_SSL_CONFIG_SERVICE_H__ +#ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ +#define NET_BASE_SSL_CONFIG_SERVICE_H_ -#include <set> +#include <vector> #include "base/time.h" #include "net/base/x509_certificate.h" @@ -30,11 +30,27 @@ struct SSLConfig { // TODO(wtc): move the following members to a new SSLParams structure. They // are not SSL configuration settings. - // Add any known-bad SSL certificates to allowed_bad_certs_ that should not - // trigger an ERR_CERT_*_INVALID error when calling SSLClientSocket::Connect. - // This would normally be done in response to the user explicitly accepting - // the bad certificate. - std::set<scoped_refptr<X509Certificate> > allowed_bad_certs_; + struct CertAndStatus { + scoped_refptr<X509Certificate> cert; + int cert_status; + }; + + // Returns true if |cert| is one of the certs in |allowed_bad_certs|. + // TODO(wtc): Move this to a .cc file. ssl_config_service.cc is Windows + // only right now, so I can't move it there. + bool IsAllowedBadCert(X509Certificate* cert) const { + for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { + if (cert == allowed_bad_certs[i].cert) + return true; + } + return false; + } + + // Add any known-bad SSL certificate (with its cert status) to + // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when + // calling SSLClientSocket::Connect. This would normally be done in + // response to the user explicitly accepting the bad certificate. + std::vector<CertAndStatus> allowed_bad_certs; // True if we should send client_cert to the server. bool send_client_cert; @@ -87,4 +103,4 @@ class SSLConfigService { } // namespace net -#endif // NET_BASE_SSL_CONFIG_SERVICE_H__ +#endif // NET_BASE_SSL_CONFIG_SERVICE_H_ |