Change the bad-certificate handler for SSL (using NSS) to return an

error.

This requires a few additional changes in the rest of the code. In
particular, we now have to teach HttpNetworkTransaction about how to
restart connections with bad certificates. This was originally
intended to be done by ReconnectIgnoringLastError(), but that API
turns out be very difficult to implement in the SSLClientSocket. So,
instead, we just create a completely new SSLClientSocket.

We also have to be careful to store a copy of the certificate from
within the bad-certificate handler, as it won't be available by the
time GetSSLInfo() is called.

And we fix a bug that would cause us to erroneously talk SSL on
reconnected TCP sockets, even though we were still supposed to
negotiate a proxy tunnel first.

Review URL: http://codereview.chromium.org/43115

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12809 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 9 insertions, 0 deletions

diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 96d42a2..8d1edb1 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -5,7 +5,10 @@
 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H__
 #define NET_BASE_SSL_CONFIG_SERVICE_H__
 
+#include <set>
+
 #include "base/time.h"
+#include "net/base/x509_certificate.h"
 
 namespace net {
 
@@ -23,6 +26,12 @@ struct SSLConfig {
   bool ssl2_enabled;  // True if SSL 2.0 is enabled.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.
+
+  // Add any known-bad SSL certificates to allowed_bad_certs_ that should not
+  // trigger a certificate error when calling SSLClientSocket::Connect.
+  // This would normally be done in response to the user explicitly accepting
+  // the bad certificate.
+  std::set<scoped_refptr<X509Certificate> > allowed_bad_certs_;
 };
 
 // This class is responsible for getting and setting the SSL configuration.