authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-07 22:57:00 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-07 22:57:00 +0000
commit805acdc8862c0a843f3a27d0ee15d6279a4f3c92 (patch)
treef38cce5c4dd91c0559662c96ee43a2e28104aaa4 /net/cert/cert_verify_proc_nss.cc
parent2901975cc78133241b9f46a9a758bbf0506d4362 (diff)
Reland http://crrev.com/209278
Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2 Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still ships 4.9.2, so this is the lower bound. NSS 3.14.3 contains a number of important security fixes, and support for older systems is no longer desirable. BUG=245370 TBR=thestig@chromium.org, wtc@chromium.org Review URL: https://chromiumcodereview.appspot.com/20615002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@216296 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/cert_verify_proc_nss.cc')
-rw-r--r--net/cert/cert_verify_proc_nss.cc29
1 files changed, 0 insertions, 29 deletions
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index 120f091..f63297e 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -162,10 +162,6 @@ CertStatus MapCertErrorToCertStatus(int err) {
void GetCertChainInfo(CERTCertList* cert_list,
CERTCertificate* root_cert,
CertVerifyResult* verify_result) {
- // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the
- // NSS version currently in use:
- // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
- // 2. use ident libnss3.so* for the library's version
DCHECK(cert_list);
CERTCertificate* verified_cert = NULL;
@@ -367,31 +363,6 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
- // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
- // 1. NSS may use one key to verify a CRL signed with another key,
- // incorrectly concluding that the CRL's signature is invalid.
- // Hopefully this bug will be fixed in NSS 3.12.9.
- // 2. NSS considers all certificates issued by the CA as revoked when it
- // receives a CRL with an invalid signature. This overly strict policy
- // has been relaxed in NSS 3.12.7. See
- // https://bugzilla.mozilla.org/show_bug.cgi?id=562542.
- // So we have to turn off CRL checking for these CAs. See
- // http://crbug.com/55695.
- static const char* const kMultipleKeyCA[] = {
- "CN=Microsoft Secure Server Authority,"
- "DC=redmond,DC=corp,DC=microsoft,DC=com",
- "CN=Microsoft Secure Server Authority",
- };
-
- if (!NSS_VersionCheck("3.12.7")) {
- for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {
- if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {
- use_crl = false;
- break;
- }
- }
- }
-
PRUint64 revocation_method_flags =
CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
CERT_REV_M_ALLOW_NETWORK_FETCHING |