authorrch@chromium.org <rch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-01-12 18:53:08 +0000
committerrch@chromium.org <rch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-01-12 18:53:08 +0000
commit5396b2f1e7640de4f27153605d1ade4d0ea019ab (patch)
treecdcce7ae12918c44d5eb1a6ef6f1f1de9bcc8d81 /net/http/http_stream_request.cc
parentbc8262e667789f9e4beec4afa01ff40f9fa128fb (diff)
Merge 71071 - net: Ensure that when using False Start + client auth, bad client certificates are not cached.
If an SSL handshake fails when client certificates are used, ensure that the client certificate selected is removed from the SSL client auth cache. This ensures that the user is prompted to select a certificate again, as the cause of the failure may have been due to selecting the wrong certificate or selecting no certificate when one is required. The existing logic worked when TLS False Start was disabled, but could fail when False Start was used or when the peer requests renegotiation. This change ensures the client certificate is removed from the cache by moving the cache removal layer from the HttpStreamRequest to the HttpNetworkTransaction. Patch by: Ryan Sleevi BUG=66424 TEST=HttpNetworkTransactionTest.ClientAuthCertCache* TBR=agl@chromium.org Review URL: http://codereview.chromium.org/6199006 git-svn-id: svn://svn.chromium.org/chrome/branches/597/src@71200 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_stream_request.cc')
-rw-r--r--net/http/http_stream_request.cc31
1 files changed, 1 insertions, 30 deletions
diff --git a/net/http/http_stream_request.cc b/net/http/http_stream_request.cc
index 6f0a39e9..d3163c4 100644
--- a/net/http/http_stream_request.cc
+++ b/net/http/http_stream_request.cc
@@ -701,7 +701,7 @@ int HttpStreamRequest::DoInitConnectionComplete(int result) {
}
}
if (result < 0)
- return HandleSSLHandshakeError(result);
+ return result;
}
next_state_ = STATE_CREATE_STREAM;
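Review bot: With `return result;` replacing the call to `HandleSSLHandshakeError(result)`, a negative handshake result now leaves this function with no handling at all, and the helper removed in the second hunk did two things, of which the commit description mentions only one. Besides evicting the client certificate from `ssl_client_auth_cache()`, it recorded the host via `AddTLSIntolerantServer` and reset `next_state_` to `STATE_INIT_CONNECTION` for a retry; whether that fallback now lives in HttpNetworkTransaction cannot be seen from this file-limited diff and should be confirmed, since it decides when a connection is retried with TLS 1.0 disabled. Every consumer of HttpStreamRequest now has to do the eviction itself, otherwise a rejected certificate stays cached, so I would state the contract at the return: `// Handshake errors are passed through untouched; the caller must evict the cached client cert and handle any TLS fallback.` DoInitConnectionComplete begins and ends outside the hunk.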
@@ -982,35 +982,6 @@ int HttpStreamRequest::HandleCertificateError(int error) {
return error;
}
-int HttpStreamRequest::HandleSSLHandshakeError(int error) {
- if (ssl_config()->send_client_cert &&
- (error == ERR_SSL_PROTOCOL_ERROR ||
- error == ERR_BAD_SSL_CLIENT_AUTH_CERT)) {
- session_->ssl_client_auth_cache()->Remove(
- GetHostAndPort(request_info().url));
- }
-
- switch (error) {
- case ERR_SSL_PROTOCOL_ERROR:
- case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
- case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
- case ERR_SSL_BAD_RECORD_MAC_ALERT:
- if (ssl_config()->tls1_enabled &&
- !SSLConfigService::IsKnownStrictTLSServer(
- request_info().url.host())) {
- // This could be a TLS-intolerant server, an SSL 3.0 server that
- // chose a TLS-only cipher suite or a server with buggy DEFLATE
- // support. Turn off TLS 1.0, DEFLATE support and retry.
- factory_->AddTLSIntolerantServer(request_info().url);
- next_state_ = STATE_INIT_CONNECTION;
- DCHECK(!connection_.get() || !connection_->socket());
- error = OK;
- }
- break;
- }
- return error;
-}
-
void HttpStreamRequest::SwitchToSpdyMode() {
if (HttpStreamFactory::spdy_enabled())
using_spdy_ = true;