authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-30 09:53:16 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-30 09:53:16 +0000
commit005b9d1f4a21b443dcb3bc8b71420d5d30be7903 (patch)
treec473766b7c7c0763443f06a0a9be5472a4c71de8 /net/ocsp
parente0fba7d2422557265ae72f3ebac70434562d4470 (diff)
Reduce the network timeout for NSS from 60 seconds to 15 seconds
BUG=143747 TEST=On Linux, Enable revocation checking via preferences. Run chrome with --v=1 from behind a captive portal/firewall that allows SSL access to a particular host, but does not allow OCSP or CRL fetches, and instead blackholes them (holds the TCP connection open). You should see "OCSP Timed out" after 15 seconds from when the OCSP connection started. Review URL: https://chromiumcodereview.appspot.com/10875059 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@154105 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/ocsp')
-rw-r--r--net/ocsp/nss_ocsp.cc14
1 files changed, 12 insertions, 2 deletions
diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc
index 5abdd93..a85a80d 100644
--- a/net/ocsp/nss_ocsp.cc
+++ b/net/ocsp/nss_ocsp.cc
@@ -12,6 +12,7 @@
#include <pthread.h>
#include <secerr.h>
+#include <algorithm>
#include <string>
#include "base/basictypes.h"
@@ -45,6 +46,10 @@ namespace {
pthread_mutex_t g_request_context_lock = PTHREAD_MUTEX_INITIALIZER;
URLRequestContext* g_request_context = NULL;
+// The default timeout for network fetches in NSS is 60 seconds. Choose a
+// saner upper limit for OCSP/CRL/AIA fetches.
+const int kNetworkFetchTimeoutInSecs = 15;
+
class OCSPRequestSession;
class OCSPIOLoop {
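Review bot: The comment on `kNetworkFetchTimeoutInSecs` names OCSP, CRL and AIA fetches but does not say that one 15-second cap covers all three, although a CRL download can be far larger than an OCSP response. On a slow link the cap may cut off a legitimate CRL fetch, and the revocation check then ends without an answer. I would extend the comment to something like `// Applies to OCSP, CRL and AIA fetches alike; a fetch that exceeds it is aborted and revocation status stays unknown.`, assuming that is what the caller does with a timeout, which this hunk does not show.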
@@ -442,9 +447,14 @@ class OCSPServerSession {
path_and_query_string));
VLOG(1) << "URL [" << url_string << "]";
GURL url(url_string);
- return new OCSPRequestSession(
- url, http_request_method,
+
+ // NSS does not expose public functions to adjust the fetch timeout when
+ // using libpkix, so hardcode the upper limit for network fetches.
+ base::TimeDelta actual_timeout = std::min(
+ base::TimeDelta::FromSeconds(kNetworkFetchTimeoutInSecs),
base::TimeDelta::FromMilliseconds(PR_IntervalToMilliseconds(timeout)));
+
+ return new OCSPRequestSession(url, http_request_method, actual_timeout);
}
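Review bot: The effective timeout is never logged, so an "OCSP Timed out" line under --v=1 cannot be attributed to the 15-second cap rather than a shorter value passed in by NSS. Adding `VLOG(1) << "OCSP fetch timeout: " << actual_timeout.InSeconds() << "s";` after the `std::min` call would make the test in the description directly checkable. The clamp also only bounds from above, so a zero `timeout` from NSS still yields a zero-length `actual_timeout`; whether NSS ever passes that cannot be seen here, but the comment could state that the value is only ever shortened. The enclosing function starts outside the hunk.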