authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-21 19:27:36 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-21 19:27:36 +0000
commit52f3fad3ed3ad8ccca2026dc253474bb531737d7 (patch)
treec6c8e917a16396e1f88628b4caf08e34f3f9619f /net/socket/ssl_client_socket_nss.cc
parent01fd08314ba10fc4c79666d2c2b66dcba51d15ee (diff)
Don't use NSS databases for non-essential purposes, such as remembering
the intermediate CA certificates we see, because NSS's connections to the SQLite databases go bad if the file system where the databases reside is gone, even just transiently. Add the hostname to the error log message for CERT_PKIXVerifyCert failure. R=eroman,ukai BUG=15630 TEST=existing unit tests should pass. Review URL: http://codereview.chromium.org/214028 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26714 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc21
1 files changed, 12 insertions, 9 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 1f35728..05549da 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -755,6 +755,16 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
if (result == OK) {
// Remember the intermediate CA certs if the server sends them to us.
+ //
+ // We used to remember the intermediate CA certs in the NSS database
+ // persistently. However, NSS opens a connection to the SQLite database
+ // during NSS initialization and doesn't close the connection until NSS
+ // shuts down. If the file system where the database resides is gone,
+ // the database connection goes bad. What's worse, the connection won't
+ // recover when the file system comes back. Until this NSS or SQLite bug
+ // is fixed, we need to avoid using the NSS database for non-essential
+ // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
+ // http://crbug.com/15630 for more info.
CERTCertList* cert_list = CERT_GetCertChainFromCert(
server_cert_->os_cert_handle(), PR_Now(), certUsageSSLCA);
if (cert_list) {
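Review bot: The context comment `// Remember the intermediate CA certs if the server sends them to us.` directly above the added block is now contradicted by the change itself, since the second hunk removes the PK11_ImportCert call and leaves only a TODO; reword it to something like `// Walk the intermediate CA certs the server sent us (no longer persisted; see below).` so the next reader does not look for code that persists them. With the import gone, CERT_GetCertChainFromCert and the node-by-node traversal in the second hunk run on every successful verification without producing any effect, so either the traversal should be gated behind the pending std::set work or the TODO should state that the loop is intentionally kept as the insertion point. DoVerifyCertComplete begins before this hunk and continues past it, and the second hunk's trailing context line lies outside this view.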
@@ -772,15 +782,8 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
}
// We have found a CA cert that we want to remember.
- std::string nickname(GetDefaultCertNickname(node->cert));
- if (!nickname.empty()) {
- PK11SlotInfo* slot = PK11_GetInternalKeySlot();
- if (slot) {
- PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,
- const_cast<char*>(nickname.c_str()), PR_FALSE);
- PK11_FreeSlot(slot);
- }
- }
+ // TODO(wtc): Remember the intermediate CA certs in a std::set
+ // temporarily (http://crbug.com/15630).
}
CERT_DestroyCertList(cert_list);
}