authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-05 22:00:24 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-05 22:00:24 +0000
commitf6ee0a018e7b1f4ff5e63da7e8c388041acad2c3 (patch)
tree53851346eeda1dec85690dc65039a4c9045818a2 /net/socket/ssl_client_socket_nss.cc
parent246a7045b9c45620fd725210aac51322e611c83f (diff)
SSLClientSocketNSS::ClientAuthHandler should return SECWouldBlock
instead of SECFailure when we want to abort the handshake, because SECWouldBlock causes NSS to suspend the client authentication, whereas SECFailure causes NSS to continue the handshake with an empty certificate (in TLS) or no_certificate alert (in SSL 3.0). R=agl BUG=16830 TEST=SSL client authentication on Linux should still work. Review URL: http://codereview.chromium.org/669198 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40785 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 52dc09e..994f1f3 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1150,7 +1150,9 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
CERT_FreeNicknames(names);
}
- return SECFailure;
+ // Tell NSS to suspend the client authentication. We will then abort the
+ // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
+ return SECWouldBlock;
#endif
}
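Review bot: The comment added above `return SECWouldBlock;` says what the return does but not why SECFailure must not be used here, which is the security-relevant part. Per the commit description, SECFailure lets NSS continue the handshake with an empty certificate (TLS) or a no_certificate alert (SSL 3.0). I would add `// Do not return SECFailure here: NSS would continue the handshake without a client certificate.` so a later cleanup does not revert it. ClientAuthHandler starts outside the hunk and this return sits just before `#endif`, so the other preprocessor branch is not visible; it is worth confirming that no path there still returns SECFailure when the intent is to abort. The abort also appears to rely on the caller turning the suspended handshake into ERR_SSL_CLIENT_AUTH_CERT_NEEDED, which happens outside this hunk and should be covered by a test.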
@@ -1286,7 +1288,7 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
}
completed_handshake_ = true;
- // TODO(ukai): we may not need this call because it is now harmless to have an
+ // TODO(ukai): we may not need this call because it is now harmless to have a
// session with a bad cert.
InvalidateSessionIfBadCertificate();
// Exit DoHandshakeLoop and return the result to the caller to Connect.