| field | value | date |
|---|---|---|
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-21 19:27:36 +0000 |
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-21 19:27:36 +0000 |
| commit | 52f3fad3ed3ad8ccca2026dc253474bb531737d7 (patch) | |
| tree | c6c8e917a16396e1f88628b4caf08e34f3f9619f /net/socket | |
| parent | 01fd08314ba10fc4c79666d2c2b66dcba51d15ee (diff) | |
| download | chromium_src-52f3fad3ed3ad8ccca2026dc253474bb531737d7.zip, chromium_src-52f3fad3ed3ad8ccca2026dc253474bb531737d7.tar.gz, chromium_src-52f3fad3ed3ad8ccca2026dc253474bb531737d7.tar.bz2 | |
Don't use NSS databases for non-essential purposes, such as remembering
the intermediate CA certificates we see, because NSS's connections to the
SQLite databases go bad if the file system where the databases reside is
gone, even just transiently.
Add the hostname to the error log message for CERT_PKIXVerifyCert failure.
R=eroman,ukai
BUG=15630
TEST=existing unit tests should pass.
Review URL: http://codereview.chromium.org/214028
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26714 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 21 |

1 files changed, 12 insertions, 9 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 1f35728..05549da 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -755,6 +755,16 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { if (result == OK) { // Remember the intermediate CA certs if the server sends them to us. + // + // We used to remember the intermediate CA certs in the NSS database + // persistently. However, NSS opens a connection to the SQLite database + // during NSS initialization and doesn't close the connection until NSS + // shuts down. If the file system where the database resides is gone, + // the database connection goes bad. What's worse, the connection won't + // recover when the file system comes back. Until this NSS or SQLite bug + // is fixed, we need to avoid using the NSS database for non-essential + // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and + // http://crbug.com/15630 for more info. CERTCertList* cert_list = CERT_GetCertChainFromCert( server_cert_->os_cert_handle(), PR_Now(), certUsageSSLCA); if (cert_list) { @@ -772,15 +782,8 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { } // We have found a CA cert that we want to remember. - std::string nickname(GetDefaultCertNickname(node->cert)); - if (!nickname.empty()) { - PK11SlotInfo* slot = PK11_GetInternalKeySlot(); - if (slot) { - PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, - const_cast<char*>(nickname.c_str()), PR_FALSE); - PK11_FreeSlot(slot); - } - } + // TODO(wtc): Remember the intermediate CA certs in a std::set + // temporarily (http://crbug.com/15630). } CERT_DestroyCertList(cert_list); } |
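Review bot: in the first hunk (@@ -755,6 +755,16 @@), the unchanged lead line `// Remember the intermediate CA certs if the server sends them to us.` now contradicts the ten comment lines added directly under it, which explain that the certs are deliberately no longer persisted; reword that lead line (for example `// Look at the intermediate CA certs the server sends us; we no longer persist them.`) so a reader skimming the function does not conclude that this path still writes to the NSS database. The rationale itself is clear and the two bug links (bugzilla 508081, crbug 15630) belong in the code, since the reason for avoiding the database is an external NSS/SQLite behaviour rather than anything visible in this function.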
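Review bot: in the second hunk (@@ -772,15 +782,8 @@), removing the `PK11_ImportCert` block leaves the loop body empty apart from the TODO, yet `CERT_GetCertChainFromCert`, the per-node walk and `CERT_DestroyCertList` still execute on every successful verification with no observable effect; until the std::set replacement from the TODO lands, consider guarding the whole `if (cert_list)` block (or skipping the chain lookup entirely) so verification does not pay for building and tearing down the chain for nothing. The deleted code also carried the `nickname.empty()` guard and the `PK11_GetInternalKeySlot`/`PK11_FreeSlot` pairing that any future in-memory or database-backed replacement will need to reintroduce correctly; it would help to mention that in the TODO text so the requirement is not lost with this diff.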