author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-18 01:45:39 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-18 01:45:39 +0000 |
commit | a89eda4ea20875140967786aa5cbe33cb37c5648 (patch) | |
tree | dec6162ba456a9a2c27585d50dcde4d2f79f7f98 /net/socket | |
parent | 8d96d6fb98e8430d5348c3ad7dcf8e85a4dfad3d (diff) | |
SPDY: disable revocation checking.
For benchmarking we would like to pretend that we're in a world with
OCSP stapling and OCSP disk caches etc. Since we currently don't check
certificates with SPDY anyway, it's no loss if we don't check OCSP
either.
This change needs to be reverted when we start checking certificates.
Hopefully by then we'll have a better OCSP world to live in.
BUG=32020
TEST=none
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39314 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 10690ee..d6c321f 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1182,7 +1182,21 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
 DCHECK(server_cert_);
 GotoState(STATE_VERIFY_CERT_COMPLETE);
 int flags = 0;
- if (ssl_config_.rev_checking_enabled)
+
+ /* Disable revocation checking for SPDY. This is a hack, but we ignore
+ * certificate errors for SPDY anyway so it's no loss in security. This lets
+ * us benchmark as if we had OCSP stapling.
+ *
+ * http://crbug.com/32020
+ */
+ unsigned char buf[255];
+ int state;
+ unsigned int len;
+ SECStatus rv = SSL_GetNextProto(nss_fd_, &state, buf, &len, sizeof(buf));
+ bool spdy = (rv == SECSuccess && state == SSL_NEXT_PROTO_NEGOTIATED &&
+ len == 4 && memcmp(buf, "spdy", 4) == 0);
+
+ if (ssl_config_.rev_checking_enabled && !spdy)
 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT; |
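Review bot: The `!spdy` term in `if (ssl_config_.rev_checking_enabled && !spdy)` makes revocation checking depend on the next-protocol value read by `SSL_GetNextProto`, which comes from the handshake with a peer whose certificate has not been verified at this point in `DoVerifyCert`. Any server that negotiates "spdy" therefore turns off the revocation check on its own certificate, overriding the user's `rev_checking_enabled` setting. That is harmless only while the premise in the added comment holds (certificate errors are ignored for SPDY), and nothing in this hunk shows or enforces that. Since this is a benchmarking aid, the bypass would be safer behind a locally controlled switch than behind peer-supplied data. The code comment should also carry the revert condition that currently lives only in the commit message, for example `* TODO: revert once certificate errors are enforced for SPDY; "spdy" here is chosen by the unverified peer.` The function body continues outside the hunk.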