authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-29 00:06:36 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-29 00:06:36 +0000
commita48aa500c5c4fe3ee1d23287d33f12edf756032b (patch)
tree3588c5cd86f38e182e0d0ad48ec396d9bebffcaa /net/socket
parent7fcb858abdbc3c5ed1614e587e8630f5c4c97c35 (diff)
Pass the SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag
to AcquireCredentialsHandle to cause the TLS certificate status request extension (commonly known as OCSP stapling) to be sent on Windows Vista or later. I don't know if this is all we need to do to enable OCSP stapling though. R=hawk BUG=26013 TEST=none Review URL: http://codereview.chromium.org/329042 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30407 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/ssl_client_socket_win.cc11
1 files changed, 10 insertions, 1 deletions
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 40c8ede..c0761b2 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -192,13 +192,22 @@ void CredHandleTable::InitializeHandle(CredHandle* handle,
// and expired certificate errors. There are only flags to ignore the
// name mismatch and unable-to-check-revocation errors.
//
+ // We specify SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT to cause the TLS
+ // certificate status request extension (commonly known as OCSP stapling)
+ // to be sent on Vista or later. This flag matches the
+ // CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag that we pass to the
+ // CertGetCertificateChain calls. Note: we specify this flag even when
+ // revocation checking is disabled to avoid doubling the number of
+ // credentials handles we need to acquire.
+ //
// TODO(wtc): Look into undocumented or poorly documented flags:
// SCH_CRED_RESTRICTED_ROOTS
// SCH_CRED_REVOCATION_CHECK_CACHE_ONLY
// SCH_CRED_CACHE_ONLY_URL_RETRIEVAL
// SCH_CRED_MEMORY_STORE_CERT
schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS |
- SCH_CRED_MANUAL_CRED_VALIDATION;
+ SCH_CRED_MANUAL_CRED_VALIDATION |
+ SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
TimeStamp expiry;
SECURITY_STATUS status;