authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-12 15:24:35 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-12 15:24:35 +0000
commitdc99ca7f7328d14d43af2fd5b8cde944c6a08054 (patch)
treefa1c54958bd827b27ca3dc7229cd6fbdb9e7b5cf /net
parent45bd241e3bc17cf6fe25b564fe5b5a248365cdd7 (diff)
NSS and NPN: send NextProtocol on resume and disable NPN without SPDY.
NPN on resume was broken symmetrically between OpenSSL and NSS (which is probably why we didn't notice for so long). OpenSSL wasn't expecting the message and NSS wasn't sending it. This change sends the NextProtocol message when resuming and disables NPN when not using SPDY. The reason for the latter is that we have GFEs deployed which don't expect NextProtocol when resuming and we have to wait some time before they get replaced. Because of this, we can't have NPN enabled by default. Instead, we'll use --host-resolver-rules to redirect everything to known-good GFEs in the meantime. http://codereview.chromium.org/841003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41433 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.h3
-rw-r--r--net/third_party/nss/patches/nextproto.patch49
-rw-r--r--net/third_party/nss/ssl/ssl3con.c8
3 files changed, 41 insertions, 19 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 45c1fc6..0213f1f 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -18,8 +18,7 @@ struct SSLConfig {
// Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on.
SSLConfig()
: rev_checking_enabled(true), ssl2_enabled(false), ssl3_enabled(true),
- tls1_enabled(true), send_client_cert(false), verify_ev_cert(false),
- next_protos("\007http1.1") {
+ tls1_enabled(true), send_client_cert(false), verify_ev_cert(false) {
}
bool rev_checking_enabled; // True if server certificate revocation
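Review bot: Dropping the `next_protos("\007http1.1")` initializer presumably leaves the field default-constructed (empty), but the comment above the constructor still describes only the SSL/TLS version defaults, so a reader gets no hint that an empty next_protos is what keeps NPN from being advertised and that whoever enables SPDY must populate it. Suggest extending the comment to `// Default to SSL 2.0 off, SSL 3.0 on, and TLS 1.0 on. next_protos is left` / `// empty so NPN is not advertised unless a caller (e.g. SPDY setup) sets it.` The rest of struct SSLConfig, including the next_protos declaration and its type, is outside this hunk, so the "empty" default is inferred rather than visible here.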
diff --git a/net/third_party/nss/patches/nextproto.patch b/net/third_party/nss/patches/nextproto.patch
index dbca92a..837295e 100644
--- a/net/third_party/nss/patches/nextproto.patch
+++ b/net/third_party/nss/patches/nextproto.patch
@@ -1,5 +1,5 @@
diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
-index f0b5701..e795b33 100644
+index c15a0ad..b6210bf 100644
--- a/mozilla/security/nss/cmd/tstclnt/tstclnt.c
+++ b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
@@ -863,7 +863,13 @@ int main(int argc, char **argv)
@@ -18,10 +18,10 @@ index f0b5701..e795b33 100644
SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
-index a5b2767..287505f 100644
+index d3f455c..a1f4b51 100644
--- a/mozilla/security/nss/lib/ssl/ssl.def
+++ b/mozilla/security/nss/lib/ssl/ssl.def
-@@ -150,3 +150,10 @@ SSL_SNISocketConfigHook;
+@@ -152,3 +152,10 @@ SSL_SNISocketConfigHook;
;+ local:
;+*;
;+};
@@ -33,10 +33,10 @@ index a5b2767..287505f 100644
+;+*;
+;+};
diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index d0b5aa7..5b572b2 100644
+index d60a73c..00c250b 100644
--- a/mozilla/security/nss/lib/ssl/ssl.h
+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -136,6 +136,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
+@@ -142,6 +142,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
@@ -56,7 +56,7 @@ index d0b5aa7..5b572b2 100644
** Control ciphers that SSL uses. If on is non-zero then the named cipher
** is enabled, otherwise it is disabled.
diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index 6b37c4f..545e51e 100644
+index 083248d..5c14672 100644
--- a/mozilla/security/nss/lib/ssl/ssl3con.c
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
@@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss);
@@ -121,7 +121,22 @@ index 6b37c4f..545e51e 100644
* ssl3_HandleClientHello
* ssl3_HandleFinished
*/
-@@ -9457,6 +9498,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -8390,6 +8431,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+ if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
+ flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
+ }
++
++ if (!isServer) {
++ rv = ssl3_SendNextProto(ss);
++ if (rv != SECSuccess) {
++ goto xmit_loser; /* err code was set. */
++ }
++ }
++
+ rv = ssl3_SendFinished(ss, flags);
+ if (rv != SECSuccess) {
+ goto xmit_loser; /* err is set. */
+@@ -9455,6 +9504,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
ss->ssl3.initialized = PR_FALSE;
@@ -134,7 +149,7 @@ index 6b37c4f..545e51e 100644
/* End of ssl3con.c */
diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
-index fd0d9b9..4269028 100644
+index ac2b067..04f45a4 100644
--- a/mozilla/security/nss/lib/ssl/ssl3ext.c
+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
@@ -235,6 +235,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
@@ -272,8 +287,8 @@ index fd0d9b9..4269028 100644
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ goto loser;
-+ TLSExtensionData *xtnData = &ss->xtnData;
-+ xtnData->advertised[xtnData->numAdvertised++] = ssl_next_proto_neg_xtn;
++ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
++ ssl_next_proto_neg_xtn;
+ } else if (maxBytes < extension_length) {
+ return 0;
+ }
@@ -302,10 +317,10 @@ index 0fc1675..c82c891 100644
typedef struct {
diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index ea36cfb..0ec579d 100644
+index 7581b98..0658d2c 100644
--- a/mozilla/security/nss/lib/ssl/sslimpl.h
+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
-@@ -317,6 +317,11 @@ typedef struct {
+@@ -313,6 +313,11 @@ typedef struct {
#endif /* NSS_ENABLE_ECC */
typedef struct sslOptionsStr {
@@ -317,7 +332,7 @@ index ea36cfb..0ec579d 100644
unsigned int useSecurity : 1; /* 1 */
unsigned int useSocks : 1; /* 2 */
unsigned int requestCertificate : 1; /* 3 */
-@@ -789,6 +794,7 @@ const ssl3CipherSuiteDef *suite_def;
+@@ -785,6 +790,7 @@ const ssl3CipherSuiteDef *suite_def;
#ifdef NSS_ENABLE_ECC
PRUint32 negotiatedECCurves; /* bit mask */
#endif /* NSS_ENABLE_ECC */
@@ -325,7 +340,7 @@ index ea36cfb..0ec579d 100644
} SSL3HandshakeState;
-@@ -830,6 +836,16 @@ struct ssl3StateStr {
+@@ -826,6 +832,16 @@ struct ssl3StateStr {
PRBool initialized;
SSL3HandshakeState hs;
ssl3CipherSpec specs[2]; /* one is current, one is pending. */
@@ -342,7 +357,7 @@ index ea36cfb..0ec579d 100644
};
typedef struct {
-@@ -1495,8 +1511,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
+@@ -1491,8 +1507,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
PRUint16 ex_type, SECItem *data);
extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
@@ -355,7 +370,7 @@ index ea36cfb..0ec579d 100644
/* ClientHello and ServerHello extension senders.
* Note that not all extension senders are exposed here; only those that
-@@ -1527,6 +1547,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
+@@ -1523,6 +1543,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
PRBool append, PRUint32 maxBytes);
#endif
@@ -367,7 +382,7 @@ index ea36cfb..0ec579d 100644
/* call the registered extension handlers. */
extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index aab48d6..2ff2992 100644
+index f1d1921..6536354 100644
--- a/mozilla/security/nss/lib/ssl/sslsock.c
+++ b/mozilla/security/nss/lib/ssl/sslsock.c
@@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index d2227a6..45bf853 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -8447,6 +8447,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
}
+
+ if (!isServer) {
+ rv = ssl3_SendNextProto(ss);
+ if (rv != SECSuccess) {
+ goto xmit_loser; /* err code was set. */
+ }
+ }
+
rv = ssl3_SendFinished(ss, flags);
if (rv != SECSuccess) {
goto xmit_loser; /* err is set. */
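Review bot: The new client-side call to ssl3_SendNextProto() at the top of this hunk runs on every resumed handshake with no visible check that the server actually negotiated the next-protocol extension; unless ssl3_SendNextProto() itself returns SECSuccess without writing anything when no protocol was selected, this emits a NextProtocol message to servers that never advertised NPN, which is the very failure mode the commit message describes for older GFEs. Worth confirming that early return inside ssl3_SendNextProto() (its body is not in this diff) or guarding the call on the negotiated state here, and recording the ordering contract in a comment: `/* NPN: on resumption the client's NextProtocol message must follow ChangeCipherSpec and precede Finished. */`. The call also does not receive `flags`, so whether the message is coalesced into the same flight as Finished when ssl_SEND_FLAG_FORCE_INTO_BUFFER is set depends on its internals; an extra flush would cost a write, not a protocol error. ssl3_HandleFinished begins and ends outside this hunk, and the identical change is mirrored in net/third_party/nss/patches/nextproto.patch, so the two must stay in sync.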