-rw-r--r-- | chrome/renderer/chrome_render_process_observer.cc | 7 | ||||
-rw-r--r-- | net/ocsp/nss_ocsp.cc | 21 | ||||
-rw-r--r-- | net/ocsp/nss_ocsp.h | 7 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 10 | ||||
-rw-r--r-- | net/socket/ssl_server_socket_nss.cc | 6 | ||||
-rw-r--r-- | remoting/protocol/jingle_stream_connector.cc | 5 |
6 files changed, 14 insertions, 42 deletions
diff --git a/chrome/renderer/chrome_render_process_observer.cc b/chrome/renderer/chrome_render_process_observer.cc
index 87ecba4..0b69092 100644
--- a/chrome/renderer/chrome_render_process_observer.cc
+++ b/chrome/renderer/chrome_render_process_observer.cc
@@ -31,7 +31,6 @@ #include "media/base/media_switches.h" #include "net/base/net_errors.h" #include "net/base/net_module.h" -#include "net/ocsp/nss_ocsp.h" #include "third_party/sqlite/sqlite3.h" #include "third_party/tcmalloc/chromium/src/google/malloc_extension.h" #include "third_party/tcmalloc/chromium/src/google/heap-profiler.h"
@@ -377,12 +376,6 @@ ChromeRenderProcessObserver::ChromeRenderProcessObserver( crypto::DisableNSSForkCheck(); crypto::ForceNSSNoDBInit(); crypto::EnsureNSSInit(); - - // Disable OCSP. OCSP needs to make HTTP requests, and currently - // it doesn't work in sandbox. SSL is used in renderer process - // only for peer-to-peer connections with self-signed certs. OCSP - // is not useful in this case, thus it is safe to disable it. - net::DisableOCSP(); } #elif defined(OS_WIN) // crypt32.dll is used to decode X509 certificates for Chromoting.
diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc
index ccff919..ec24107 100644
--- a/net/ocsp/nss_ocsp.cc
+++ b/net/ocsp/nss_ocsp.cc
@@ -41,8 +41,6 @@ namespace { pthread_mutex_t g_request_context_lock = PTHREAD_MUTEX_INITIALIZER; static net::URLRequestContext* g_request_context = NULL; -static bool g_disable_ocsp = false; - class OCSPRequestSession; class OCSPIOLoop {
@@ -911,9 +909,6 @@ char* GetAlternateOCSPAIAInfo(CERTCertificate *cert) { namespace net { void SetMessageLoopForOCSP() { - // Must not be called when OCSP is disabled. - DCHECK(!g_disable_ocsp); - // Must have a MessageLoopForIO. DCHECK(MessageLoopForIO::current());
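Review bot: Removing net::DisableOCSP() after crypto::EnsureNSSInit() drops the only process-wide guarantee that the sandboxed renderer never initializes OCSP; correctness now depends on every SSLClientSocket created in this process clearing rev_checking_enabled, which this file can no longer enforce or check. The rationale in the deleted comment (OCSP needs HTTP requests, and those currently do not work in the sandbox) is worth keeping at the NSS init site so the next SSL user in the renderer learns the constraint, e.g. after crypto::EnsureNSSInit(): `// OCSP must never be initialized in the renderer (it needs HTTP requests that do not work in the sandbox); any SSLClientSocket created here must set rev_checking_enabled = false.` The enclosing constructor continues outside the hunk. The two nss_ocsp.cc hunks on this line only delete the g_disable_ocsp flag and its DCHECKs and need no separate comment.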
@@ -923,27 +918,17 @@ void SetMessageLoopForOCSP() { DCHECK(!used); } -void DisableOCSP() { - g_disable_ocsp = true; -} - void EnsureOCSPInit() { - if (!g_disable_ocsp) { - g_ocsp_io_loop.Get().StartUsing(); - g_ocsp_nss_initialization.Get(); - } + g_ocsp_io_loop.Get().StartUsing(); + g_ocsp_nss_initialization.Get(); } void ShutdownOCSP() { - if (!g_disable_ocsp) - g_ocsp_io_loop.Get().Shutdown(); + g_ocsp_io_loop.Get().Shutdown(); } // This function would be called before NSS initialization. void SetURLRequestContextForOCSP(URLRequestContext* request_context) { - // Must not be called when OCSP is disabled. - DCHECK(!g_disable_ocsp); - pthread_mutex_lock(&g_request_context_lock); if (request_context) { DCHECK(!g_request_context);
diff --git a/net/ocsp/nss_ocsp.h b/net/ocsp/nss_ocsp.h
index 93d07ce..bf67751 100644
--- a/net/ocsp/nss_ocsp.h
+++ b/net/ocsp/nss_ocsp.h
@@ -17,13 +17,6 @@ class URLRequestContext; // control the message loop for OCSP. NET_EXPORT void SetMessageLoopForOCSP(); -// Disables OCSP for the current process. This is needed to run SSL -// code in the renderer process. After this method is called all -// calls to EnsureOCSPInit() and ShutdownOCSP() are ignored. When -// OCSP is disabled SetMessageLoopForOCSP() and -// SetURLRequestContextForOCSP() are useless and should not be called. -NET_EXPORT void DisableOCSP(); - // Initializes OCSP handlers for NSS. This must be called before any // certificate verification functions. This function is thread-safe, and OCSP // handlers will only ever be initialized once. ShutdownOCSP() must be called
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 5380a9a..4fdecc9 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
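Review bot: ShutdownOCSP() now calls g_ocsp_io_loop.Get().Shutdown() unconditionally, but EnsureOCSPInit() is no longer guaranteed to have run first: with the client socket initializing OCSP only when rev_checking_enabled is set, a process whose sockets all disabled revocation checking can reach ShutdownOCSP() on a loop that was never StartUsing()'d. If OCSPIOLoop::Shutdown() (outside the hunk) does not tolerate that, this is a teardown defect; if it does, a one-line comment `// Safe to call even if EnsureOCSPInit() never ran.` above the call would save the next reader the question. Get() on a shutdown-only path also presumably constructs the lazily-held loop just to shut it down, which may be worth avoiding. The nss_ocsp.h hunk on this line is the matching declaration and comment deletion and needs no separate comment.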
@@ -838,10 +838,12 @@ int SSLClientSocketNSS::Init() { if (!NSS_IsInitialized()) return ERR_UNEXPECTED; #if !defined(OS_MACOSX) && !defined(OS_WIN) - // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop - // by MessageLoopForIO::current(). - // X509Certificate::Verify() runs on a worker thread of CertVerifier. - EnsureOCSPInit(); + if (ssl_config_.rev_checking_enabled) { + // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop + // by MessageLoopForIO::current(). + // X509Certificate::Verify() runs on a worker thread of CertVerifier. + EnsureOCSPInit(); + } #endif LeaveFunction("");
diff --git a/net/socket/ssl_server_socket_nss.cc b/net/socket/ssl_server_socket_nss.cc
index 08d84b9..78410f8 100644
--- a/net/socket/ssl_server_socket_nss.cc
+++ b/net/socket/ssl_server_socket_nss.cc
@@ -762,12 +762,6 @@ int SSLServerSocketNSS::Init() { EnsureNSSSSLInit(); if (!NSS_IsInitialized()) return ERR_UNEXPECTED; -#if !defined(OS_MACOSX) && !defined(OS_WIN) - // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop - // by MessageLoopForIO::current(). - // X509Certificate::Verify() runs on a worker thread of CertVerifier. - EnsureOCSPInit(); -#endif return OK; }
diff --git a/remoting/protocol/jingle_stream_connector.cc b/remoting/protocol/jingle_stream_connector.cc
index 57e0fcd..f953a54 100644
--- a/remoting/protocol/jingle_stream_connector.cc
+++ b/remoting/protocol/jingle_stream_connector.cc
@@ -44,6 +44,11 @@ net::SSLClientSocket* CreateSSLClientSocket( cert_and_status.der_cert = der_cert; ssl_config.allowed_bad_certs.push_back(cert_and_status); + // Revocation checking is not needed because we use self-signed + // certs. Disable it so that SSL layer doesn't try to initialize + // OCSP (OCSP works only on IO thread). + ssl_config.rev_checking_enabled = false; + // SSLClientSocket takes ownership of the adapter. net::HostPortPair host_and_port( ContentDescription::kChromotingContentName, 0); |
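Review bot: rev_checking_enabled now carries a second meaning in SSLClientSocketNSS::Init(): besides controlling revocation checks it decides whether the process-global OCSP handlers get installed at all, and the kept comment inside the new if block does not say so. Suggest extending it with `// Callers that must not make OCSP network requests (e.g. the sandboxed renderer) rely on rev_checking_enabled being false here.` so the invariant that net::DisableOCSP() used to enforce is at least written down where it is now decided. Because OCSP initialization is per-process, the first socket with revocation checking enabled turns it on for every later verification in that process, which is presumably intended but worth a word. The ssl_server_socket_nss.cc hunk on this line removes OCSP initialization from the server socket entirely; if that socket ever verifies client certificates with revocation checking, it would now do so without OCSP handlers unless a client socket installed them first, so confirm it does not. Init() continues outside the hunk.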
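Review bot: The new comment in CreateSSLClientSocket() gives the IO-thread reason but not the one the deleted renderer code recorded, that OCSP needs HTTP requests which currently do not work in the sandbox; as far as this change shows, this call site is now the only thing keeping the renderer from initializing OCSP, and the comment should say so. Suggest `// Disable it so that the SSL layer doesn't initialize OCSP, which needs HTTP requests that do not work in the sandboxed renderer (and runs only on the IO thread).` in place of the second and third comment lines. The enclosing function starts and ends outside the hunk.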