Diffstat (limited to 'net')
-rw-r--r-- | net/base/ssl_config_service.cc | 13 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 6 | ||||
-rw-r--r-- | net/net.gyp | 4 | ||||
-rw-r--r-- | net/socket/client_socket_factory.cc | 17 | ||||
-rw-r--r-- | net/socket/client_socket_factory.h | 7 | ||||
-rw-r--r-- | net/socket/client_socket_pool_base_unittest.cc | 3 | ||||
-rw-r--r-- | net/socket/dns_cert_provenance_check.cc | 111 | ||||
-rw-r--r-- | net/socket/dns_cert_provenance_check.h | 26 | ||||
-rw-r--r-- | net/socket/socket_test_util.cc | 6 | ||||
-rw-r--r-- | net/socket/socket_test_util.h | 6 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac_factory.cc | 3 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac_factory.h | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 36 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 5 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss_factory.cc | 5 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss_factory.h | 4 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.cc | 3 | ||||
-rw-r--r-- | net/socket/tcp_client_socket_pool_unittest.cc | 3 |
18 files changed, 231 insertions, 31 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc index 46fce20..cdfa4d3 100644 --- a/net/base/ssl_config_service.cc +++ b/net/base/ssl_config_service.cc @@ -95,6 +95,7 @@ static bool g_dnssec_enabled = false; static bool g_false_start_enabled = true; static bool g_mitm_proxies_allowed = false; static bool g_snap_start_enabled = false; +static bool g_dns_cert_provenance_checking = false; // static void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { @@ -102,6 +103,8 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { ssl_config->false_start_enabled = g_false_start_enabled; ssl_config->mitm_proxies_allowed = g_mitm_proxies_allowed; ssl_config->snap_start_enabled = g_snap_start_enabled; + ssl_config->dns_cert_provenance_checking_enabled = + g_dns_cert_provenance_checking; } // static @@ -144,6 +147,16 @@ bool SSLConfigService::mitm_proxies_allowed() { return g_mitm_proxies_allowed; } +// static +void SSLConfigService::EnableDNSCertProvenanceChecking() { + g_dns_cert_provenance_checking = true; +} + +// static +bool SSLConfigService::dns_cert_provenance_checking_enabled() { + return g_dns_cert_provenance_checking; +} + void SSLConfigService::AddObserver(Observer* observer) { observer_list_.AddObserver(observer); } diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h index 0ab88b2..be50097 100644 --- a/net/base/ssl_config_service.h +++ b/net/base/ssl_config_service.h @@ -28,6 +28,8 @@ struct SSLConfig { bool tls1_enabled; // True if TLS 1.0 is enabled. bool dnssec_enabled; // True if we'll accept DNSSEC chains in certificates. bool snap_start_enabled; // True if we'll try Snap Start handshakes. + // True if we'll do async checks for certificate provenance using DNS. + bool dns_cert_provenance_checking_enabled; // True if we allow this connection to be MITM attacked. This sounds a little // worse than it is: large networks sometimes MITM attack all SSL connections 
@@ -144,6 +146,10 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> { // True if we use False Start for SSL and TLS. static bool false_start_enabled(); + // Enables DNS side checks for certificates. + static void EnableDNSCertProvenanceChecking(); + static bool dns_cert_provenance_checking_enabled(); + // Add an observer of this service. void AddObserver(Observer* observer); diff --git a/net/net.gyp b/net/net.gyp index 44a9f67..083aac4b 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -586,6 +586,8 @@ 'socket/client_socket_pool_histograms.h', 'socket/client_socket_pool_manager.cc', 'socket/client_socket_pool_manager.h', + 'socket/dns_cert_provenance_check.cc', + 'socket/dns_cert_provenance_check.h', 'socket/socket.h', 'socket/socks5_client_socket.cc', 'socket/socks5_client_socket.h', @@ -720,6 +722,8 @@ }], ['use_openssl==1', { 'sources!': [ + 'socket/dns_cert_provenance_check.cc', + 'socket/dns_cert_provenance_check.h', 'socket/ssl_client_socket_nss.cc', 'socket/ssl_client_socket_nss.h', 'socket/ssl_client_socket_nss_factory.cc', diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index 9a7decf..f524743 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -21,13 +21,16 @@ namespace net { +class DnsRRResolver; + namespace { SSLClientSocket* DefaultSSLClientSocketFactory( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) return new SSLClientSocketWin(transport_socket, hostname, ssl_config); 
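Review bot: The comment on `EnableDNSCertProvenanceChecking()` ("Enables DNS side checks for certificates.") does not tell a caller what turning the switch on implies. Going by dns_cert_provenance_check.cc in this commit, enabling it makes the NSS socket issue a TXT query for `<hex SHA-1 of the first certificate in the peer chain>.certs.links.org`, so the certificate in use becomes visible to the DNS path and to that zone; the setting is also process-wide and there is no way to turn it off again. I would document that here, e.g. `// Process-wide and one-way. When set, a SHA-1 fingerprint of the first peer certificate is sent in a DNS TXT query; the result is only logged.` The class body continues outside the hunk.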
@@ -35,10 +38,10 @@ SSLClientSocket* DefaultSSLClientSocketFactory( return new SSLClientSocketOpenSSL(transport_socket, hostname, ssl_config); #elif defined(USE_NSS) return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, - shi.release()); + shi.release(), dnsrr_resolver); #elif defined(OS_MACOSX) return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, - shi.release()); + shi.release(), dnsrr_resolver); #else NOTIMPLEMENTED(); return NULL; @@ -60,8 +63,10 @@ class DefaultClientSocketFactory : public ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { - return g_ssl_factory(transport_socket, hostname, ssl_config, ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { + return g_ssl_factory(transport_socket, hostname, ssl_config, ssl_host_info, + dnsrr_resolver); } }; @@ -87,7 +92,7 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); return CreateSSLClientSocket(socket_handle, hostname, ssl_config, - ssl_host_info); + ssl_host_info, NULL /* DnsRRResolver */); } } // namespace net diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index ad2cc54..4814b9c 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -15,6 +15,7 @@ namespace net { class AddressList; class ClientSocket; class ClientSocketHandle; +class DnsRRResolver; class SSLClientSocket; struct SSLConfig; class SSLHostInfo; 
@@ -24,7 +25,8 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); // An interface used to instantiate ClientSocket objects. Used to facilitate // testing code with mock socket implementations. @@ -43,7 +45,8 @@ class ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) = 0; + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. virtual SSLClientSocket* CreateSSLClientSocket(ClientSocket* transport_socket, diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index 7cf35e3..7b83162 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -109,7 +109,8 @@ class MockClientSocketFactory : public ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/socket/dns_cert_provenance_check.cc b/net/socket/dns_cert_provenance_check.cc new file mode 100644 index 0000000..e83cb5e --- /dev/null +++ b/net/socket/dns_cert_provenance_check.cc 
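Review bot: The new `dnsrr_resolver` parameter on `CreateSSLClientSocket` (and on the `SSLClientSocketFactory` typedef in the previous hunk) is added without saying who owns it or whether it may be NULL. Elsewhere in this commit the deprecated overload passes `NULL`, `SSLClientSocketNSS` keeps it as a bare `DnsRRResolver* const`, and the Windows and OpenSSL branches and `SSLClientSocketMacFactory` ignore it, so the contract appears to be "optional, not owned, must outlive the socket and any lookup it started"; that is inferred and worth confirming before writing it down. Suggested comment above the declaration: `// |dnsrr_resolver| may be NULL and is not owned; it must outlive the returned socket. Only the NSS implementation uses it.` The class body continues outside the hunk.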
@@ -0,0 +1,111 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/socket/dns_cert_provenance_check.h" + +#include <nspr.h> +#include <hasht.h> +#include <sechash.h> + +#include <string> + +#include "base/non_thread_safe.h" +#include "net/base/completion_callback.h" +#include "net/base/dns_util.h" +#include "net/base/dnsrr_resolver.h" +#include "net/base/net_log.h" +#include "net/base/net_errors.h" + +namespace net { + +namespace { + +class DNSCertProvenanceChecker : public NonThreadSafe { + public: + DNSCertProvenanceChecker(const std::string hostname, + DnsRRResolver* dnsrr_resolver, + const std::vector<base::StringPiece>& der_certs) + : hostname_(hostname), + dnsrr_resolver_(dnsrr_resolver), + der_certs_(der_certs.size()), + handle_(DnsRRResolver::kInvalidHandle), + ALLOW_THIS_IN_INITIALIZER_LIST(callback_( + this, &DNSCertProvenanceChecker::ResolutionComplete)) { + for (size_t i = 0; i < der_certs.size(); i++) + der_certs_[i] = der_certs[i].as_string(); + } + + void Start() { + DCHECK(CalledOnValidThread()); + + if (der_certs_.empty()) + return; + + uint8 fingerprint[SHA1_LENGTH]; + SECStatus rv = HASH_HashBuf( + HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), + der_certs_[0].size()); + DCHECK_EQ(SECSuccess, rv); + char fingerprint_hex[SHA1_LENGTH * 2 + 1]; + for (unsigned i = 0; i < sizeof(fingerprint); i++) { + static const char hextable[] = "0123456789abcdef"; + fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; + fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; + } + fingerprint_hex[SHA1_LENGTH * 2] = 0; + + static const char kBaseCertName[] = ".certs.links.org"; + domain_.assign(fingerprint_hex); + domain_.append(kBaseCertName); + + handle_ = dnsrr_resolver_->Resolve( + domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, + 0 /* priority */, BoundNetLog()); + if (handle_ == 
DnsRRResolver::kInvalidHandle) { + LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; + delete this; + } + } + + private: + void ResolutionComplete(int status) { + DCHECK(CalledOnValidThread()); + + if (status == ERR_NAME_NOT_RESOLVED || + (status == OK && response_.rrdatas.empty())) { + LOG(ERROR) << "FAILED" + << " hostname:" << hostname_ + << " domain:" << domain_; + } else if (status == OK) { + LOG(ERROR) << "GOOD" + << " hostname:" << hostname_ + << " resp:" << response_.rrdatas[0]; + } else { + LOG(ERROR) << "Unknown error " << status << " for " << domain_; + } + + delete this; + } + + const std::string hostname_; + std::string domain_; + DnsRRResolver* const dnsrr_resolver_; + std::vector<std::string> der_certs_; + RRResponse response_; + DnsRRResolver::Handle handle_; + CompletionCallbackImpl<DNSCertProvenanceChecker> callback_; +}; + +} // anonymous namespace + +void DoAsyncDNSCertProvenanceVerification( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + const std::vector<base::StringPiece>& der_certs) { + DNSCertProvenanceChecker* c(new DNSCertProvenanceChecker( + hostname, dnsrr_resolver, der_certs)); + c->Start(); +} + +} // namespace net diff --git a/net/socket/dns_cert_provenance_check.h b/net/socket/dns_cert_provenance_check.h new file mode 100644 index 0000000..289cccf --- /dev/null +++ b/net/socket/dns_cert_provenance_check.h 
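Review bot: `Start()` in dns_cert_provenance_check.cc has two paths that leave the checker in a bad state. When `der_certs_` is empty it returns without `delete this`, so the object allocated in `DoAsyncDNSCertProvenanceVerification` is never freed; and the `HASH_HashBuf` result is only checked with `DCHECK_EQ`, which is normally compiled out of release builds, so on failure the uninitialised `fingerprint` buffer would be hex-encoded into the DNS name that is sent out. Both are fixed by bailing out explicitly: `if (der_certs_.empty()) { delete this; return; }` and `if (rv != SECSuccess) { delete this; return; }`. Separately, `ResolutionComplete` logs the expected "GOOD" outcome and the raw `response_.rrdatas[0]` at `LOG(ERROR)`; a lower severity would keep per-connection hostnames and DNS-supplied TXT data out of error logs.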
@@ -0,0 +1,26 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H +#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H + +#include <string> +#include <vector> + +#include "base/string_piece.h" + +namespace net { + +class DnsRRResolver; + +// DoAsyncDNSCertProvenanceVerification starts an asynchronous check for the +// given certificate chain. It must be run on the network thread. +void DoAsyncDNSCertProvenanceVerification( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + const std::vector<base::StringPiece>& der_certs); + +} // namespace net + +#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index afffe26..57aef05 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -1015,7 +1015,8 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, hostname, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); @@ -1064,7 +1065,8 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, hostname, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index d96087c..349013e 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h 
@@ -534,7 +534,8 @@ class MockClientSocketFactory : public ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); SocketDataProviderArray<SocketDataProvider>& mock_data() { return mock_data_; } @@ -878,7 +879,8 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); SocketDataProviderArray<DeterministicSocketData>& mock_data() { return mock_data_; diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index 7f0c5ce..d10e10d 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc @@ -13,7 +13,8 @@ SSLClientSocket* SSLClientSocketMacFactory( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { delete ssl_host_info; return new SSLClientSocketMac(transport_socket, hostname, ssl_config); } diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index ca97b00..6f12883 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -10,6 +10,7 @@ namespace net { +class DnsRRResolver; class SSLHostInfo; // Creates SSLClientSocketMac objects. @@ -17,7 +18,8 @@ SSLClientSocket* SSLClientSocketMacFactory( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); } // namespace net 
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index a26e77d4..0434f6d 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -93,6 +93,7 @@ #include "net/base/sys_addrinfo.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" +#include "net/socket/dns_cert_provenance_check.h" #include "net/socket/ssl_host_info.h" static const int kRecvBufferSize = 4096; @@ -397,6 +398,17 @@ class PeerCertificateChain { return certs_[i]; } + std::vector<base::StringPiece> AsStringPieceVector() const { + std::vector<base::StringPiece> v(size()); + for (unsigned i = 0; i < size(); i++) { + v[i] = base::StringPiece( + reinterpret_cast<const char*>(certs_[i]->derCert.data), + certs_[i]->derCert.len); + } + + return v; + } + private: unsigned num_certs_; CERTCertificate** certs_; @@ -407,7 +419,8 @@ class PeerCertificateChain { SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketNSS::BufferSendComplete)), ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( @@ -443,7 +456,8 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, net_log_(transport_socket->socket()->NetLog()), predicted_npn_status_(kNextProtoUnsupported), predicted_npn_proto_used_(false), - ssl_host_info_(ssl_host_info) { + ssl_host_info_(ssl_host_info), + dnsrr_resolver_(dnsrr_resolver) { EnterFunction(""); } 
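Review bot: `AsStringPieceVector()` returns `StringPiece`s that point straight at `certs_[i]->derCert.data`, and nothing on the method says how long they stay valid. Both callers in this commit use the result while the `PeerCertificateChain` is still in scope, and the checker copies each piece with `as_string()`, so today's uses look safe. A caller that stores the vector would be left with dangling views once the chain is destroyed, assuming the chain releases its certificates in its destructor, which is outside the hunk. A one-line comment would do: `// The returned pieces alias the certificates' DER buffers and are only valid while this object is alive.`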
@@ -1086,14 +1100,8 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() { server_cert_nss_ = SSL_PeerCertificate(nss_fd_); if (server_cert_nss_) { PeerCertificateChain certs(nss_fd_); - std::vector<base::StringPiece> der_certs(certs.size()); - - for (unsigned i = 0; i < certs.size(); i++) { - der_certs[i] = base::StringPiece( - reinterpret_cast<const char*>(certs[i]->derCert.data), - certs[i]->derCert.len); - } - server_cert_ = X509Certificate::CreateFromDERCertChain(der_certs); + server_cert_ = X509Certificate::CreateFromDERCertChain( + certs.AsStringPieceVector()); } } return server_cert_; @@ -2305,6 +2313,14 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { +#if !defined(USE_OPENSSL) + if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) { + PeerCertificateChain certs(nss_fd_); + DoAsyncDNSCertProvenanceVerification( + hostname_, dnsrr_resolver_, certs.AsStringPieceVector()); + } +#endif + if (ssl_config_.dnssec_enabled) { DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_); if (r == DNSVR_SUCCESS) { diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index 821abe4..2720c1d 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -30,6 +30,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; +class DnsRRResolver; class SSLHostInfo; class X509Certificate; @@ -43,7 +44,8 @@ class SSLClientSocketNSS : public SSLClientSocket { SSLClientSocketNSS(ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); ~SSLClientSocketNSS(); // SSLClientSocket methods: 
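Review bot: In `DoVerifyDNSSEC` the provenance lookup is started and then forgotten: nothing it finds reaches `result`, and from the visible code it runs on whatever chain the peer sent, ahead of the `dnssec_enabled` check and apparently before certificate verification. A reader could easily take this for an enforcing check, so I would say so at the call: `// Advisory only: the result is logged by the checker and does not affect the handshake.` The `#if !defined(USE_OPENSSL)` guard also looks redundant, since net.gyp in this commit already lists ssl_client_socket_nss.cc under `sources!` for `use_openssl==1`. The function body continues outside the hunk.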
@@ -247,6 +249,7 @@ class SSLClientSocketNSS : public SSLClientSocket { bool predicted_npn_proto_used_; scoped_ptr<SSLHostInfo> ssl_host_info_; + DnsRRResolver* const dnsrr_resolver_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index a4c87fa..f4e8215 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc @@ -18,10 +18,11 @@ SSLClientSocket* SSLClientSocketNSSFactory( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, - shi.release()); + shi.release(), dnsrr_resolver); } } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index d454bb9..29f9af4 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -10,6 +10,7 @@ namespace net { +class DnsRRResolver; class SSLHostInfo; // Creates SSLClientSocketNSS objects. @@ -17,7 +18,8 @@ SSLClientSocket* SSLClientSocketNSSFactory( ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver); } // namespace net diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index bd4a09b..a7eea3a 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc 
@@ -285,7 +285,8 @@ int SSLConnectJob::DoSSLConnect() { ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( transport_socket_handle_.release(), params_->hostname(), - params_->ssl_config(), ssl_host_info_.release())); + params_->ssl_config(), ssl_host_info_.release(), + dnsrr_resolver_)); return ssl_socket_->Connect(&callback_); } diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc index 1a4ca02..e53e264 100644 --- a/net/socket/tcp_client_socket_pool_unittest.cc +++ b/net/socket/tcp_client_socket_pool_unittest.cc @@ -250,7 +250,8 @@ class MockClientSocketFactory : public ClientSocketFactory { ClientSocketHandle* transport_socket, const std::string& hostname, const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info) { + SSLHostInfo* ssl_host_info, + DnsRRResolver* dnsrr_resolver) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; |