path: root/net/socket/ssl_client_socket_nss.cc
Commit message | Author | Age | Files | Lines
* Enable TLS channel id by default. | mattm@chromium.org | 2012-09-15 | 1 | -2/+8
  Replace --enable-origin-bound-certs command line flag with --disable-tls-channel-id. Remove field trial. BUG=136462,129174 Review URL: https://chromiumcodereview.appspot.com/10910240 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@156939 0039d316-1c4b-4281-b951-d872f2087c98
* Increase the sizes of the circular buffers used by SSLClientSocketNSS | wtc@chromium.org | 2012-09-11 | 1 | -3/+7
  and SSLServerSocketNSS. Larger buffers result in fewer Read() and Write() calls, improving performance. R=rsleevi@chromium.org,agl@chromium.org BUG=69813 TEST=none Review URL: https://chromiumcodereview.appspot.com/10919167 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@155889 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-09-07 | 1 | -3/+2
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10826257 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@155365 0039d316-1c4b-4281-b951-d872f2087c98
* Check if the system time is within the range NSS can handle before advertising TLS channel id support. | mattm@chromium.org | 2012-09-05 | 1 | -7/+17
  BUG=142388 TEST=set year to 1601, run with --enable-origin-bound-certs, try connecting to google https sites. Review URL: https://chromiumcodereview.appspot.com/10896046 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@155046 0039d316-1c4b-4281-b951-d872f2087c98
* Rename X509Certificate::VerifyFlags to CertVerifier::VerifyFlags | rsleevi@chromium.org | 2012-08-23 | 1 | -3/+3
  Now that verification happens in CertVerifier::Verify(), the flags should be moved from X509Certificate into CertVerifier BUG=none Review URL: https://chromiumcodereview.appspot.com/10855168 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@152918 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 150375 - Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-08-08 | 1 | -10/+6
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10825211 TBR=palmer@chromium.org Review URL: https://chromiumcodereview.appspot.com/10836150 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150507 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-08-07 | 1 | -6/+10
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10825211 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150375 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 150124 - Implement SHA-256 fingerprint support. | dimich@chromium.org | 2012-08-06 | 1 | -10/+6
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. This CL reverts 149268, which reverted 149261 the previous version of this CL. It includes a fix to the compile problem that necessitated 149268. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10836062 TBR=palmer@chromium.org Review URL: https://chromiumcodereview.appspot.com/10836120 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150166 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support. | palmer@chromium.org | 2012-08-06 | 1 | -6/+10
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. This CL reverts 149268, which reverted 149261 the previous version of this CL. It includes a fix to the compile problem that necessitated 149268. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10836062 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150124 0039d316-1c4b-4281-b951-d872f2087c98
* net: disable SSL compression | agl@chromium.org | 2012-08-02 | 1 | -11/+0
  This change also updates the page-info dialog to assume that compression isn't used. It doesn't, however, remove the message from the .grd file in order to make this change easier to merge. BUG=139744 Review URL: https://chromiumcodereview.appspot.com/10823111 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149672 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 149261 - Support SHA-256 in public key pins for HTTPS. | vandebo@chromium.org | 2012-07-31 | 1 | -10/+6
  Broke the compile on CrOS. Looks like const-ness problem: net/socket/ssl_client_socket_nss.cc: In member function 'int net::SSLClientSocketNSS::DoVerifyCertComplete(int)': net/socket/ssl_client_socket_nss.cc:3458:error: no matching function for call to 'net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(std::vector<std::vector<net::HashValue, std::allocator<net::HashValue> >, std::allocator<std::vector<net::HashValue, std::allocator<net::HashValue> > > >&)' ./net/base/transport_security_state.h:94: note: candidates are: bool net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(const net::HashValueVector&) const The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10545166 TBR=palmer@chromium.org Review URL: https://chromiumcodereview.appspot.com/10827104 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149268 0039d316-1c4b-4281-b951-d872f2087c98
* Support SHA-256 in public key pins for HTTPS. | palmer@chromium.org | 2012-07-31 | 1 | -6/+10
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10545166 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149261 0039d316-1c4b-4281-b951-d872f2087c98
* Add a new GetTlsUniqueChannelBinding method to SSLSocket, and implement nss version. | rch@chromium.org | 2012-07-31 | 1 | -0/+16
  BUG=139700 Review URL: https://chromiumcodereview.appspot.com/10823084 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149231 0039d316-1c4b-4281-b951-d872f2087c98
* Change SpdySession::GetSSLInfo to get the SSLInfo from the underlying socket | rch@chromium.org | 2012-07-19 | 1 | -2/+3
  even if the session is not "secure". This required refactoring StreamSocket to add WasNpnNegotiated() and GetSSLInfo() methods. This allows for a change to SpdySession::GetSSLInfo to accurately return the correct SSLInfo in the case of SPDY Proxy sessions. BUG=134690 TEST=*DoNotUseSpdySessionIfCertDoesNotMatch* Review URL: https://chromiumcodereview.appspot.com/10690122 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@147479 0039d316-1c4b-4281-b951-d872f2087c98
* Switch the NSS thread from being a base::Thread to a base::SequencedWorkerPool of 1 | rsleevi@chromium.org | 2012-07-10 | 1 | -4/+4
  BUG=135435 TEST=existing + tsan bots Review URL: https://chromiumcodereview.appspot.com/10749009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@145977 0039d316-1c4b-4281-b951-d872f2087c98
* NSS Channel ID: don't check ECC support on every socket creation. | mattm@chromium.org | 2012-07-09 | 1 | -8/+3
  Add static function to ECPrivateKey to get which NSS slot it uses. BUG=127506 Review URL: https://chromiumcodereview.appspot.com/10700099 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@145777 0039d316-1c4b-4281-b951-d872f2087c98
* Remove SSLHostInfo. | agl@chromium.org | 2012-06-27 | 1 | -148/+23
  BUG=105208 TEST=none git-svn-id: svn://svn.chromium.org/chrome/trunk/src@144468 0039d316-1c4b-4281-b951-d872f2087c98
* Convert SSLClientSocketNSS to use the NSS Channel ID callback. | mattm@chromium.org | 2012-06-26 | 1 | -149/+141
  BUG=129174,127506 TEST=run a TLS Channel ID supporting server, try connecting to it. TBR=joi@chromium.org Review URL: https://chromiumcodereview.appspot.com/10560020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@144093 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 141941 temporarily - Allow ERR_CONNECTION_RESET during the SSL | wtc@chromium.org | 2012-06-20 | 1 | -17/+0
  handshake to trigger a TLS 1.1 -> TLS 1.0 fallback. This will allow us to detect more network devices that reset TCP connections during TLS 1.1 handshakes. Original review URL: https://chromiumcodereview.appspot.com/10493003 R=agl@chromium.org BUG=130293 TEST=none Review URL: https://chromiumcodereview.appspot.com/10573033 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@143215 0039d316-1c4b-4281-b951-d872f2087c98
* NetLogEventParameter to Callback refactoring 9. | mmenke@chromium.org | 2012-06-14 | 1 | -111/+53
  Get rid of all uses of NetLogEventParameters in net/socket. R=eroman@chromium.org BUG=126243 Review URL: https://chromiumcodereview.appspot.com/10546162 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@142224 0039d316-1c4b-4281-b951-d872f2087c98
* Allow ERR_CONNECTION_RESET during the SSL handshake to trigger a | wtc@chromium.org | 2012-06-13 | 1 | -0/+17
  TLS 1.1 -> TLS 1.0 fallback. R=agl@chromium.org,rsleevi@chromium.org BUG=130293,126340 TEST=none Review URL: https://chromiumcodereview.appspot.com/10493003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141941 0039d316-1c4b-4281-b951-d872f2087c98
* Fix NetLog thread safety issue introduced in | mmenke@chromium.org | 2012-06-13 | 1 | -1/+3
  http://codereview.chromium.org/10539094/. We weren't holding on to a reference for an x509Certificate passed to another thread for logging. BUG=126243 Review URL: https://chromiumcodereview.appspot.com/10534117 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141812 0039d316-1c4b-4281-b951-d872f2087c98
* NetLogEventParameter to Callback refactoring 1, | mmenke@chromium.org | 2012-06-12 | 1 | -4/+19
  Get rid of all uses of NetLogEventParameters in net/base, with the exception of net_log itself, of course. R=eroman@chromium.org BUG=126243 Review URL: https://chromiumcodereview.appspot.com/10539094 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141666 0039d316-1c4b-4281-b951-d872f2087c98
* Make NetLog take in callbacks that return Values rather | mmenke@chromium.org | 2012-06-10 | 1 | -22/+33
  than refcounted objects. Avoids the need to create classes and copy data. Also no longer get time whenever an event is logged. BUG=126243 Review URL: https://chromiumcodereview.appspot.com/10399083 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141377 0039d316-1c4b-4281-b951-d872f2087c98
* Add DCHECK in SSL sockets to check that callbacks are not set to null. | sergeyu@chromium.org | 2012-06-08 | 1 | -0/+3
  The new DCHECKs would make it easier to debug the linked bug. BUG=129658 Review URL: https://chromiumcodereview.appspot.com/10545074 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141135 0039d316-1c4b-4281-b951-d872f2087c98
* fixed issue 128383 - replace GetPeerAddress(AddressList* address) with GetPeerAddress(IPEndPoint* address) | zhaoqin@chromium.org | 2012-06-08 | 1 | -3/+3
  R=szym@chromium.org BUG=128383 TEST=try bot Review URL: https://chromiumcodereview.appspot.com/10491007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141125 0039d316-1c4b-4281-b951-d872f2087c98
* Map the certificate related SSL alerts to ERR_BAD_SSL_CLIENT_AUTH_CERT | wtc@chromium.org | 2012-06-07 | 1 | -3/+34
  on the client side. Move MapNSSHandshakeError to ssl_client_socket_nss.cc (and rename it MapNSSClientHandshakeError) because it is specific to the client side. R=rsleevi@chromium.org BUG=129209 TEST=none Review URL: https://chromiumcodereview.appspot.com/10332300 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140897 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 140846 - (relanding r140697) | rsleevi@chromium.org | 2012-06-06 | 1 | -1479/+2476
  Move the core state machine of SSLClientSocketNSS into a thread-safe Core NSS SSL functions may block on the underlying PKCS#11 modules or on user input. On ChromeOS, which has a hardware TPM, calls may take upwards of several seconds, preventing any IPC due to the I/O thread being blocked. To avoid blocking the I/O thread on ChromeOS, move the core SSL implementation to a dedicated worker thread, so that only SSL sockets are blocked. BUG=122355 TEST=existing net_unittests + see bug. Review URL: https://chromiumcodereview.appspot.com/10454066 TBR=rsleevi@chromium.org Review URL: https://chromiumcodereview.appspot.com/10546033 TBR=rsleevi@chromium.org Review URL: https://chromiumcodereview.appspot.com/10543036 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140856 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 140697 - Maybe caused sizes regression (which would be acceptable | rsleevi@chromium.org | 2012-06-06 | 1 | -2476/+1479
  and this will be relanded), but revert to be sure it wasn't something else. Move the core state machine of SSLClientSocketNSS into a thread-safe Core NSS SSL functions may block on the underlying PKCS#11 modules or on user input. On ChromeOS, which has a hardware TPM, calls may take upwards of several seconds, preventing any IPC due to the I/O thread being blocked. To avoid blocking the I/O thread on ChromeOS, move the core SSL implementation to a dedicated worker thread, so that only SSL sockets are blocked. BUG=122355 TEST=existing net_unittests + see bug. Review URL: https://chromiumcodereview.appspot.com/10454066 TBR=rsleevi@chromium.org Review URL: https://chromiumcodereview.appspot.com/10546033 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140846 0039d316-1c4b-4281-b951-d872f2087c98
* Move the core state machine of SSLClientSocketNSS into a thread-safe Core | rsleevi@chromium.org | 2012-06-06 | 1 | -1479/+2476
  NSS SSL functions may block on the underlying PKCS#11 modules or on user input. On ChromeOS, which has a hardware TPM, calls may take upwards of several seconds, preventing any IPC due to the I/O thread being blocked. To avoid blocking the I/O thread on ChromeOS, move the core SSL implementation to a dedicated worker thread, so that only SSL sockets are blocked. BUG=122355 TEST=existing net_unittests + see bug. Review URL: https://chromiumcodereview.appspot.com/10454066 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140697 0039d316-1c4b-4281-b951-d872f2087c98
* Use TLS 1.1. | wtc@chromium.org | 2012-05-26 | 1 | -13/+13
  Enable SSL 3.0 ~ TLS 1.1 by default. If the SSLClientSocket class does not support TLS 1.1, enable SSL 3.0 ~ TLS 1.0 by default. TLS intolerant servers are handled by falling back to the next lower protocol version at a time, rather than falling back to SSL 3.0 directly. In the SSLConfig structure, replace the ssl3_enabled and tls1_enabled members by version_min and version_max to allow multiple, contiguous protocol versions to be enabled, and rename the ssl3_fallback member to version_fallback. The preferences prefs::kSSL3Enabled and prefs::kTLS1Enabled are not yet removed. Generalize prefs::kTLS1Enabled to mean enabling or disabling all TLS versions. R=agl@chromium.org,rsleevi@chromium.org BUG=126340 TEST=net_unittests --gtest_filter=HTTPSRequestTest.TLSv1Fallback Review URL: https://chromiumcodereview.appspot.com/10377022 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@139204 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 138795 - Revert "nss: revert encrypted and origin bound certificates support." | agl@chromium.org | 2012-05-24 | 1 | -6/+3
  Cleaning up git-svn mess with drover. TBR=agl@chromium.org Review URL: https://chromiumcodereview.appspot.com/10451012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138796 0039d316-1c4b-4281-b951-d872f2087c98
* Revert "nss: revert encrypted and origin bound certificates support." | agl@chromium.org | 2012-05-24 | 1 | -3/+6
  Screwed up git branches in that change. git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138795 0039d316-1c4b-4281-b951-d872f2087c98
* nss: revert encrypted and origin bound certificates support. | agl@chromium.org | 2012-05-24 | 1 | -6/+3
  This change is the result of running patch -R to revert the two patches. A minor change is needed to ssl_client_socket_nss.cc in order for the result to compile. BUG=129174 TEST=none git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138793 0039d316-1c4b-4281-b951-d872f2087c98
* Removed unreached code related to ESET MITM detection. | rsleevi@chromium.org | 2012-05-19 | 1 | -58/+52
  This is unnecessary as of r131649 BUG=none TEST=net_unittests R=agl Review URL: https://chromiumcodereview.appspot.com/10392166 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@137986 0039d316-1c4b-4281-b951-d872f2087c98
* Prevent the infinite loop inside SSLClientSocketNSS::OnSendComplete. | wtc@chromium.org | 2012-05-16 | 1 | -4/+12
  Two fixes are added. 1) We stay in the loop only if we will call DoPayloadRead or DoPayloadWrite in the next iteration. 2) Don't call BufferRecv again if BufferRecv has reported EOF before. Each fix alone prevents the infinite loop. The second fix is less risky. If necessary, we can go with just the second fix. R=rsleevi@chromium.org BUG=127822 TEST=SSLServerSocketTest.WriteAfterPeerClose in net_unittests Review URL: https://chromiumcodereview.appspot.com/10382186 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@137485 0039d316-1c4b-4281-b951-d872f2087c98
* Replace DBC.Advertised with DomainBoundCerts.Support histogram. | mattm@chromium.org | 2012-05-09 | 1 | -4/+24
  BUG=124105 TEST=check about:histograms Review URL: https://chromiumcodereview.appspot.com/10350005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135983 0039d316-1c4b-4281-b951-d872f2087c98
* If generating a domain bound cert fails, continue the connection without it. | mattm@chromium.org | 2012-05-08 | 1 | -3/+9
  BUG=125768 TEST=hack ServerBoundCertService::GenerateCert to always fail Review URL: https://chromiumcodereview.appspot.com/10315008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135783 0039d316-1c4b-4281-b951-d872f2087c98
* Reimplements net::AddressList without struct addrinfo. | szym@chromium.org | 2012-05-07 | 1 | -6/+7
  net::AddressList extends std::vector<std::IPEndPoint> by canonical name. (Canonical name is planned to be removed as well.) Removes dependency on sys_addrinfo.h throughout the codebase. Introduces net::SockaddrStorage for convenience. BUG=125696 TEST=green waterfall Review URL: http://codereview.chromium.org/10309002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135731 0039d316-1c4b-4281-b951-d872f2087c98
* Remove log debug spam when using NSS for SSL. | rsleevi@chromium.org | 2012-05-04 | 1 | -3/+0
  This is already handled by the net-log BUG=126180 TEST=manual testing. Less log spam. Review URL: http://codereview.chromium.org/10372004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135273 0039d316-1c4b-4281-b951-d872f2087c98
* Only call SSL_OptionSet in an initial handshake. | wtc@chromium.org | 2012-05-02 | 1 | -0/+19
  This works around the locking problem with SSL_OptionSet in a renegotiation. The previous fix r134584 is reverted. R=agl@chromium.org,rsleevi@chromium.org BUG=125299 TEST=Run a Chrome debug build on Windows. Visit a site that does SSL renegotiation. There should be no assertion failure. For example, visit http://foaf.me, click the "Login to your account" link at the upper right corner of the page. Then press the "sign in" button. Review URL: http://codereview.chromium.org/10290002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134866 0039d316-1c4b-4281-b951-d872f2087c98
* Fix the official build. | palmer@chromium.org | 2012-05-01 | 1 | -2/+3
  Had a renamed method that is only called in official builds. BUG=113280, 120373 TBR=rsleevi@chromium.org Review URL: https://chromiumcodereview.appspot.com/10272036 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134758 0039d316-1c4b-4281-b951-d872f2087c98
* Refactor TransportSecurityState. | palmer@chromium.org | 2012-05-01 | 1 | -50/+0
  Do some minor "gcl lint" cleanup while here. BUG=113280, 120373 TEST=net_unittests, browser_tests, unit_tests TransportSecurityPersisterTest.* Review URL: http://codereview.chromium.org/9415040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134754 0039d316-1c4b-4281-b951-d872f2087c98
* net: don't set NSS options in a callback. | agl@chromium.org | 2012-04-30 | 1 | -10/+0
  This debugger traps in debug mode due to the locks held at the time that the callback is made. BUG=125299 TEST=none Review URL: http://codereview.chromium.org/10221018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134584 0039d316-1c4b-4281-b951-d872f2087c98
* Add histograms for domain bound certs. | mattm@chromium.org | 2012-04-27 | 1 | -0/+4
  BUG=124105 TEST=run with or without --enable-origin-bound-certs, check about:histograms Review URL: http://codereview.chromium.org/10174027 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134229 0039d316-1c4b-4281-b951-d872f2087c98
* net: only False Start with forward secret servers. | agl@chromium.org | 2012-04-20 | 1 | -0/+10
  Bodo made the point that we originally sacrificed an aspect of forward secrecy in order to use False Start widely. Specifically, an attacker can alter the handshake and cause a non-forward secure ciphersuite to be selected and the client's initial write will not be forward secret. Since we are no longer trying to use False Start everywhere, we can close that gap by only allowing it for forward secret connections. This change also addresses follow up comments on https://chromiumcodereview.appspot.com/10014010/ and adds the patch file that was missing in that change. BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/10136001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@133255 0039d316-1c4b-4281-b951-d872f2087c98
* net: False Start only for NPN capable servers. | agl@google.com | 2012-04-10 | 1 | -72/+4
  This change causes NSS only to False Start with NPN capable servers. It also removes the False Start blacklist and this has the effect of enabling 1/n-1 record splitting for those hosts that were previously on the blacklist. However, those hosts have been getting 1/n-1 from Opera, Firefox and IE for a few months now. BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/10014010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131649 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 122908 - Limited user feedback following the addition of this means we're spamming the LOG needlessly. | rsleevi@chromium.org | 2012-03-29 | 1 | -2/+0
  net: log the number of certificates from NSS. (Temporary change that should be reverted once the bug in question has been tracked down.) BUG=114709 TEST=none Review URL: http://codereview.chromium.org/9429010 TBR=agl@chromium.org NOTRY=true Review URL: http://codereview.chromium.org/9892007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@129541 0039d316-1c4b-4281-b951-d872f2087c98
* Make CertVerifier a pure virtual interface. | rsleevi@chromium.org | 2012-03-21 | 1 | -0/+1
  The existing CertVerifier implementation has been renamed to MultiThreadedCertVerifier, consistent with ProxyResolver naming. This is patch 1 of N for http://crbug.com/114343 BUG=114343 TEST=Compiles and existing unittests pass. Review URL: https://chromiumcodereview.appspot.com/9476035 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@128090 0039d316-1c4b-4281-b951-d872f2087c98
* Change Origin bound certs -> Domain bound certs. | mattm@chromium.org | 2012-03-20 | 1 | -50/+52
  BUG=115348 TEST=unit tests, manually checked 'Origin Bound Certs' contents after browsing TBR=jam@chromium.org,willchan@chromium.org Review URL: https://chromiumcodereview.appspot.com/9617039 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127817 0039d316-1c4b-4281-b951-d872f2087c98