From 289097611b67e397ca2242667a1745d3c1fd20e8 Mon Sep 17 00:00:00 2001 From: "wtc@chromium.org" Date: Wed, 2 May 2012 03:25:44 +0000 Subject: Only call SSL_OptionSet in an initial handshake. This works around the locking problem with SSL_OptionSet in a renegotiation. The previous fix r134584 is reverted. R=agl@chromium.org,rsleevi@chromium.org BUG=125299 TEST=Run a Chrome debug build on Windows. Visit a site that does SSL renegotiation. There should be no assertion failure. For example, visit http://foaf.me, click the "Login to your account" link at the upperright corner of the page. Then press the "sign in" button. Review URL: http://codereview.chromium.org/10290002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134866 0039d316-1c4b-4281-b951-d872f2087c98 --- net/socket/ssl_client_socket_nss.cc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'net/socket') diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 7c3440f..54152e9 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -2056,6 +2056,25 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server) { +#ifdef SSL_ENABLE_FALSE_START + SSLClientSocketNSS* that = reinterpret_cast(arg); + if (!that->server_cert_nss_) { + // Only need to turn off False Start in the initial handshake. Also, it is + // unsafe to call SSL_OptionSet in a renegotiation because the "first + // handshake" lock isn't already held, which will result in an assertion + // failure in the ssl_Get1stHandshakeLock call in SSL_OptionSet. + PRBool npn; + SECStatus rv = SSL_HandshakeNegotiatedExtension(socket, + ssl_next_proto_nego_xtn, + &npn); + if (rv != SECSuccess || !npn) { + // If the server doesn't support NPN, then we don't do False Start with + // it. + SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); + } + } +#endif + // Tell NSS to not verify the certificate. return SECSuccess; } -- cgit v1.1