From 52f3fad3ed3ad8ccca2026dc253474bb531737d7 Mon Sep 17 00:00:00 2001
From: "wtc@chromium.org"
 <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Mon, 21 Sep 2009 19:27:36 +0000
Subject: Don't use NSS databases for non-essential purposes, such as
 remembering the intermediate CA certificates we see, because NSS's
 connections to the SQLite databases go bad if the file system where the
 databases reside is gone, even just transiently.

Add the hostname to the error log message for CERT_PKIXVerifyCert failure.

R=eroman,ukai
BUG=15630
TEST=existing unit tests should pass.
Review URL: http://codereview.chromium.org/214028

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26714 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/socket/ssl_client_socket_nss.cc | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'net/socket')

diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 1f35728..05549da 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -755,6 +755,16 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
 
   if (result == OK) {
     // Remember the intermediate CA certs if the server sends them to us.
+    //
+    // We used to remember the intermediate CA certs in the NSS database
+    // persistently.  However, NSS opens a connection to the SQLite database
+    // during NSS initialization and doesn't close the connection until NSS
+    // shuts down.  If the file system where the database resides is gone,
+    // the database connection goes bad.  What's worse, the connection won't
+    // recover when the file system comes back.  Until this NSS or SQLite bug
+    // is fixed, we need to  avoid using the NSS database for non-essential
+    // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
+    // http://crbug.com/15630 for more info.
     CERTCertList* cert_list = CERT_GetCertChainFromCert(
         server_cert_->os_cert_handle(), PR_Now(), certUsageSSLCA);
     if (cert_list) {
@@ -772,15 +782,8 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
         }
 
         // We have found a CA cert that we want to remember.
-        std::string nickname(GetDefaultCertNickname(node->cert));
-        if (!nickname.empty()) {
-          PK11SlotInfo* slot = PK11_GetInternalKeySlot();
-          if (slot) {
-            PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,
-                            const_cast<char*>(nickname.c_str()), PR_FALSE);
-            PK11_FreeSlot(slot);
-          }
-        }
+        // TODO(wtc): Remember the intermediate CA certs in a std::set
+        // temporarily (http://crbug.com/15630).
       }
       CERT_DestroyCertList(cert_list);
     }
-- 
cgit v1.1