Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2216)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_mac.cc

Issue 1514004: Mac SSL fix: Go back to not enabling break-on-auth when we have a client cert to send. (Closed)
Patch Set: Set cert up-front as well as on demand. Created 10 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_mac.cc
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index ad3c747c47790609e6cbbc82c8fc4f3874d09ef6..bde0edb2523e4d613a27ed4b48419e76be233caa 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -774,15 +774,29 @@ int SSLClientSocketMac::InitializeSSLContext() {
if (status)
return NetErrorFromOSStatus(status);
- // If break-on-auth is not available, we do not enable session
- // resumption, because in that case we are verifying the server's certificate
- // after the handshake completes (but before any application data is
- // exchanged). If we were to enable session resumption in this situation,
- // the session would be cached before we verified the certificate, leaving
- // the potential for a session in which the certificate failed to validate
- // to still be able to be resumed.
+ if (ssl_config_.send_client_cert) {
+ // Provide the client cert up-front if we have one, even though we'll get
+ // notified later when the server requests it, and set it again; this is
+ // seemingly redundant but works around a problem with SecureTransport
+ // and provides correct behavior on both 10.5 and 10.6:
+ // http://lists.apple.com/archives/apple-cdsa/2010/Feb/msg00058.html
+ // http://code.google.com/p/chromium/issues/detail?id=38905
+ SSL_LOG << "Setting client cert in advance because send_client_cert is set";
+ status = SetClientCert();
wtc 2010/03/30 19:17:52 The other two SetClientCert() calls are now redund
+ if (status)
+ return NetErrorFromOSStatus(status);
+ }
+
status = EnableBreakOnAuth(true);
if (status == noErr) {
+ // Only enable session resumption if break-on-auth is available,
wtc 2010/03/30 19:17:52 You changed the sense of this sentence (from "is n
+ // because with break-on-auth we are verifying the server's certificate
+ // after the handshake completes (but before any application data is
+ // exchanged). If we were to enable session resumption in this situation,
+ // the session would be cached before we verified the certificate, leaving
+ // the potential for a session in which the certificate failed to validate
+ // to still be able to be resumed.
+
// Concatenate the hostname and peer address to use as the peer ID. To
// resume a session, we must connect to the same server on the same port
// using the same hostname (i.e., localhost and 127.0.0.1 are considered
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698