net: detect and error out with ESET/NetNanny HTTPS interception + False Start

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 403 matching lines @@
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_write_callback_(NULL),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       client_auth_cert_needed_(false),
       handshake_callback_called_(false),
       completed_handshake_(false),
       pseudo_connected_(false),
+      eset_mitm_detected_(false),
+      netnanny_mitm_detected_(false),
       dnssec_provider_(NULL),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL),
       net_log_(transport_socket->socket()->NetLog()),
       predicted_npn_status_(kNextProtoUnsupported),
       predicted_npn_proto_used_(false) {
   EnterFunction("");
 }
 
@@ skipping 554 matching lines @@
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
   server_cert_           = NULL;
   if (server_cert_nss_) {
     CERT_DestroyCertificate(server_cert_nss_);
     server_cert_nss_     = NULL;
   }
   server_cert_verify_result_.Reset();
   completed_handshake_   = false;
   pseudo_connected_      = false;
+  eset_mitm_detected_    = false;
+  netnanny_mitm_detected_= false;
   nss_bufs_              = NULL;
   client_certs_.clear();
   client_auth_cert_needed_ = false;
 
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
   // Ideally, we should also check if we have received the close_notify alert
   // message from the server, and return false in that case.  We're not doing
@@ skipping 724 matching lines @@
   if (rv != SECSuccess)
     NOTREACHED();
   if (false_start) {
     SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
     if (!that->handshake_callback_called_) {
       that->corked_ = true;
       that->uncork_timer_.Start(
           base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
           that, &SSLClientSocketNSS::UncorkAfterTimeout);
     }
+
+    // ESET anti-virus is capable of intercepting HTTPS connections on Windows.
+    // However, it is False Start intolerant and causes the connections to hang
+    // forever. We detect ESET by the issuer of the leaf certificate and set a
+    // flag to return a specific error, giving the user instructions for
+    // reconfiguring ESET.
+    CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_);
+    if (cert) {
+      char* common_name = CERT_GetCommonName(&cert->issuer);
+      if (common_name) {
+        if (strcmp(common_name, "ESET_RootSslCert") == 0)
+          that->eset_mitm_detected_ = true;
+        if (strcmp(common_name, "ContentWatch Root Certificate Authority") == 0)
+          that->netnanny_mitm_detected_ = true;
+        PORT_Free(common_name);
+      }
+      CERT_DestroyCertificate(cert);
+    }
   }
 #endif
 
   // Tell NSS to not verify the certificate.
   return SECSuccess;
 }
 
 // static
 // NSS calls this if a client certificate is needed.
 // Based on Mozilla's NSS_GetClientAuthData.
@@ skipping 265 matching lines @@
     // If the handshake already succeeded (because the server requests but
     // doesn't require a client cert), we need to invalidate the SSL session
     // so that we won't try to resume the non-client-authenticated session in
     // the next handshake.  This will cause the server to ask for a client
     // cert again.
     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) {
       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
     }
   } else if (rv == SECSuccess) {
     if (handshake_callback_called_) {
-      SaveSnapStartInfo();
-      // SSL handshake is completed. It's possible that we mispredicted the NPN
-      // agreed protocol. In this case, we've just sent a request in the wrong
-      // protocol! The higher levels of this network stack aren't prepared for
-      // switching the protocol like that so we make up an error and rely on
-      // the fact that the request will be retried.
-      if (IsNPNProtocolMispredicted()) {
-        LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_;
-        net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;
+      if (eset_mitm_detected_) {
+        net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION;
+      } else if (netnanny_mitm_detected_) {
+        net_error = ERR_NETNANNY_SSL_INTERCEPTION;
       } else {
-        // Let's verify the certificate.
-        GotoState(STATE_VERIFY_DNSSEC);
+        SaveSnapStartInfo();
+        // SSL handshake is completed. It's possible that we mispredicted the NPN
+        // agreed protocol. In this case, we've just sent a request in the wrong
+        // protocol! The higher levels of this network stack aren't prepared for
+        // switching the protocol like that so we make up an error and rely on
+        // the fact that the request will be retried.
+        if (IsNPNProtocolMispredicted()) {
+          LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_;
+          net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;
+        } else {
+          // Let's verify the certificate.
+          GotoState(STATE_VERIFY_DNSSEC);
+        }
       }
       // Done!
     } else {
       // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 -
       // SSL_ForceHandshake returned SECSuccess prematurely.
       rv = SECFailure;
       net_error = ERR_SSL_PROTOCOL_ERROR;
       net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                         new SSLErrorParams(net_error, 0));
     }
@@ skipping 367 matching lines @@
     return ERR_IO_PENDING;
   }
   LeaveFunction("");
   rv = MapNSPRError(prerr);
   net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR,
                     new SSLErrorParams(rv, prerr));
   return rv;
 }
 
 }  // namespace net