| Index: net/socket/ssl_client_socket_nss.cc
|
| ===================================================================
|
| --- net/socket/ssl_client_socket_nss.cc (revision 65819)
|
| +++ net/socket/ssl_client_socket_nss.cc (working copy)
|
| @@ -396,7 +396,7 @@
|
| } // namespace
|
|
|
| SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
|
| - const std::string& hostname,
|
| + const HostPortPair& host_and_port,
|
| const SSLConfig& ssl_config,
|
| SSLHostInfo* ssl_host_info,
|
| DnsRRResolver* dnsrr_resolver)
|
| @@ -410,7 +410,7 @@
|
| ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
|
| this, &SSLClientSocketNSS::OnHandshakeIOComplete)),
|
| transport_(transport_socket),
|
| - hostname_(hostname),
|
| + host_and_port_(host_and_port),
|
| ssl_config_(ssl_config),
|
| user_connect_callback_(NULL),
|
| user_read_callback_(NULL),
|
| @@ -479,7 +479,8 @@
|
| }
|
| net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START,
|
| new NetLogIntegerParameter("type", snap_start_type));
|
| - LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;
|
| + LOG(ERROR) << "Snap Start: " << snap_start_type << " "
|
| + << host_and_port_.host();
|
| if (snap_start_type == SSL_SNAP_START_FULL ||
|
| snap_start_type == SSL_SNAP_START_RESUME) {
|
| // If we did a successful Snap Start then our information was correct and
|
| @@ -518,7 +519,7 @@
|
| certs[i]->derCert.len));
|
| }
|
|
|
| - LOG(ERROR) << "Setting Snap Start info " << hostname_;
|
| + LOG(ERROR) << "Setting Snap Start info " << host_and_port_.host();
|
| ssl_host_info_->Persist();
|
| }
|
|
|
| @@ -741,7 +742,8 @@
|
| rv = SSL_OptionSet(
|
| nss_fd_, SSL_ENABLE_FALSE_START,
|
| ssl_config_.false_start_enabled &&
|
| - !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_));
|
| + !SSLConfigService::IsKnownFalseStartIncompatibleServer(
|
| + host_and_port_.host()));
|
| if (rv != SECSuccess)
|
| LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
|
| #endif
|
| @@ -758,7 +760,7 @@
|
| #ifdef SSL_ENABLE_RENEGOTIATION
|
| // Deliberately disable this check for now: http://crbug.com/55410
|
| if (false &&
|
| - SSLConfigService::IsKnownStrictTLSServer(hostname_) &&
|
| + SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) &&
|
| !ssl_config_.mitm_proxies_allowed) {
|
| rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
|
| if (rv != SECSuccess) {
|
| @@ -823,7 +825,7 @@
|
| }
|
|
|
| // Tell SSL the hostname we're trying to connect to.
|
| - SSL_SetURL(nss_fd_, hostname_.c_str());
|
| + SSL_SetURL(nss_fd_, host_and_port_.host().c_str());
|
|
|
| // Tell SSL we're a client; needed if not letting NSPR do socket I/O
|
| SSL_ResetHandshake(nss_fd_, 0);
|
| @@ -858,10 +860,7 @@
|
| // Set the peer ID for session reuse. This is necessary when we create an
|
| // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
|
| // rather than the destination server's address in that case.
|
| - // TODO(wtc): port in |peer_address| is not the server's port when a proxy is
|
| - // used.
|
| - std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(),
|
| - peer_address.GetPort());
|
| + std::string peer_id = host_and_port_.ToString();
|
| SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
|
| if (rv != SECSuccess)
|
| LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
|
| @@ -1140,7 +1139,7 @@
|
| ssl_connection_status_ |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
|
| // Log an informational message if the server does not support secure
|
| // renegotiation (RFC 5746).
|
| - VLOG(1) << "The server " << hostname_
|
| + VLOG(1) << "The server " << host_and_port_.host()
|
| << " does not support the TLS renegotiation_info extension.";
|
| }
|
| UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
|
| @@ -1184,7 +1183,7 @@
|
| void SSLClientSocketNSS::GetSSLCertRequestInfo(
|
| SSLCertRequestInfo* cert_request_info) {
|
| EnterFunction("");
|
| - cert_request_info->host_and_port = hostname_; // TODO(wtc): no port!
|
| + cert_request_info->host_and_port = host_and_port_.ToString();
|
| cert_request_info->client_certs = client_certs_;
|
| LeaveFunction(cert_request_info->client_certs.size());
|
| }
|
| @@ -2158,7 +2157,8 @@
|
| // prepared for switching the protocol like that so we make up an error
|
| // and rely on the fact that the request will be retried.
|
| if (IsNPNProtocolMispredicted()) {
|
| - LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_;
|
| + LOG(WARNING) << "Mispredicted NPN protocol for "
|
| + << host_and_port_.host();
|
| net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;
|
| } else {
|
| // Let's verify the certificate.
|
| @@ -2347,16 +2347,9 @@
|
| }
|
|
|
| int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
|
| -#if !defined(USE_OPENSSL)
|
| - if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) {
|
| - PeerCertificateChain certs(nss_fd_);
|
| - DoAsyncDNSCertProvenanceVerification(
|
| - hostname_, dnsrr_resolver_, certs.AsStringPieceVector());
|
| - }
|
| -#endif
|
| -
|
| if (ssl_config_.dnssec_enabled) {
|
| - DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);
|
| + DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
|
| + server_cert_nss_);
|
| if (r == DNSVR_SUCCESS) {
|
| local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
|
| server_cert_verify_result_ = &local_server_cert_verify_result_;
|
| @@ -2452,7 +2445,7 @@
|
| flags |= X509Certificate::VERIFY_EV_CERT;
|
| verifier_.reset(new CertVerifier);
|
| server_cert_verify_result_ = &local_server_cert_verify_result_;
|
| - return verifier_->Verify(server_cert_, hostname_, flags,
|
| + return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
|
| &local_server_cert_verify_result_,
|
| &handshake_io_callback_);
|
| }
|
|
|
Chromium Code Reviews
Issue 4339001:
Correctly handle SSL Client Authentication requests when connecting... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/