Chromium Code Reviews Chromium Code Reviews
Issue 6120002:
Disable False Start and clear the SSL client auth cache for HTTPS proxies on failure (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <math.h> // ceil | 7 #include <math.h> // ceil |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| (...skipping 8353 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8364 &client_cert)); | 8364 &client_cert)); |
| 8365 ASSERT_EQ(NULL, client_cert.get()); | 8365 ASSERT_EQ(NULL, client_cert.get()); |
| 8366 rv = callback.WaitForResult(); | 8366 rv = callback.WaitForResult(); |
| 8367 | 8367 |
| 8368 // Now that the new handshake has failed, ensure that the client | 8368 // Now that the new handshake has failed, ensure that the client |
| 8369 // certificate was removed from the client auth cache. | 8369 // certificate was removed from the client auth cache. |
| 8370 ASSERT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); | 8370 ASSERT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); |
| 8371 ASSERT_FALSE(session->ssl_client_auth_cache()->Lookup("www.example.com:443", | 8371 ASSERT_FALSE(session->ssl_client_auth_cache()->Lookup("www.example.com:443", |
| 8372 &client_cert)); | 8372 &client_cert)); |
| 8373 } | 8373 } |
| 8374 | 8374 |
|
agl
2011/01/07 15:28:28
extra blank line.
| |
| 8375 | |
| 8376 // Ensure that a client certificate is removed from the SSL client auth | |
| 8377 // cache when: | |
| 8378 // 1) An HTTPS proxy is involved. | |
| 8379 // 3) SSL is being used through the HTTPS proxy. | |
| 8380 // 3) The HTTPS proxy requests a client certificate. | |
| 8381 // 4) The client supplies an invalid/unacceptable certificate for the | |
| 8382 // proxy. | |
| 8383 TEST_F(HttpNetworkTransactionTest, Proxy_ClientAuthCertCache) { | |
| 8384 SessionDependencies session_deps( | |
| 8385 ProxyService::CreateFixed("https://proxy:70")); | |
| 8386 CapturingBoundNetLog log(CapturingNetLog::kUnbounded); | |
| 8387 session_deps.net_log = log.bound().net_log(); | |
| 8388 | |
| 8389 // See Direct_ClientAuthCertCache_NoFalseStart for the explanation of | |
| 8390 // [ssl_]data[1-3]. Rather than represending the endpoint | |
| 8391 // (www.example.com:443), they represent failures with the HTTPS proxy | |
| 8392 // (proxy:70). | |
| 8393 SSLSocketDataProvider ssl_data1(true /* async */, | |
| 8394 net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED); | |
| 8395 SSLSocketDataProvider ssl_data2(true /* async */, | |
| 8396 net::ERR_SSL_PROTOCOL_ERROR); | |
| 8397 SSLSocketDataProvider ssl_data3(true /* async */, | |
| 8398 net::ERR_SSL_PROTOCOL_ERROR); | |
| 8399 scoped_refptr<SSLCertRequestInfo> cert_request(new SSLCertRequestInfo()); | |
| 8400 cert_request->host_and_port = "proxy:70"; | |
| 8401 ssl_data1.cert_request_info = cert_request.get(); | |
| 8402 ssl_data2.cert_request_info = cert_request.get(); | |
| 8403 ssl_data3.cert_request_info = cert_request.get(); | |
| 8404 | |
| 8405 // Not particularly interested in the individual reads/writes, as the | |
| 8406 // SSL client auth cache is what is under inspection. | |
| 8407 net::StaticSocketDataProvider data1(NULL, 0, NULL, 0); | |
| 8408 net::StaticSocketDataProvider data2(NULL, 0, NULL, 0); | |
| 8409 net::StaticSocketDataProvider data3(NULL, 0, NULL, 0); | |
| 8410 | |
| 8411 session_deps.socket_factory.AddSSLSocketDataProvider(&ssl_data1); | |
| 8412 session_deps.socket_factory.AddSSLSocketDataProvider(&ssl_data2); | |
| 8413 session_deps.socket_factory.AddSSLSocketDataProvider(&ssl_data3); | |
| 8414 session_deps.socket_factory.AddSocketDataProvider(&data1); | |
| 8415 session_deps.socket_factory.AddSocketDataProvider(&data2); | |
| 8416 session_deps.socket_factory.AddSocketDataProvider(&data3); | |
| 8417 | |
| 8418 scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps)); | |
| 8419 scoped_ptr<HttpNetworkTransaction> trans(new HttpNetworkTransaction(session)); | |
| 8420 | |
| 8421 net::HttpRequestInfo request_info; | |
| 8422 request_info.url = GURL("https://www.example.com/"); | |
| 8423 request_info.method = "GET"; | |
| 8424 request_info.load_flags = net::LOAD_NORMAL; | |
| 8425 | |
| 8426 TestCompletionCallback callback; | |
| 8427 int rv = trans->Start(&request_info, &callback, net::BoundNetLog()); | |
| 8428 ASSERT_EQ(net::ERR_IO_PENDING, rv); | |
| 8429 rv = callback.WaitForResult(); | |
| 8430 ASSERT_EQ(net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv); | |
| 8431 | |
| 8432 // Supply a dummy certificate. The SSLClientAuthCertCache tests ensure | |
| 8433 // this test should behave the same as if this test used a real cert. | |
| 8434 rv = trans->RestartWithCertificate(NULL, &callback); | |
| 8435 ASSERT_EQ(net::ERR_IO_PENDING, rv); | |
| 8436 | |
| 8437 // Ensure the certificate was added to the client auth cache before | |
| 8438 // allowing the connection to continue restarting. | |
| 8439 scoped_refptr<X509Certificate> client_cert; | |
| 8440 ASSERT_TRUE(session->ssl_client_auth_cache()->Lookup("proxy:70", | |
| 8441 &client_cert)); | |
| 8442 ASSERT_EQ(NULL, client_cert.get()); | |
| 8443 rv = callback.WaitForResult(); | |
| 8444 | |
| 8445 // Now that the new handshake has failed, ensure that the client | |
| 8446 // certificate was removed from the client auth cache. | |
| 8447 ASSERT_EQ(net::ERR_PROXY_CONNECTION_FAILED, rv); | |
| 8448 ASSERT_FALSE(session->ssl_client_auth_cache()->Lookup("proxy:70", | |
| 8449 &client_cert)); | |
| 8450 } | |
| 8451 | |
| 8375 } // namespace net | 8452 } // namespace net |
| OLD | NEW |
