We don't handle certificate errors during SSL renegotiation....

net/base/ssl_client_socket_win.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 
 #include "base/lock.h"
 #include "base/singleton.h"
@@ skipping 42 matching lines @@
     case SEC_E_INVALID_HANDLE:
       return ERR_UNEXPECTED;
     case SEC_E_OK:
       return OK;
     default:
       LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
       return ERR_FAILED;
   }
 }
 
+// Returns true if the two CERT_CONTEXTs contain the same certificate.
+bool SameCert(PCCERT_CONTEXT a, PCCERT_CONTEXT b) {
+  return a->cbCertEncoded == b->cbCertEncoded &&
+         memcmp(a->pbCertEncoded, b->pbCertEncoded, b->cbCertEncoded) == 0;
+}
+
 //-----------------------------------------------------------------------------
 
 // A bitmask consisting of these bit flags encodes which versions of the SSL
 // protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled.
 enum {
   SSL2 = 1 << 0,
   SSL3 = 1 << 1,
   TLS1 = 1 << 2,
   SSL_VERSION_MASKS = 1 << 3  // The number of SSL version bitmasks.
 };
@@ skipping 647 matching lines @@
   // Eventually, we should cache the cert verification results so that we don't
   // need to call verifier_.Verify repeatedly. But for now we need to do this.
   // Alternatively, we might be able to store the cert's status along with
   // the cert in the allowed_bad_certs_ set.
   if (IsCertificateError(result) &&
       ssl_config_.allowed_bad_certs_.count(server_cert_))
     result = OK;
 
   LogConnectionTypeMetrics();
   if (renegotiating_) {
-    // A rehandshake, started in the middle of a Read, has completed.
-    renegotiating_ = false;
-    // Pick up where we left off.  Go back to reading data.
-    if (result == OK)
-      SetNextStateForRead();
+    DidCompleteRenegotiation(result);
   } else {
     // The initial handshake, kicked off by a Connect, has completed.
     completed_handshake_ = true;
     // Exit DoLoop and return the result to the caller of Connect.
     DCHECK(next_state_ == STATE_NONE);
   }
   return result;
 }
 
 int SSLClientSocketWin::DoPayloadRead() {
@@ skipping 246 matching lines @@
     return MapSecurityError(status);
   }
   DCHECK(!server_cert_ || renegotiating_);
   PCCERT_CONTEXT server_cert_handle = NULL;
   status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_handle);
   if (status != SEC_E_OK) {
     DLOG(ERROR) << "QueryContextAttributes failed: " << status;
     return MapSecurityError(status);
   }
-  server_cert_ = X509Certificate::CreateFromHandle(
-      server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
+  if (renegotiating_ &&
+      SameCert(server_cert_->os_cert_handle(), server_cert_handle)) {
+    // We already verified the server certificate.  Either it is good or the
+    // user has accepted the certificate error.
+    CertFreeCertificateContext(server_cert_handle);
+    DidCompleteRenegotiation(OK);
+  } else {
+    server_cert_ = X509Certificate::CreateFromHandle(
+        server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
 
-  next_state_ = STATE_VERIFY_CERT;
+    next_state_ = STATE_VERIFY_CERT;
+  }
   return OK;
 }
 
+// Called when a renegotiation is completed.  |result| is the verification
+// result of the server certificate received during renegotiation.
+void SSLClientSocketWin::DidCompleteRenegotiation(int result) {
+  // A rehandshake, started in the middle of a Read, has completed.
+  renegotiating_ = false;
+  // Pick up where we left off.  Go back to reading data.
+  if (result == OK)
+    SetNextStateForRead();
+}
+
 void SSLClientSocketWin::LogConnectionTypeMetrics() const {
   UpdateConnectionTypeHistograms(CONNECTION_SSL);
   if (server_cert_verify_result_.has_md5)
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5);
   if (server_cert_verify_result_.has_md2)
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2);
   if (server_cert_verify_result_.has_md4)
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4);
   if (server_cert_verify_result_.has_md5_ca)
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5_CA);
@@ skipping 10 matching lines @@
   }
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net