Ignore certificate transparency by default.

Ignore certificate transparency by default.

Current behavior is to remove the EV flag if the ct enforcer is not
set by the embedder. This somewhat unexpectedly removes EV for all
servers, if the embedder has not taken explicit actions to turn
on CT.

CT should either be ignored when policy enforcer is not present,
or there should be asserts warning about the missing EV-white
list. This patch chooses the first option as CT is not yet a
security requirement, and I don't think it's correct to demand
CT support quite yet.

Note that this change has no effect on Chrome's default behavior.

BUG=NONE

Committed: https://crrev.com/2553ff05b802a94ef281e647874d37941eefd154
Cr-Commit-Position: refs/heads/master@{#336539}

[haavardm, 2015-06-26 13:23:46]

haavardm@opera.com changed reviewers:
+ rsleevi@chromium.org

[haavardm, 2015-06-26 13:24:06]

haavardm@opera.com changed reviewers:
+ eroman@chromium.org

[haavardm, 2015-06-26 13:32:20]

haavardm@opera.com changed reviewers:
+ eranm@chromium.org
- eroman@chromium.org

[haavardm, 2015-06-26 13:33:20]

Ryan: here's the patch I mentioned, please review.
Eran: FYI

The reason we weren't hit by this until now is that we actually did set the CT
policy enforcer (without the setting whitelist). That was done by our
integrators without quite realizing what they did. However, until recently there
was a boolean flag that turned CT off by default. When this boolean was removed
EV got turned off for all certs without SCT. We will turn of CT eventually but
we're not there quite yet.

[Ryan Sleevi, 2015-06-26 14:16:17]

LGTM.

https://codereview.chromium.org/1211423002/diff/20001/net/socket/ssl_client_s...
File net/socket/ssl_client_socket_nss.cc (right):

https://codereview.chromium.org/1211423002/diff/20001/net/socket/ssl_client_s...
net/socket/ssl_client_socket_nss.cc:3131: if
(server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
Can consolidate to one conditional

https://codereview.chromium.org/1211423002/diff/20001/net/socket/ssl_client_s...
File net/socket/ssl_client_socket_openssl.cc (right):

https://codereview.chromium.org/1211423002/diff/20001/net/socket/ssl_client_s...
net/socket/ssl_client_socket_openssl.cc:1226: if
(server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
Ditto consolidation

[haavardm, 2015-06-29 08:15:37]

The CQ bit was checked by haavardm@opera.com

[haavardm, 2015-06-29 08:15:38]

The patchset sent to the CQ was uploaded after l-g-t-m from rsleevi@chromium.org
Link to the patchset: https://codereview.chromium.org/1211423002/#ps30001
(title: "Consolidate conditionals")

[commit-bot: I haz the power, 2015-06-29 08:15:42]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1211423002/30001

[haavardm, 2015-06-29 09:13:12]

The CQ bit was unchecked by haavardm@opera.com

[haavardm, 2015-06-29 09:24:31]

The CQ bit was checked by haavardm@opera.com

[commit-bot: I haz the power, 2015-06-29 09:24:44]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1211423002/30001

[commit-bot: I haz the power, 2015-06-29 09:27:54]

Committed patchset #3 (id:30001)

[commit-bot: I haz the power, 2015-06-29 09:28:53]

Patchset 3 (id:??) landed as
https://crrev.com/2553ff05b802a94ef281e647874d37941eefd154
Cr-Commit-Position: refs/heads/master@{#336539}