Support for client certs in ssl_server_socket.

net/ssl/ssl_server_config.h

Index: net/ssl/ssl_server_config.h
diff --git a/net/ssl/ssl_server_config.h b/net/ssl/ssl_server_config.h
index 6e712fb88c2719e12f0cb5eef8a9b9f0cc1058a2..dd5e1abc2b7453be64e9e42eacac7aa540887833 100644
--- a/net/ssl/ssl_server_config.h
+++ b/net/ssl/ssl_server_config.h
@@ -14,6 +14,8 @@
 
 namespace net {
 
+class ClientCertVerifier;
+
 // A collection of server-side SSL-related configuration settings.
 struct NET_EXPORT SSLServerConfig {
   // Defaults
@@ -56,6 +58,29 @@ struct NET_EXPORT SSLServerConfig {
   // Requires a client certificate for client authentication from the client.
   // This doesn't currently enforce certificate validity.
   bool require_client_cert;
+
+  // Provides the list of certificates whose names are to be included in the
+  // CertificateRequest handshake message. This member is only useful if
+  // certificates are allowed.
+  CertificateList client_cert_ca_list;
+
+  // Indicates that a client certificate is required, and provides the
+  // CertificateVerifier that is to be used to verify it during the handshake.
+  // The |client_cert_verifier| continues to be owned by the caller,
+  // and must exist at least until the handshake has completed.
+  // This field is meaningful only if client certificates are required.
+  // NOTES:
+  // 1. If no CertificateVerifier is provided, then a client certificate may
+  // still be allowed (if ssl_server_config.send_client_cert is true),
+  // but in that case verification must be done after the handshake
+  // has completed, by which time the session will have been cached,
+  // and may be subject to resumption.
+  // 2. OpenSSL expects the certificate verification callback to complete
+  // synchronously.
+  // 3. For verifying a client certificate, the CertVerifier::Verify method
+  // will be called with input parameters as follows:
+  //    - cert: the cert to be verified
+  ClientCertVerifier* client_cert_verifier;
 };
 
 }  // namespace net