Index: net/ssl/ssl_server_config.h |
diff --git a/net/ssl/ssl_server_config.h b/net/ssl/ssl_server_config.h |
index 6e712fb88c2719e12f0cb5eef8a9b9f0cc1058a2..dd5e1abc2b7453be64e9e42eacac7aa540887833 100644 |
--- a/net/ssl/ssl_server_config.h |
+++ b/net/ssl/ssl_server_config.h |
@@ -14,6 +14,8 @@ |
namespace net { |
+class ClientCertVerifier; |
+ |
// A collection of server-side SSL-related configuration settings. |
struct NET_EXPORT SSLServerConfig { |
// Defaults |
@@ -56,6 +58,29 @@ struct NET_EXPORT SSLServerConfig { |
// Requires a client certificate for client authentication from the client. |
// This doesn't currently enforce certificate validity. |
bool require_client_cert; |
+ |
+ // Provides the list of certificates whose names are to be included in the |
+ // CertificateRequest handshake message. This member is only useful if |
+ // certificates are allowed. |
+ CertificateList client_cert_ca_list; |
+ |
+ // Indicates that a client certificate is required, and provides the |
+ // CertificateVerifier that is to be used to verify it during the handshake. |
+ // The |client_cert_verifier| continues to be owned by the caller, |
+ // and must exist at least until the handshake has completed. |
+ // This field is meaningful only if client certificates are required. |
+ // NOTES: |
+ // 1. If no CertificateVerifier is provided, then a client certificate may |
+ // still be allowed (if ssl_server_config.send_client_cert is true), |
+ // but in that case verification must be done after the handshake |
+ // has completed, by which time the session will have been cached, |
+ // and may be subject to resumption. |
+ // 2. OpenSSL expects the certificate verification callback to complete |
+ // synchronously. |
+ // 3. For verifying a client certificate, the CertVerifier::Verify method |
+ // will be called with input parameters as follows: |
+ // - cert: the cert to be verified |
+ ClientCertVerifier* client_cert_verifier; |
}; |
} // namespace net |