Support for server session cache.

net/socket/ssl_server_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This test suite uses SSLClientSocket to test the implementation of
 // SSLServerSocket. In order to establish connections between the sockets
 // we need two additional classes:
 // 1. FakeSocket
 //    Connects SSL socket to FakeDataChannel. This class is just a stub.
 //
@@ skipping 55 matching lines @@
 namespace net {
 
 namespace {
 
 const char kClientCertFileName[] = "client_1.pem";
 const char kClientPrivateKeyFileName[] = "client_1.pk8";
 const char kWrongClientCertFileName[] = "client_2.pem";
 const char kWrongClientPrivateKeyFileName[] = "client_2.pk8";
 const char kClientCertCAFileName[] = "client_1_ca.pem";
 
-class FakeDataChannel {
+class FakeDataChannel : public base::RefCountedThreadSafe<FakeDataChannel> {

[davidben, 2016/01/22 23:57:48]

Reference-counted mutable classes are usually an indication or confused
ownership. Why is this ref-counted?

[ryanchung, 2016/01/29 23:28:16]

Done. Changed it back.
These were used by both the server and client sockets while the unittest class
was the owner. I originally changed it to ref-count so the unittest class didn't
have to own it and so I can create as many of these sockets as I needed. 

Since I only needed 2 of each sockets, I'll just have the unittest make 4
FakeDataChannels.

  public:
   FakeDataChannel()
       : read_buf_len_(0),
         closed_(false),
         write_called_after_close_(false),
         weak_factory_(this) {
   }
 
   int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) {
     DCHECK(read_callback_.is_null());
@@ skipping 40 matching lines @@
     data_.push(
         new DrainableIOBuffer(new StringIOBuffer(std::string("0", 1)), 1));
     if (!read_callback_.is_null()) {
       base::ThreadTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::Bind(&FakeDataChannel::DoReadCallback,
                                 weak_factory_.GetWeakPtr()));
     }
   }
 
  private:
+  ~FakeDataChannel() {}
+  friend class base::RefCountedThreadSafe<FakeDataChannel>;
+
   void DoReadCallback() {
     if (read_callback_.is_null() || data_.empty())
       return;
     int copied = PropagateData(read_buf_, read_buf_len_);
     CompletionCallback callback = read_callback_;
     read_callback_.Reset();
     read_buf_ = NULL;
     read_buf_len_ = 0;
     callback.Run(copied);
   }
@@ skipping 34 matching lines @@
   // asynchronously.
   bool write_called_after_close_;
 
   base::WeakPtrFactory<FakeDataChannel> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(FakeDataChannel);
 };
 
 class FakeSocket : public StreamSocket {
  public:
-  FakeSocket(FakeDataChannel* incoming_channel,
-             FakeDataChannel* outgoing_channel)
-      : incoming_(incoming_channel),
-        outgoing_(outgoing_channel) {
+  FakeSocket(const scoped_refptr<FakeDataChannel>& incoming_channel,
+             const scoped_refptr<FakeDataChannel>& outgoing_channel) {
+    incoming_ = incoming_channel;
+    outgoing_ = outgoing_channel;
   }
 
   ~FakeSocket() override {}
 
   int Read(IOBuffer* buf,
            int buf_len,
            const CompletionCallback& callback) override {
     // Read random number of bytes.
     buf_len = rand() % buf_len + 1;
     return incoming_->Read(buf, buf_len, callback);
@@ skipping 57 matching lines @@
 
   void AddConnectionAttempts(const ConnectionAttempts& attempts) override {}
 
   int64_t GetTotalReceivedBytes() const override {
     NOTIMPLEMENTED();
     return 0;
   }
 
  private:
   BoundNetLog net_log_;
-  FakeDataChannel* incoming_;
-  FakeDataChannel* outgoing_;
+  scoped_refptr<FakeDataChannel> incoming_;
+  scoped_refptr<FakeDataChannel> outgoing_;
 
   DISALLOW_COPY_AND_ASSIGN(FakeSocket);
 };
 
 class TestSSLPrivateKey : public SSLPrivateKey {
  public:
   TestSSLPrivateKey(crypto::RSAPrivateKey* rsa_private_key)
       : rsa_private_key_(rsa_private_key) {}
 
   Type GetType() override { return SSLPrivateKey::Type::RSA; }
@@ skipping 47 matching lines @@
   scoped_ptr<crypto::RSAPrivateKey> rsa_private_key_;
 
   DISALLOW_COPY_AND_ASSIGN(TestSSLPrivateKey);
 };
 
 }  // namespace
 
 // Verify the correctness of the test helper classes first.
 TEST(FakeSocketTest, DataTransfer) {
   // Establish channels between two sockets.
-  FakeDataChannel channel_1;
-  FakeDataChannel channel_2;
-  FakeSocket client(&channel_1, &channel_2);
-  FakeSocket server(&channel_2, &channel_1);
+  scoped_refptr<FakeDataChannel> channel_1(new FakeDataChannel());
+  scoped_refptr<FakeDataChannel> channel_2(new FakeDataChannel());
+  FakeSocket client(channel_1, channel_2);
+  FakeSocket server(channel_2, channel_1);
 
   const char kTestData[] = "testing123";
   const int kTestDataSize = strlen(kTestData);
   const int kReadBufSize = 1024;
   scoped_refptr<IOBuffer> write_buf = new StringIOBuffer(kTestData);
   scoped_refptr<IOBuffer> read_buf = new IOBuffer(kReadBufSize);
 
   // Write then read.
   int written =
       server.Write(write_buf.get(), kTestDataSize, CompletionCallback());
@@ skipping 19 matching lines @@
   EXPECT_LE(read, written);
   EXPECT_EQ(0, memcmp(kTestData, read_buf->data(), read));
 }
 
 class SSLServerSocketTest : public PlatformTest {
  public:
   SSLServerSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
         cert_verifier_(new MockCertVerifier()),
         client_cert_verifier_(new MockClientCertVerifier()),
-        transport_security_state_(new TransportSecurityState) {
+        transport_security_state_(new TransportSecurityState),
+        initialized_(false) {
     cert_verifier_->set_default_result(ERR_CERT_AUTHORITY_INVALID);
     client_cert_verifier_->set_default_result(ERR_CERT_AUTHORITY_INVALID);
   }
 
  protected:
-  void Initialize() {
+  void Initialize(bool reinitialize_server_context = false) {

[davidben, 2016/01/22 23:57:48]

Style: no default arguments.

[ryanchung, 2016/01/29 23:28:16]

Done.

+    scoped_refptr<FakeDataChannel> channel_1_ = new FakeDataChannel();
+    scoped_refptr<FakeDataChannel> channel_2_ = new FakeDataChannel();
     scoped_ptr<ClientSocketHandle> client_connection(new ClientSocketHandle);
     client_connection->SetSocket(
-        scoped_ptr<StreamSocket>(new FakeSocket(&channel_1_, &channel_2_)));
+        scoped_ptr<StreamSocket>(new FakeSocket(channel_1_, channel_2_)));
     scoped_ptr<StreamSocket> server_socket(
-        new FakeSocket(&channel_2_, &channel_1_));
+        new FakeSocket(channel_2_, channel_1_));
 
     std::string server_cert_der;
-    scoped_refptr<X509Certificate> server_cert(
-        ReadTestCert("unittest.selfsigned.der", &server_cert_der));
-    scoped_ptr<crypto::RSAPrivateKey> server_private_key(
-        ReadTestKey("unittest.key.bin"));
+    if (!initialized_ || reinitialize_server_context) {
+      scoped_refptr<X509Certificate> server_cert(
+          ReadTestCert("unittest.selfsigned.der", &server_cert_der));
+      scoped_ptr<crypto::RSAPrivateKey> server_private_key(
+          ReadTestKey("unittest.key.bin"));
+      server_context_ = CreateSSLServerSocketContext(
+          server_cert.get(), *server_private_key, server_ssl_config_);
+    }
 
-    client_ssl_config_.false_start_enabled = false;
-    client_ssl_config_.channel_id_enabled = false;
+    if (!initialized_) {
+      client_ssl_config_.false_start_enabled = false;
+      client_ssl_config_.channel_id_enabled = false;
 
-    // Certificate provided by the host doesn't need authority.
-    SSLConfig::CertAndStatus cert_and_status;
-    cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
-    cert_and_status.der_cert = server_cert_der;
-    client_ssl_config_.allowed_bad_certs.push_back(cert_and_status);
+      // Certificate provided by the host doesn't need authority.
+      SSLConfig::CertAndStatus cert_and_status;
+      cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
+      cert_and_status.der_cert = server_cert_der;
+      client_ssl_config_.allowed_bad_certs.push_back(cert_and_status);
+
+      socket_factory_->ClearSSLSessionCache();
+    }
 
     HostPortPair host_and_pair("unittest", 0);
     SSLClientSocketContext context;
     context.cert_verifier = cert_verifier_.get();
     context.transport_security_state = transport_security_state_.get();
-    socket_factory_->ClearSSLSessionCache();
     client_socket_ = socket_factory_->CreateSSLClientSocket(
         std::move(client_connection), host_and_pair, client_ssl_config_,
         context);
+
     server_socket_ =
-        CreateSSLServerSocket(std::move(server_socket), server_cert.get(),
-                              *server_private_key, server_ssl_config_);
+        server_context_->CreateSSLServerSocket(std::move(server_socket));
+    initialized_ = true;
   }
 
   void ConfigureClientCertsForClient(const char* cert_file_name,
                                      const char* private_key_file_name) {
     scoped_refptr<X509Certificate> cert;
     scoped_refptr<net::SSLPrivateKey> key;
     if (cert_file_name && private_key_file_name) {
       cert = ImportCertFromFile(GetTestCertsDirectory(), cert_file_name);
       key = new TestSSLPrivateKey(ReadTestKey(private_key_file_name));
     }
@@ skipping 48 matching lines @@
     std::string key_string;
     if (!base::ReadFileToString(key_path, &key_string))
       return NULL;
     std::vector<uint8_t> key_vector(
         reinterpret_cast<const uint8_t*>(key_string.data()),
         reinterpret_cast<const uint8_t*>(key_string.data() +
                                          key_string.length()));
     return crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector);
   }
 
-  FakeDataChannel channel_1_;
-  FakeDataChannel channel_2_;
   SSLConfig client_ssl_config_;
   SSLServerConfig server_ssl_config_;
   scoped_ptr<SSLClientSocket> client_socket_;
   scoped_ptr<SSLServerSocket> server_socket_;
   ClientSocketFactory* socket_factory_;
   scoped_ptr<MockCertVerifier> cert_verifier_;
   scoped_ptr<MockClientCertVerifier> client_cert_verifier_;
   scoped_ptr<TransportSecurityState> transport_security_state_;
+  scoped_ptr<SSLServerSocketContext> server_context_;
   CertificateList trusted_certs_;
+  bool initialized_;
 };
 
 // This test only executes creation of client and server sockets. This is to
 // test that creation of sockets doesn't crash and have minimal code to run
 // under valgrind in order to help debugging memory problems.
 TEST_F(SSLServerSocketTest, Initialize) {
   Initialize();
 }
 
 // This test executes Connect() on SSLClientSocket and Handshake() on
@@ skipping 27 matching lines @@
       SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
   const char* key_exchange;
   const char* cipher;
   const char* mac;
   bool is_aead;
   SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, cipher_suite);
   EXPECT_STREQ("ECDHE_RSA", key_exchange);
   EXPECT_TRUE(is_aead);
 }
 
+// This tests makes sure the session cache is working
+TEST_F(SSLServerSocketTest, HandshakeCached) {
+  Initialize();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+  ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);

[davidben, 2016/01/22 23:57:48]

I wouldn't bother with assertions like this one. The GetResult assertion will
cover everything.

[ryanchung, 2016/01/29 23:28:16]

Done.

+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+  ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+
+  // Make sure the second connection is cached
+  Initialize();
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+  ASSERT_TRUE(server_ret2 == OK || server_ret2 == ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+  ASSERT_TRUE(client_ret2 == OK || client_ret2 == ERR_IO_PENDING);
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info2));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  EXPECT_EQ(ssl_info2.handshake_type, SSLInfo::HANDSHAKE_RESUME);
+}
+
+// This tests makes sure the session cache separates out by server context
+TEST_F(SSLServerSocketTest, HandshakeCachedContextSwitch) {
+  Initialize();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+  ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+  ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+
+  // Make sure the second connection is NOT cached when using a new context.
+  Initialize(true);
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+  ASSERT_TRUE(server_ret2 == OK || server_ret2 == ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+  ASSERT_TRUE(client_ret2 == OK || client_ret2 == ERR_IO_PENDING);
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info2));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+}
+
 // NSS ports don't support client certificates
 #if defined(USE_OPENSSL)
 
 // This test executes Connect() on SSLClientSocket and Handshake() on
 // SSLServerSocket to make sure handshaking between the two sockets is
 // completed successfully, using client certificate.
 TEST_F(SSLServerSocketTest, HandshakeWithClientCert) {
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   ConfigureClientCertsForClient(kClientCertFileName, kClientPrivateKeyFileName);
@@ skipping 16 matching lines @@
 
   // Make sure the cert status is expected.
   SSLInfo ssl_info;
   client_socket_->GetSSLInfo(&ssl_info);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
   server_socket_->GetSSLInfo(&ssl_info);
   EXPECT_TRUE(ssl_info.cert.get());
   EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get()));
 }
 
+// This test executes Connect() on SSLClientSocket and Handshake() twice on
+// SSLServerSocket to make sure handshaking between the two sockets is
+// completed successfully, using client certificate. The second connection is
+// expected to succeed through the session cache.
+TEST_F(SSLServerSocketTest, HandshakeWithClientCertCached) {
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  ConfigureClientCertsForClient(kClientCertFileName, kClientPrivateKeyFileName);
+  ConfigureClientCertsForServer(true);
+  Initialize();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+  ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+  ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  client_socket_->GetSSLInfo(&ssl_info);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
+  server_socket_->GetSSLInfo(&ssl_info);
+  EXPECT_TRUE(ssl_info.cert.get());
+  EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get()));
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+  server_socket_->Disconnect();
+  client_socket_->Disconnect();
+
+  // Create the connection again
+  Initialize();
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+  ASSERT_TRUE(server_ret2 == OK || server_ret2 == ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+  ASSERT_TRUE(client_ret2 == OK || client_ret2 == ERR_IO_PENDING);
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  client_socket_->GetSSLInfo(&ssl_info2);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  server_socket_->GetSSLInfo(&ssl_info2);
+  EXPECT_TRUE(ssl_info2.cert.get());
+  EXPECT_TRUE(client_cert->Equals(ssl_info2.cert.get()));
+  EXPECT_EQ(ssl_info2.handshake_type, SSLInfo::HANDSHAKE_RESUME);
+}
+
 TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSupplied) {
   ConfigureClientCertsForServer(true);
   Initialize();
   // Use the default setting for the client socket, which is to not send
   // a client certificate. This will cause the client to receive an
   // ERR_SSL_CLIENT_AUTH_CERT_NEEDED error, and allow for inspecting the
   // requested cert_authorities from the CertificateRequest sent by the
   // server.
 
   TestCompletionCallback handshake_callback;
@@ skipping 12 matching lines @@
   // handshake message is as expected.
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities));
 
   client_socket_->Disconnect();
 
   EXPECT_EQ(ERR_FAILED, handshake_callback.GetResult(server_ret));
 }
 
+TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSuppliedCached) {
+  ConfigureClientCertsForServer(true);
+  Initialize();
+  // Use the default setting for the client socket, which is to not send
+  // a client certificate. This will cause the client to receive an
+  // ERR_SSL_CLIENT_AUTH_CERT_NEEDED error, and allow for inspecting the
+  // requested cert_authorities from the CertificateRequest sent by the
+  // server.
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+  ASSERT_EQ(server_ret, ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback;
+  EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED,
+            connect_callback.GetResult(
+                client_socket_->Connect(connect_callback.callback())));
+
+  scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
+  client_socket_->GetSSLCertRequestInfo(request_info.get());
+
+  // Check that the authority name that arrived in the CertificateRequest
+  // handshake message is as expected.
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities));
+
+  client_socket_->Disconnect();
+
+  EXPECT_EQ(ERR_FAILED, handshake_callback.GetResult(server_ret));
+  server_socket_->Disconnect();
+
+  // Below, check that the cache didn't store the result of a failed handshake
+  Initialize();
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+  ASSERT_EQ(server_ret2, ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback2;
+  EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED,
+            connect_callback2.GetResult(
+                client_socket_->Connect(connect_callback2.callback())));
+
+  scoped_refptr<SSLCertRequestInfo> request_info2 = new SSLCertRequestInfo();
+  client_socket_->GetSSLCertRequestInfo(request_info2.get());
+
+  // Check that the authority name that arrived in the CertificateRequest
+  // handshake message is as expected.
+  EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info2->cert_authorities));
+
+  client_socket_->Disconnect();
+
+  EXPECT_EQ(ERR_FAILED, handshake_callback2.GetResult(server_ret2));
+}
+
 TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSupplied) {
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   ConfigureClientCertsForClient(kWrongClientCertFileName,
                                 kWrongClientPrivateKeyFileName);
   ConfigureClientCertsForServer(true);
   Initialize();
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
   EXPECT_EQ(server_ret, ERR_IO_PENDING);
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
 
   EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
             connect_callback.GetResult(client_ret));
   EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
             handshake_callback.GetResult(server_ret));
 }
+
+TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSuppliedCached) {
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  ConfigureClientCertsForClient(kWrongClientCertFileName,
+                                kWrongClientPrivateKeyFileName);
+  ConfigureClientCertsForServer(true);
+  Initialize();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+  EXPECT_EQ(server_ret, ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            connect_callback.GetResult(client_ret));
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            handshake_callback.GetResult(server_ret));
+
+  client_socket_->Disconnect();
+  server_socket_->Disconnect();
+
+  // Below, check that the cache didn't store the result of a failed handshake
+  Initialize();
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+  EXPECT_EQ(server_ret, ERR_IO_PENDING);
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            connect_callback2.GetResult(client_ret2));
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            handshake_callback2.GetResult(server_ret2));
+}
 #endif  // defined(USE_OPENSSL)
 
 TEST_F(SSLServerSocketTest, DataTransfer) {
   Initialize();
 
   // Establish connection.
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
   ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
 
@@ skipping 196 matching lines @@
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   client_ret = connect_callback.GetResult(client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
 
   ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, client_ret);
   ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, server_ret);
 }
 
 }  // namespace net