Chromium Code Reviews

Issue 276037: Provides a certificate for SSL client authentication on NSS sockets.... (Closed)

Created:
4 years, 6 months ago by wtc
Modified:
2 years, 11 months ago
Reviewers:
Jaime Soriano
CC:
chromium-reviews_googlegroups.com, brettw+cc_chromium.org, darin, jam, ben+cc_chromium.org
Visibility:
Public.

Description

Provides a certificate for SSL client authentication on NSS sockets.
GUI is still missing, so certificates and private keys have to be
stored manually, e.g.:
$ pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
Adds --auto-ssl-client-auth command-line option to enable this feature.

Patch contributed by Jaime Soriano <jsorianopastor@gmail.com>.
Original review URL: http://codereview.chromium.org/220009

R=wtc
BUG=16830
TEST=Try to connect to a web page that requires SSL authentication and
confirm that it connects if and only if a valid certificate is stored in
the ~/.pki/nssdb database.

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=29188
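The TEST line above assumes a valid client certificate is already in the NSS database. The following is an added helper script, not part of the Chromium patch, that checks this precondition: it parses `certutil -L` output and reports the nicknames whose trust flags contain `u`, which NSS uses to mark a certificate for which the user holds the private key (the only kind usable for client authentication). The database path and the sample listing are assumptions/constructed data.

```shell
#!/bin/sh
# Added example (not from the Chromium change): list NSS user certificates,
# i.e. entries usable for SSL client authentication, in the nssdb that
# --auto-ssl-client-auth reads. Assumed default path, same as the pk12util
# command in the description.
NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"

# $1: text output of `certutil -L`. Prints one nickname per user certificate.
# certutil prints two header lines, a blank line, then "<nickname> <flags>",
# where flags are three comma-separated groups (SSL, S/MIME, JAR/XPI).
# A 'u' in any group means a private key is present for that cert.
user_cert_nicknames() {
  printf '%s\n' "$1" | awk '
    NR <= 2 { next }                       # skip the two header lines
    NF >= 2 {
      flags = $NF
      if (flags ~ /^[^,]*,[^,]*,[^,]*$/ && flags ~ /u/) {
        sub(/[ \t]+[^ \t]+$/, "")          # drop the flags column, keep spacing
        print
      }
    }'
}

# Run against the live database (requires the NSS tools to be installed).
check_live_db() {
  user_cert_nicknames "$(certutil -d "$NSSDB" -L)"
}

# Constructed sample of `certutil -L` output for offline demonstration:
# one user cert (importable via pk12util), one CA and one server cert.
SAMPLE_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Client ID                                            u,u,u
Example Root CA                                              CT,C,C
Example Server Cert                                          P,,'

# Expected: only "Example Client ID" qualifies for client auth.
user_cert_nicknames "$SAMPLE_OUTPUT"
```

Run `check_live_db` instead of the sample to verify the real `~/.pki/nssdb`; an empty result means the handshake described in the TEST line cannot present a client certificate.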

Patch Set 1

Patch Set 2 : Fix the copying of CERTDistNames

Patch Set 3 : Use SSL_InvalidateSession. Declare variables at first use.

Patch Set 4 : Support renegotiation. Some more cleanup.

Patch Set 5 : Add Jaime to the AUTHORS file

Patch Set 6 : Remove extern from chrome_switches.cc

Files changed (stats: +154 lines, -3 lines):
M AUTHORS (1 chunk, +1 line, -0 lines)
M chrome/browser/renderer_host/resource_dispatcher_host.cc (2 chunks, +9 lines, -0 lines)
M chrome/common/chrome_switches.h (1 chunk, +4 lines, -0 lines)
M chrome/common/chrome_switches.cc (1 chunk, +10 lines, -0 lines)
M net/socket/ssl_client_socket_nss.h (3 chunks, +13 lines, -0 lines)
M net/socket/ssl_client_socket_nss.cc (10 chunks, +117 lines, -3 lines)

Messages

Total messages: 4
wtc
Jaime, Patch Set 1 is your latest patch, merged with the current tip of the ...
4 years, 6 months ago #1
wtc
Jaime, I fixed the copying of CERTDistNames. You can look at the delta between Patch ...
4 years, 6 months ago #2
Jaime Soriano
On 2009/10/15 17:36:20, wtc wrote: > Jaime, > > I fixed the copying of CERTDistNames. ...
4 years, 6 months ago #3
wtc
4 years, 6 months ago #4
On 2009/10/15 18:27:26, Jaime Soriano wrote:
>
> I don't like the manual copy either. Are you going to check this in, or should we
> wait and do it as I did in my third patch set?
> Should I create a new issue for these changes?

In the interest of time, I've checked in your current patch
after cleaning it up.  Please create a new issue to go back
to the original method of constructing the client_certs_
vector in ClientAuthHandler.

Note: I will be out of town next Monday to Wednesday
(19-21 October).

Re: SSL_ReHandshake: I figured out why you needed to call
it.  We can accomplish that better by using SSL_InvalidateSession.
I added a comment before the SSL_InvalidateSession call to
explain why it's necessary.

> > I also found that your code doesn't work with sites
> > that require SSL client authentication.  I should be able
> > to fix that.
> > 
> I use it daily to access the private web sites of the company where I work
> without any problem... In which cases doesn't it work?

Some sites request but don't require SSL client auth.  If you
don't send a client cert, the SSL handshake will still succeed,
but the server won't allow you to access the resource that
requires client authentication.

If a site requires SSL client auth and you don't send a client
cert, the server will send an SSL "alert" message such as
"handshake_failure" and fail the handshake.  When this happens,
SSL_ForceHandshake fails with the
SSL_ERROR_HANDSHAKE_FAILURE_ALERT error code.

Since your original code is used only when SSL_ForceHandshake
succeeds, it doesn't handle the SSL_ForceHandshake failure case.