Chromium Code Reviews

Issue 276037: Provides a certificate for SSL client authentication on NSS sockets.... (Closed)

7 years ago by wtc
5 years, 5 months ago
Jaime Soriano
CC: darin (slow to review), jam


Provides a certificate for SSL client authentication on NSS sockets.

GUI is still missing, so certificates and private keys have to be stored manually, e.g.:

$ pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

Adds --auto-ssl-client-auth command-line option to enable this feature.

Patch contributed by Jaime Soriano <>.

Original review URL:

R=wtc
BUG=16830
TEST=Try to connect to a web page that requires SSL authentication and confirm that it connects if and only if a valid certificate is stored in the ~/.pki/nssdb database.

Committed:

Patch Set 1 #

Patch Set 2 : Fix the copying of CERTDistNames #

Patch Set 3 : Use SSL_InvalidateSession. Declare variables at first use. #

Patch Set 4 : Support renegotiation. Some more cleanup. #

Patch Set 5 : Add Jaime to the AUTHORS file #

Patch Set 6 : Remove extern from #

Unified diffs Side-by-side diffs Delta from patch set Stats (+154 lines, -3 lines) Patch
M AUTHORS View 5 1 chunk +1 line, -0 lines 0 comments Download
M chrome/browser/renderer_host/ View 2 chunks +9 lines, -0 lines 0 comments Download
M chrome/common/chrome_switches.h View 1 chunk +4 lines, -0 lines 0 comments Download
M chrome/common/ View 1 2 3 4 5 1 chunk +10 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_nss.h View 1 2 3 3 chunks +13 lines, -0 lines 0 comments Download
M net/socket/ View 1 2 3 10 chunks +117 lines, -3 lines 0 comments Download


Total messages: 4 (0 generated)
Jaime, Patch Set 1 is your latest patch, merged with the current tip of the ...
7 years ago (2009-10-15 02:30:37 UTC) #1
Jaime, I fixed the copying of CERTDistNames. You can look at the delta between Patch ...
7 years ago (2009-10-15 17:36:20 UTC) #2
Jaime Soriano
On 2009/10/15 17:36:20, wtc wrote: > Jaime, > > I fixed the copying of CERTDistNames. ...
7 years ago (2009-10-15 18:27:26 UTC) #3
7 years ago (2009-10-15 21:57:14 UTC) #4
On 2009/10/15 18:27:26, Jaime Soriano wrote:
> I don't like the manual copy either. Are you going to check this in, or should we
> wait and do it as I did in my third patch set?
> Should I create a new issue for these changes?

In the interest of time, I've checked in your current patch
after cleaning it up.  Please create a new issue to go back
to the original method of constructing the client_certs_
vector in ClientAuthHandler.

Note: I will be out of town next Monday to Wednesday
(19-21 October).

Re: SSL_ReHandshake: I figured out why you needed to call
it.  We can accomplish that better by using SSL_InvalidateSession.
I added a comment before the SSL_InvalidateSession call to
explain why it's necessary.

> > I also found that your code doesn't work with sites
> > that require SSL client authentication.  I should be able
> > to fix that.
> > 
> I use it daily to access the private web sites of the company where I work
> without any problem... In which cases doesn't it work?

Some sites request but don't require SSL client auth.  If you
don't send a client cert, the SSL handshake will still succeed,
but the server won't allow you to access the resource that
requires client authentication.

If a site requires SSL client auth and you don't send a client
cert, the server will send an SSL "alert" message such as
"handshake_failure" and fail the handshake.  When this happens,
SSL_ForceHandshake fails with the

Since your original code is used only when SSL_ForceHandshake
succeeds, it doesn't handle the SSL_ForceHandshake failure case.
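The request-versus-require distinction wtc describes above, shown as an added example in Go's crypto/tls rather than NSS (this is not code from the review or from Chromium): a local server is configured to either request or require a client certificate, and a client that offers none connects to it. The function and helper names, the in-memory self-signed certificate and the TLS 1.2 pin are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// throwawayServerCert builds a self-signed server certificate in memory. It is
// constructed for this example only and is not a real deployment certificate.
func throwawayServerCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// HandshakeWithoutClientCert performs one TLS 1.2 handshake against a local server using
// the given client-auth policy, from a client that offers no certificate. It reports whether
// the client handshake succeeded and how many peer certs the server saw (-1: server failed).
func HandshakeWithoutClientCert(policy tls.ClientAuthType) (ok bool, peerCerts int) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{throwawayServerCert()}, ClientAuth: policy})
	if err != nil { panic(err) }
	defer ln.Close()
	seen := make(chan int, 1)
	go func() { // server side: accept one connection and complete its handshake
		c, err := ln.Accept()
		if err != nil { seen <- -1; return }
		defer c.Close()
		// With RequireAnyClientCert this fails: "tls: client didn't provide a certificate".
		if err := c.(*tls.Conn).Handshake(); err != nil { seen <- -1; return }
		seen <- len(c.(*tls.Conn).ConnectionState().PeerCertificates)
	}()
	// TLS 1.2 is pinned so the server's verdict on the missing certificate reaches the
	// client as an alert inside the handshake (under TLS 1.3 it would surface only on
	// the first read). InsecureSkipVerify is used only because the cert is self-signed.
	cli, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12})
	if err != nil { return false, <-seen } // aborted by alert, e.g. "remote error: tls: bad certificate"
	cli.Close()
	return true, <-seen
}
```

In NSS terms, the require case is the one where SSL_ForceHandshake fails after the server's alert, while the request-only case is the one where the handshake succeeds but the server later refuses the protected resource.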
