Chromium Code Reviews
Help | Chromium Project | Sign in
(60)

Issue 276037: Provides a certificate for SSL client authentication on NSS sockets.... (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
5 years, 10 months ago by wtc
Modified:
4 years, 3 months ago
Reviewers:
Jaime Soriano
CC:
chromium-reviews_googlegroups.com, brettw+cc_chromium.org, darin (slow to review), jam, ben+cc_chromium.org
Visibility:
Public.

Description

Provides a certificate for SSL client authentication on NSS sockets. GUI is still missing, so certificates and private keys have to be stored manually, p.e.: $ pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12 Adds --auto-ssl-client-auth command-line option to enable this feature. Patch contributed by Jaime Soriano <jsorianopastor@gmail.com>;. Original review URL: http://codereview.chromium.org/220009 R=wtc BUG=16830 TEST=Try to connect to a web page that requires SSL authentication and confirm that it connects if and only if a valid certificate is stored in the ~/.pki/nssdb database. Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=29188

Patch Set 1 #

Patch Set 2 : Fix the copying of CERTDistNames #

Patch Set 3 : Use SSL_InvalidateSession. Declare variables at first use. #

Patch Set 4 : Support renegotiation. Some more cleanup. #

Patch Set 5 : Add Jaime to the AUTHORS file #

Patch Set 6 : Remove extern from chrome_switches.cc #

Unified diffs Side-by-side diffs Delta from patch set Stats (+154 lines, -3 lines) Patch
M AUTHORS View 5 1 chunk +1 line, -0 lines 0 comments Download
M chrome/browser/renderer_host/resource_dispatcher_host.cc View 2 chunks +9 lines, -0 lines 0 comments Download
M chrome/common/chrome_switches.h View 1 chunk +4 lines, -0 lines 0 comments Download
M chrome/common/chrome_switches.cc View 1 2 3 4 5 1 chunk +10 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_nss.h View 1 2 3 3 chunks +13 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_nss.cc View 1 2 3 10 chunks +117 lines, -3 lines 0 comments Download
Trybot results:
Project "None" does not have a commit queue.

Messages

Total messages: 4 (0 generated)
wtc
Jamie, Patch Set 1 is your latest patch, merged with the current tip of the ...
5 years, 10 months ago (2009-10-15 02:30:37 UTC) #1
wtc
Jaime, I fixed the copying of CERTDistNames. You can look at the delta between Patch ...
5 years, 10 months ago (2009-10-15 17:36:20 UTC) #2
Jaime Soriano
On 2009/10/15 17:36:20, wtc wrote: > Jaime, > > I fixed the copying of CERTDistNames. ...
5 years, 10 months ago (2009-10-15 18:27:26 UTC) #3
wtc
5 years, 10 months ago (2009-10-15 21:57:14 UTC) #4
On 2009/10/15 18:27:26, Jaime Soriano wrote:
>
> I neither like the manual copy, are you going to check this in? or should we
> wait and do it as I did in my third patch set?
> Should I create a new issue for this changes?

In the interest of time, I've checked in your current patch
after cleaning it up.  Please create a new issue to go back
to the original method of constructing the client_certs_
vector in ClientAuthHandler.

Note: I will be out of town next Monday to Wednesday
(19-21 October).

Re: SSL_ReHandshake: I figured out why you needed to call
it.  We can accomplish that better by using SSL_InvalidateSession.
I added a comment before the SSL_InvalidateSession call to
explain why it's necessary.

> > I also found that your code doesn't work with sites
> > that require SSL client authentication.  I should be able
> > to fix that.
> > 
> I use it daily to access to the private web sites of the company where I work
> without any problem... In which cases it doesn't work?

Some sites request but don't require SSL client auth.  If you
don't send a client cert, the SSL handshake will still succeed,
but the server won't allow you to access the resource that
requires client authentication.

If a site requires SSL client auth and you don't send a client
cert, the server will send an SSL "alert" message such as
"handshake_failure" and fail the handshake.  When this happens,
SSL_ForceHandshake fails with the
SSL_ERROR_HANDSHAKE_FAILURE_ALERT error code.

Since your original code is used only when SSL_ForceHandshake
succeeds, it doesn't handle the SSL_ForceHandshake failure case.
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld c33a7a4