Change the bad-certificate handler for SSL (using NSS) to return an...

net/base/ssl_config_service.h

Index: net/base/ssl_config_service.h
===================================================================
--- net/base/ssl_config_service.h	(revision 12708)
+++ net/base/ssl_config_service.h	(working copy)
@@ -5,7 +5,10 @@
 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H__
 #define NET_BASE_SSL_CONFIG_SERVICE_H__
 
+#include <set>
+
 #include "base/time.h"
+#include "net/base/x509_certificate.h"
 
 namespace net {
 
@@ -23,6 +26,12 @@
   bool ssl2_enabled;  // True if SSL 2.0 is enabled.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.
+
+  // Add any known-bad SSL certificates to allowed_bad_certs_ that should not
+  // trigger an ERR_CERT_*_INVALID error when calling SSLClientSocket::Connect.

[wtc, 2009/03/30 18:18:57]

Nit: the error should be just ERR_CERT_* because not all
certificate error codes end in _INVALID.  Alternatively you
can just say "a certificate error".

+  // This would normally be done in response to the user explicitly accepting
+  // the bad certificate.
+  std::set<scoped_refptr<X509Certificate> > allowed_bad_certs_;
 };
 
 // This class is responsible for getting and setting the SSL configuration.