net: remove forced renegotiation checks

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 468 matching lines @@
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       server_cert_verify_result_(NULL),
       ssl_connection_status_(0),
       client_auth_cert_needed_(false),
       cert_verifier_(cert_verifier),
       handshake_callback_called_(false),
       completed_handshake_(false),
       pseudo_connected_(false),
       eset_mitm_detected_(false),

[wtc, 2011/04/05 17:20:03]

I guess we should keep eset_mitm_detected_ because it handles
a different problem (false start incompatibility)?

(I searched for "mitm", "MITM" in the source tree to see if
we missed any file.)

[agl, 2011/04/05 19:55:41]

Yes, we still need the ESET MITM code.

       predicted_cert_chain_correct_(false),
       peername_initialized_(false),
       dnssec_provider_(NULL),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL),
       net_log_(transport_socket->socket()->NetLog()),
       predicted_npn_status_(kNextProtoUnsupported),
       predicted_npn_proto_used_(false),
       ssl_host_info_(ssl_host_info),
@@ skipping 476 matching lines @@
 #ifdef SSL_ENABLE_SNAP_START
   // TODO(agl): check that SSL_ENABLE_SNAP_START actually does something in the
   // current NSS code.
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START,
                      ssl_config_.snap_start_enabled);
   if (rv != SECSuccess)
     VLOG(1) << "SSL_ENABLE_SNAP_START failed.  Old system nss?";
 #endif
 
 #ifdef SSL_ENABLE_RENEGOTIATION
-  // Deliberately disable this check for now: http://crbug.com/55410
-  if (false &&
-      SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) &&
-      !ssl_config_.mitm_proxies_allowed) {

[wtc, 2011/04/05 17:20:03]

Hmm... so this code has been disabled (by the 'false') for
a while...

-    rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
-    if (rv != SECSuccess) {
-      LogFailedNSSFunction(
-          net_log_, "SSL_OptionSet", "SSL_REQUIRE_SAFE_NEGOTIATION");
-    }
-    rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
-                       SSL_RENEGOTIATE_REQUIRES_XTN);
-  } else {
-    // We allow servers to request renegotiation. Since we're a client,
-    // prohibiting this is rather a waste of time. Only servers are in a
-    // position to prevent renegotiation attacks.
-    // http://extendedsubset.com/?p=8
+  // We allow servers to request renegotiation. Since we're a client,
+  // prohibiting this is rather a waste of time. Only servers are in a
+  // position to prevent renegotiation attacks.
+  // http://extendedsubset.com/?p=8
 
-    rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
-                       SSL_RENEGOTIATE_TRANSITIONAL);
-  }
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
+                     SSL_RENEGOTIATE_TRANSITIONAL);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 #endif  // SSL_ENABLE_RENEGOTIATION
 
 #ifdef SSL_NEXT_PROTO_NEGOTIATED
   if (!ssl_config_.next_protos.empty()) {
     rv = SSL_SetNextProtoNego(
        nss_fd_,
@@ skipping 1525 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net