Update from https://crrev.com/304121

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 9fdfe38ccdd335e8de867328f97f0beda5bb0931..57aa619105d95f67269834d14736c6a917ac8e29 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -140,6 +140,19 @@ int LogErrorCallback(const char* str, size_t len, void* context) {
   return 1;
 }
 
+bool IsOCSPStaplingSupported() {
+#if defined(OS_WIN)
+  // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
+  // set on Windows XP without error. There is some overhead from the server
+  // sending the OCSP response if it supports the extension, for the subset of
+  // XP clients who will request it but be unable to use it, but this is an
+  // acceptable trade-off for simplicity of implementation.
+  return true;
+#else
+  return false;
+#endif
+}
+
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
@@ -829,8 +842,8 @@ int SSLClientSocketOpenSSL::Init() {
     SSL_enable_ocsp_stapling(ssl_);
   }
 
-  // TODO(davidben): Enable OCSP stapling on platforms which support it and pass
-  // into the certificate verifier. https://crbug.com/398677
+  if (IsOCSPStaplingSupported())
+    SSL_enable_ocsp_stapling(ssl_);
 
   return OK;
 }
@@ -933,10 +946,16 @@ int SSLClientSocketOpenSSL::DoHandshake() {
                            ssl_config_.channel_id_enabled,
                            crypto::ECPrivateKey::IsSupported());
 
-    uint8_t* ocsp_response;
-    size_t ocsp_response_len;
-    SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
-    set_stapled_ocsp_response_received(ocsp_response_len != 0);
+    // Only record OCSP histograms if OCSP was requested.
+    if (ssl_config_.signed_cert_timestamps_enabled ||
+        IsOCSPStaplingSupported()) {
+      uint8_t* ocsp_response;
+      size_t ocsp_response_len;
+      SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
+
+      set_stapled_ocsp_response_received(ocsp_response_len != 0);
+      UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
+    }
 
     uint8_t* sct_list;
     size_t sct_list_len;
@@ -1166,6 +1185,31 @@ void SSLClientSocketOpenSSL::UpdateServerCert() {
         NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
         base::Bind(&NetLogX509CertificateCallback,
                    base::Unretained(server_cert_.get())));
+
+    // TODO(rsleevi): Plumb an OCSP response into the Mac system library and
+    // update IsOCSPStaplingSupported for Mac. https://crbug.com/430714
+    if (IsOCSPStaplingSupported()) {
+#if defined(OS_WIN)
+      uint8_t* ocsp_response_raw;
+      size_t ocsp_response_len;
+      SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
+
+      CRYPT_DATA_BLOB ocsp_response_blob;
+      ocsp_response_blob.cbData = ocsp_response_len;
+      ocsp_response_blob.pbData = ocsp_response_raw;
+      BOOL ok = CertSetCertificateContextProperty(
+          server_cert_->os_cert_handle(),
+          CERT_OCSP_RESPONSE_PROP_ID,
+          CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
+          &ocsp_response_blob);
+      if (!ok) {
+        VLOG(1) << "Failed to set OCSP response property: "
+                << GetLastError();
+      }
+#else
+      NOTREACHED();
+#endif
+    }
   }
 }
 
@@ -1567,6 +1611,8 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
   DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
   DCHECK(ssl == ssl_);
 
+  net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED);
+
   // Clear any currently configured certificates.
   SSL_certs_clear(ssl_);
 
@@ -1644,11 +1690,17 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
       LOG(WARNING) << "Failed to set client certificate";
       return -1;
     }
+
+    int cert_count = 1 + sk_X509_num(chain.get());
+    net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
+                      NetLog::IntegerCallback("cert_count", cert_count));
     return 1;
   }
 #endif  // defined(OS_IOS)
 
   // Send no client certificate.
+  net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
+                    NetLog::IntegerCallback("cert_count", 0));
   return 1;
 }