commit | 38c55d3a45cde047705782e49eb298715171f142 | |
---|---|---|
author | David Benjamin <[email protected]> | Mon Jan 10 18:59:10 2022 |
committer | Chromium LUCI CQ <[email protected]> | Mon Jan 10 18:59:10 2022 |
tree | 34e58047520d02af94df534ff734208199137230 | |
parent | f0bfc2dec22a8edc3fb431f6b9fae3a68a5d972d | |
Remove CERT_ERROR_IN_RENEGOTIATION

Found a stray TODO. This was added in https://codereview.chromium.org/118410, at a time when we surfaced certificate errors out of SSLClientSocket::Read. However, we've since forbidden server certificates from changing altogether, to mitigate 3SHAKE (https://mitls.org/pages/attacks/3SHAKE) and generally simplify using TLS.

As of https://boringssl-review.googlesource.com/c/boringssl/+/14028/ and https://boringssl-review.googlesource.com/c/boringssl/+/19665/, BoringSSL enforces the certificates match internally, and it will not even call the certificate verification callback on renegotiation. That means it is not possible to get a certificate verification error outside the handshake.

Change-Id: I840aa41606fe9566fffe5538068dc1658152ed65
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3353746
Reviewed-by: Matt Mueller <[email protected]>
Reviewed-by: Richard Coles <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Cr-Commit-Position: refs/heads/main@{#957127}
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc index 18d8e83..26a2605a 100644 --- a/net/http/http_network_transaction.cc +++ b/net/http/http_network_transaction.cc
@@ -1094,19 +1094,11 @@ } int HttpNetworkTransaction::DoReadHeadersComplete(int result) { - // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here - // due to SSL renegotiation. - if (IsCertificateError(result)) { - // We don't handle a certificate error during SSL renegotiation, so we - // have to return an error that's not in the certificate error range - // (-2xx). - // - // TODO(davidben): Remove this error. This is impossible now that server - // certificates are forbidden from changing in renegotiation. - LOG(ERROR) << "Got a server certificate with error " << result - << " during SSL renegotiation"; - result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; - } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { + // We can get a ERR_SSL_CLIENT_AUTH_CERT_NEEDED here due to SSL renegotiation. + // Server certificate errors are impossible. Rather than reverify the new + // server certificate, BoringSSL forbids server certificates from changing. + DCHECK(!IsCertificateError(result)); + if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { DCHECK(stream_.get()); DCHECK(IsSecureRequest()); response_.cert_request_info = base::MakeRefCounted<SSLCertRequestInfo>();
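Review bot: At the top of DoReadHeadersComplete, the new DCHECK(!IsCertificateError(result)) is compiled out of release builds, so the invariant is asserted only in debug configurations. If a certificate error ever did reach this point in a release build, it would now continue through the function with its original code in the certificate error range, where the removed branch remapped it to ERR_CERT_ERROR_IN_SSL_RENEGOTIATION. The comment justifies the assumption by pointing at BoringSSL, which is fine as documentation, but consider whether the release path should still fail the transaction explicitly rather than rely on the remaining branches to handle an unexpected code. Minor style point in the same comment: "a ERR_SSL_CLIENT_AUTH_CERT_NEEDED" should read "an ERR_SSL_CLIENT_AUTH_CERT_NEEDED".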