davidben authored
NSS used to build a chain internally in the SSL stack which got lost when switching to BoringSSL. Align with other platforms by building the chain externally in ClientCertStoreNSS. Although this is inherently somewhat flaky, some servers do not have intermediates configured locally and expect the client to supply them.

This modifies (really completely rewrites) our bundled NSS_CmpCertChainWCANames to return the chain it found. That is returned out of ClientCertStoreNSS.

Note that this is not completely the same as the old behavior. Rather than building as much of a path as we can manage from the leaf, we will stop at the issuer list supplied by the server. It is assumed that the server accepts the issuers it claims to accept. We also only do name-based matching (which we were doing anyway) to avoid adding a more expensive global operation in the candidate matching path.

In doing so, this syncs NSS with other platforms in removing the ancient workaround for Netscape Enterprise Server 2.0, released in 1996.

Tested with unit tests and also manually against a custom Go server.

BUG=548631

Review-Url: https://codereview.chromium.org/2185403003

Cr-Commit-Position: refs/heads/master@{#408647}
8d569f59
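
The matching rule the commit message describes (walk issuer names up from the leaf and stop at the server's issuer list), as an added C++ example that is not Chromium or NSS code. `Cert`, `FindBySubject`, `BuildChainToAcceptedIssuer`, the depth limit of 20 and the sample names are assumptions, as is returning the leaf plus intermediates without the accepted issuer's own certificate.

```cpp
// Added illustration; every name here is hypothetical, not a Chromium/NSS API.
#include <cstddef>
#include <set>
#include <string>
#include <vector>

struct Cert {
  std::string subject;  // stands in for the DER-encoded subject name
  std::string issuer;   // stands in for the DER-encoded issuer name
};

// Name-only lookup: no signature or validity checks are performed here.
const Cert* FindBySubject(const std::vector<Cert>& store,
                          const std::string& name) {
  for (const Cert& c : store)
    if (c.subject == name) return &c;
  return nullptr;
}

// Fills |chain| with the leaf plus intermediates and returns true once a cert
// in the path names an issuer the server listed. Returns false if the path
// dead-ends, loops, or exceeds |max_depth| (20 is an assumed limit).
bool BuildChainToAcceptedIssuer(const Cert& leaf,
                                const std::vector<Cert>& store,
                                const std::set<std::string>& ca_names,
                                std::vector<Cert>* chain,
                                std::size_t max_depth = 20) {
  chain->assign(1, leaf);
  std::set<std::string> seen{leaf.subject};
  while (chain->size() <= max_depth) {
    const std::string issuer = chain->back().issuer;
    if (ca_names.count(issuer)) return true;     // stop at the server's list
    if (issuer == chain->back().subject) break;  // self-signed, not accepted
    const Cert* next = FindBySubject(store, issuer);
    if (!next || !seen.insert(next->subject).second) break;  // missing or cycle
    chain->push_back(*next);
  }
  chain->clear();
  return false;
}

// Constructed sample: client <- "Issuing CA" <- "Policy CA" <- "Root CA".
const std::vector<Cert> kStore = {{"Issuing CA", "Policy CA"},
                                  {"Policy CA", "Root CA"},
                                  {"Root CA", "Root CA"}};
const Cert kLeaf = {"client", "Issuing CA"};
```

With the server listing "Policy CA", the chain is the leaf and "Issuing CA" only; the walk does not continue to the root even though the store could supply it.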