Allow vetoing successful SSL certificate verification #7914
Conversation
|
Thanks for picking this up.
It will happen after the verify call, you can look at this state machine https://cs.chromium.org/chromium/src/net/socket/ssl_client_socket_impl.cc?sq=package:chromium&l=1312.
This looks good, but instead of null we can just expect a second boolean argument whether to default to chromium verification result. This argument will be false by default to maintain backwards compatibility. I have some style changes to this PR locally, will push them today. |
|
@gregnolle have made the changes https://github.com/deepak1556/atom-shell/commits/veto-ssl-verify , if it looks good I can either push to your branch given the permission or create a new pull request. Thanks! |
|
@deepak1556 thanks very much for helping with this. I was hoping to find time during the week to work on it again, but didn't get the chance. Your implementation looks much better though. I'm happy to close off my pull request and you can do one for your branch. |
First go at resolving #7891.
/cc @deepak1556: Thanks for your guidance in the issue report. Would you mind taking a look at this and see if you can see any issues please? I removed the call into the CT delegate that I see you added in #7651 since I don't want to bypass CT checking. I'm not clear exactly when CT checking happens though (before or after the CertVerifier::Verify call?) and perhaps there should still be a way of bypassing it?
I thought about maybe changing the interpretation of the callback value to:
What do you think?