Hi All.
I use xulrunner for embedding a mozilla-functionality in my app.
For my app I need some way to accept the site's security certificate
unconditionally without any certificate-error report dialogs.
For this reason I wrote my own implementation of the
nsICertOverrideService and was planning use it for temporary
certificates acception but
some logic in the CertErrorRunnable::CheckCertOverrides
(xulrunner-12.0b.6, security/manager/ssl/src/
SSLServerCertVerification.cpp) makes that impossible
Here is a part of code from SSLServerCertVerification.cpp ...
SSLServerCertVerificationResult *
CertErrorRunnable::CheckCertOverrides()
{
....
PRUint32 remaining_display_errors = mCollectedErrors;
....
if (!strictTransportSecurityEnabled) {
nsCOMPtr<nsICertOverrideService> overrideService =
do_GetService(NS_CERTOVERRIDE_CONTRACTID);
// it is fine to continue without the nsICertOverrideService
PRUint32 overrideBits = 0;
if (overrideService)
{
bool haveOverride;
bool isTemporaryOverride; // we don't care
nsCString hostString(mInfoObject->GetHostName());
nsrv = overrideService->HasMatchingOverride(hostString, port,
mCert,
&overrideBits,
&isTemporaryOverride,
&haveOverride);
if (NS_SUCCEEDED(nsrv) && haveOverride)
{
// remove the errors that are already overriden
remaining_display_errors -= overrideBits;
/*
Here it would be nice to have a chance to accept the certificate
unconditionally, but
because of the "-=" operation, it is impossible
During a call of the HasMatchingOverride the remaining_display_errors
is not passed to the service and if the call returns "true" and it
sets all possible override bits to "1" then we have the next...
remaining_display_errors is 1 // untrusted certificate
overrideBits is 7 // in the service we don't know what
happend and override all possible errors
remaining_display_errors -= overrideBits
if (! remaining_display_errors) { // FALSE !!!
But if...
remaining_display_errors &= (~overrideBits);
if (! remaining_display_errors) { // it's OK
*/
}
}
if (!remaining_display_errors) {
// all errors are covered by override rules, so let's accept the
cert
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("[%p][%p] All errors covered by override rules\n",
mFdForLogging, this));
return new SSLServerCertVerificationResult(*mInfoObject, 0);
}
} else {
....
}
Is there some other way to accept site's certificate during first
connection attempt ?
_______________________________________________
dev-embedding mailing list
dev-embedding@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-embedding
