Hi All. I use xulrunner for embedding mozilla functionality in my app. For my app I need some way to accept the site's security certificate unconditionally without any certificate-error report dialogs. For this reason I wrote my own implementation of the nsICertOverrideService and was planning to use it for temporary certificate acceptance, but some logic in CertErrorRunnable::CheckCertOverrides (xulrunner-12.0b.6, security/manager/ssl/src/SSLServerCertVerification.cpp) makes that impossible.
Here is a part of the code from SSLServerCertVerification.cpp ...

    SSLServerCertVerificationResult *
    CertErrorRunnable::CheckCertOverrides()
    {
      ....
      PRUint32 remaining_display_errors = mCollectedErrors;
      ....
      if (!strictTransportSecurityEnabled) {
        nsCOMPtr<nsICertOverrideService> overrideService =
          do_GetService(NS_CERTOVERRIDE_CONTRACTID);
        // it is fine to continue without the nsICertOverrideService
        PRUint32 overrideBits = 0;
        if (overrideService) {
          bool haveOverride;
          bool isTemporaryOverride; // we don't care
          nsCString hostString(mInfoObject->GetHostName());
          nsrv = overrideService->HasMatchingOverride(hostString, port, mCert,
                                                      &overrideBits,
                                                      &isTemporaryOverride,
                                                      &haveOverride);
          if (NS_SUCCEEDED(nsrv) && haveOverride) {
            // remove the errors that are already overridden
            remaining_display_errors -= overrideBits;
            /* Here it would be nice to have a chance to accept the certificate
               unconditionally, but because of the "-=" operation, it is impossible.
               During a call of HasMatchingOverride, remaining_display_errors is not
               passed to the service, and if the call returns "true" and it sets all
               possible override bits to "1" then we have the following:

                 remaining_display_errors is 1 // untrusted certificate
                 overrideBits is 7             // in the service we don't know what
                                               // happened and override all possible errors
                 remaining_display_errors -= overrideBits;
                 if (!remaining_display_errors) { // FALSE !!!

               But if...

                 remaining_display_errors &= (~overrideBits);
                 if (!remaining_display_errors) { // it's OK
            */
          }
        }
        if (!remaining_display_errors) {
          // all errors are covered by override rules, so let's accept the cert
          PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
                 ("[%p][%p] All errors covered by override rules\n",
                  mFdForLogging, this));
          return new SSLServerCertVerificationResult(*mInfoObject, 0);
        }
      } else {
        ....
      }

Is there some other way to accept the site's certificate during the first connection attempt?
_______________________________________________ dev-embedding mailing list dev-embedding@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-embedding
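As an added illustration (not part of the original message or of the Mozilla source), the override-clearing step is modelled below in stand-alone C++ with both operators. The three flag values 1, 2 and 4 are the ERROR_UNTRUSTED, ERROR_MISMATCH and ERROR_TIME constants of nsICertOverrideService; clearWithSubtraction reproduces the "-=" from CheckCertOverrides and clearWithMask the "&= ~" variant discussed in the message, and the helper names are this example's own.

```cpp
#include <cstdint>
#include <cstdio>

// Override flag values as defined in nsICertOverrideService.idl.
const uint32_t ERROR_UNTRUSTED = 1;
const uint32_t ERROR_MISMATCH  = 2;
const uint32_t ERROR_TIME      = 4;
const uint32_t ALL_OVERRIDES   = ERROR_UNTRUSTED | ERROR_MISMATCH | ERROR_TIME;

// Mirrors "remaining_display_errors -= overrideBits" in CheckCertOverrides.
// Only correct when overrideBits is a subset of the collected errors; any
// extra bit in overrideBits makes the unsigned subtraction wrap around.
uint32_t clearWithSubtraction(uint32_t collectedErrors, uint32_t overrideBits) {
    return collectedErrors - overrideBits;
}

// The "&= ~overrideBits" form: clears exactly the overridden bits and keeps
// every other collected error, whatever else the override happens to cover.
uint32_t clearWithMask(uint32_t collectedErrors, uint32_t overrideBits) {
    return collectedErrors & ~overrideBits;
}

// True when the cert would be accepted ("all errors covered by override rules").
bool acceptedAfterSubtraction(uint32_t collectedErrors, uint32_t overrideBits) {
    return clearWithSubtraction(collectedErrors, overrideBits) == 0;
}

bool acceptedAfterMask(uint32_t collectedErrors, uint32_t overrideBits) {
    return clearWithMask(collectedErrors, overrideBits) == 0;
}

int main() {
    // The case from the message: only ERROR_UNTRUSTED was collected, but the
    // override service answers with all three bits set.
    uint32_t errors = ERROR_UNTRUSTED;
    printf("subtraction: remaining=0x%08x accepted=%d\n",
           clearWithSubtraction(errors, ALL_OVERRIDES),
           acceptedAfterSubtraction(errors, ALL_OVERRIDES));
    printf("mask:        remaining=0x%08x accepted=%d\n",
           clearWithMask(errors, ALL_OVERRIDES),
           acceptedAfterMask(errors, ALL_OVERRIDES));
    // An override for the untrusted issuer only, while the name also mismatches:
    // the mask form still refuses, because ERROR_MISMATCH is not overridden.
    errors = ERROR_UNTRUSTED | ERROR_MISMATCH;
    printf("partial override accepted (mask)=%d\n",
           acceptedAfterMask(errors, ERROR_UNTRUSTED));
    return 0;
}
```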