mAllowTLSIntoleranceTimeout(PR_TRUE),\r
mRememberClientAuthCertificate(PR_FALSE),\r
mHandshakeStartTime(0),\r
- mPort(0)\r
+ mPort(0),\r
+ mIsCertIssuerBlacklisted(PR_FALSE)\r
{\r
mThreadData = new nsSSLSocketThreadData;\r
}\r
static SECStatus\r
nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)\r
{\r
+ // cert was revoked, don't do anything else\r
+ // Calling cancel_and_failure is not necessary, and would be wrong,\r
+ // [for errors other than the ones explicitly handled below,] \r
+ // because it suppresses error reporting.\r
+ if (PR_GetError() == SEC_ERROR_REVOKED_CERTIFICATE)\r
+ return SECFailure;\r
+\r
nsNSSShutDownPreventionLock locker;\r
nsNSSSocketInfo* infoObject = (nsNSSSocketInfo *)arg;\r
if (!infoObject)\r
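Review bot: The early return at the top of nsNSSBadCertHandler relies on PR_GetError() still holding the code left by certificate verification, and nothing in the hunk states or enforces that. If anything running between verification and this handler overwrites the thread's error code, a revoked certificate would presumably fall through to the override handling further down; this should be confirmed against the caller. I would document the dependency at the check, e.g. `// Relies on the verification error code being untouched on entry; keep this the first statement.`, and reword the bracketed third comment line, which reads like a leftover editing note. The function body continues outside the hunk.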
PR_Now(), (void*)infoObject, \r
verify_log, NULL);\r
\r
+ if (infoObject->IsCertIssuerBlacklisted()) {\r
+ collected_errors |= nsICertOverrideService::ERROR_UNTRUSTED;\r
+ }\r
+\r
// We ignore the result code of the cert verification.\r
// Either it is a failure, which is expected, and we'll process the\r
// verify log below.\r
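Review bot: Folding the blacklist hit into `collected_errors` as `nsICertOverrideService::ERROR_UNTRUSTED` reports a blacklisted issuer the same way as an ordinary untrusted-issuer failure, so an override that covers the untrusted bit would apparently cover it too. The override lookup is outside the hunk, so this needs confirming against the rest of nsNSSBadCertHandler. If the blacklist is meant to be a hard block, the handler should refuse overrides whenever `infoObject->IsCertIssuerBlacklisted()` is true rather than only setting the bit. At minimum the branch deserves a comment stating the intent, e.g. `// Blacklisted issuer is reported as untrusted; whether it can be overridden is decided below.`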