Bug 910207 Comment 42 Edit History
(In reply to Dana Keeler [:keeler] (use needinfo?) from comment #40)
> Comment on attachment 8903248 [details] [diff] [review]
> v4
>
> Review of attachment 8903248 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> This looks like it works for the simple case. I'm not sure about the proxy
> case, though (e.g. authenticating to the proxy vs authenticating to a server
> through a proxy?)

I think what the psm info objects hold in hostname and port is the end node and it's more or less transparent what they are talking to.

The more I think of it, I believe the code in nsHttpConnectionMgr::DontPreconnect may be wrong, we should test for both proxy OR origin match and don't preconnect if any of it (origin or proxy) matches the host asking a client cert. Note that we only support https proxies and we do support ssl through ssl. Hence, a conn entry that has proxy asking a client cert OR a server (behind that proxy) asking a client cert should both not be preconnected.

> I'm also looking at how we can test this.
>
> ::: security/manager/ssl/nsNSSIOLayer.cpp
> @@ +2068,5 @@
> > + nsCOMPtr<nsIHttpProtocolHandler> handler(
> > + do_GetService(NS_NETWORK_PROTOCOL_CONTRACTID_PREFIX "http"));
> > +
> > + if (handler) {
> > + handler->DontPreconnect(info->GetHostName(), info->GetPort());
>
> I have to think this one through. I'm not sure what the right answer is.

I will try to find time to update the patch according to the comment above yet today, but this is the last day I have. Then I'm ooo till 09-18.
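Review bot: in the `@@ +2068,5 @@` hunk of security/manager/ssl/nsNSSIOLayer.cpp, the `handler->DontPreconnect(info->GetHostName(), info->GetPort())` call carries no comment saying which endpoint that host and port identify when the connection runs through an https proxy, which is the case the surrounding discussion leaves open. Suggest a short comment above the call stating whether the pair names the proxy or the origin behind it, so the matching logic on the connection-manager side can be checked against it. The `if (handler)` guard also skips the call silently when `do_GetService` returns null, so the host is never recorded in that case; a log line or assertion on that branch would make the failure visible.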