Overriding CertOverrideService in xulrunner 10+

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Overriding CertOverrideService in xulrunner 10+

Yuriy Cherepko-2
Hi All.
I use xulrunner for embedding a mozilla-functionality in my app.
For my app I need some way to accept the site's security certificate
unconditionally without any certificate-error report dialogs.
For this reason I wrote my own implementation of the
nsICertOverrideService and was planning use it for temporary
certificates acception but
some logic in the CertErrorRunnable::CheckCertOverrides
(xulrunner-12.0b.6, security/manager/ssl/src/
SSLServerCertVerification.cpp) makes that impossible

Here is a part of code from SSLServerCertVerification.cpp ...

SSLServerCertVerificationResult *

        PRUint32 remaining_display_errors = mCollectedErrors;


    if (!strictTransportSecurityEnabled) {
    nsCOMPtr<nsICertOverrideService> overrideService =
    // it is fine to continue without the nsICertOverrideService

    PRUint32 overrideBits = 0;

    if (overrideService)
      bool haveOverride;
      bool isTemporaryOverride; // we don't care
      nsCString hostString(mInfoObject->GetHostName());
      nsrv = overrideService->HasMatchingOverride(hostString, port,
      if (NS_SUCCEEDED(nsrv) && haveOverride)
       // remove the errors that are already overriden
        remaining_display_errors -= overrideBits;
Here it would be nice to have a chance to accept the certificate
unconditionally, but
because of the "-=" operation, it is impossible

During a call of the HasMatchingOverride the remaining_display_errors
is not passed to the service and if the call returns "true" and it
sets all possible override bits to "1" then we have the next...

              remaining_display_errors  is 1 // untrusted certificate
              overrideBits is 7 // in the service we don't know what
happend and override all possible errors

              remaining_display_errors -= overrideBits
              if (! remaining_display_errors) { // FALSE !!!

              But if...

              remaining_display_errors &= (~overrideBits);
              if (! remaining_display_errors) { // it's OK

    if (!remaining_display_errors) {
      // all errors are covered by override rules, so let's accept the
             ("[%p][%p] All errors covered by override rules\n",
             mFdForLogging, this));
      return new SSLServerCertVerificationResult(*mInfoObject, 0);
  } else {


Is there some other way to accept site's certificate during first
connection attempt ?

dev-embedding mailing list
[hidden email]