On Jun 24, 2:14 pm, Pavel Ivanov <paiv...@gmail.com> wrote:
> > I am pretty sure Chrome uses NSS (along with the operating system stack for
> > cryptography/SChannel (Windows), I think, though really not sure) for this.
>
> I believe Chrome stopped using SChannel a long time ago. When it used
> SChannel I couldn't load some sites: Chrome said that the certificate is
> bad and Event Viewer showed errors from SChannel. Then after some new
> major version was released (somewhere about 3 or 4) I stopped seeing
> those errors and all sites were shown without problems (though there
> still were problems in IE with the same link to SChannel).
>
> Pavel

PhistucK is correct - Chrome currently uses NSS across all supported
platforms to perform SSL/TLS by default. However, certificate
validation/PKI path building happens with the native APIs when
available - CryptoAPI on Windows and CDSA/CSSM/Security Framework/
Keychain Services on OS X. Given the lack of a system-native
cryptographic store on Linux, NSS is used for that as well.

There is still a command-line flag available on Windows and Mac that
can cause it to fall back to the system SSL/TLS stacks (SSPI/SChannel
on Windows, SecureTransport on OS X) in order to work around certain
issues with client certificates and smart cards, but these aren't
actively tested as part of the testing framework and may experience
regressions from time to time. The flag is also useful in the event
it's necessary to use certain country-specific cipher suites not yet
supported within Chromium.

The cryptographic stack is currently built into chrome.dll. I believe
there is experimental work going on at to split some of this up into
its own DLL (both a net.dll and possibly an NSS/NSPR DLL).

If you're asking in order to make modifications, the first place to
begin is at [1]. This depends on NSS's libssl, which Chromium
maintains a modified version of at [2]. Additional parts of NSS, and
of NSPR, are either linked to directly from the system/distro if on
Linux, or are maintained (with modifications) at [3] in the case of OS
X/Windows.

You can find more information about the upstream version within the
README.chromium files in [2] and [3].

[1] http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/net/socket/ssl_client_socket_nss.h
[2] http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/net/third_party/nss/
[3] http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/