# HG changeset patch
# Parent 182ca077d392c4bc7ce87475e94061b315c7fc26
# User Patrick McManus
bug 696531 - disble client ssl certs with spdy patch 16
diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -2816,16 +2816,36 @@ SECStatus nsNSS_SSLGetClientAuthData(voi
 CERTCertificate* serverCert = SSL_PeerCertificate(socket);
 if (!serverCert) {
 NS_NOTREACHED("Missing server certificate should have been detected during "
 "server cert authentication.");
 PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
 return SECFailure;
 }
 
+ // Right now spdy is not allowed to use client certs.
+ // See BlockServerCertChangeForSpdy for a similar restriction.
+ SSLNextProtoState npnState;
+ unsigned char npnBuf[256];
+ unsigned int npnLen;
+
+ // The NextProto information is valid anytime after Server Hello
+ SECStatus srv = SSL_GetNextProto(socket, &npnState, npnBuf, &npnLen, 256);
+ if (srv != SECSuccess)
+ return srv;
+
+ if (npnState == SSL_NEXT_PROTO_NEGOTIATED &&
+ npnLen == 6 && !memcmp(npnBuf, "spdy/2", 6)) {
+ PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
+ ("[socket=%p] Not returning client cert due to npn=spdy/2\n", socket));
+ *pRetCert = nsnull;
+ *pRetKey = nsnull;
+ return SECSuccess;
+ }
+
 // XXX: This should be done asynchronously; see bug 696976
 nsRefPtr runnable =
 new ClientAuthDataRunnable(caNames, pRetCert, pRetKey, info, serverCert);
 nsresult rv = runnable->DispatchToMainThreadAndWait();
 if (NS_FAILED(rv)) {
 PR_SetError(SEC_ERROR_NO_MEMORY, 0);
 return SECFailure;
 }
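Review bot: The new deny-list in nsNSS_SSLGetClientAuthData suppresses the client cert only for the exact NPN token "spdy/2" (`npnLen == 6 && !memcmp(npnBuf, "spdy/2", 6)`), while the comment above it states that spdy as such is not allowed client certs; any other negotiated protocol string falls through to the ClientAuthDataRunnable path, so a later spdy version would silently reopen the client-cert flow unless this comparison is updated too. Since the comment points at BlockServerCertChangeForSpdy as a parallel restriction, the "is the negotiated protocol spdy" test is worth moving into one shared helper so the two checks cannot drift apart. A smaller point: the buffer size is passed as the literal 256 that merely repeats the array declaration; `SECStatus srv = SSL_GetNextProto(socket, &npnState, npnBuf, &npnLen, sizeof(npnBuf));` keeps the two in step. The early `return srv;` on a failed SSL_GetNextProto also leaves PR error reporting to the callee, unlike the serverCert check just above it, which sets its own error before returning SECFailure; a one-line comment stating that this path deliberately yields no client cert would make the fail-closed intent explicit. nsNSS_SSLGetClientAuthData starts and ends outside the hunk.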