Diffstat (limited to 'src/core')
-rw-r--r--src/core/profile_adapter.cpp31
-rw-r--r--src/core/profile_adapter.h4
-rw-r--r--src/core/profile_adapter_client.h1
-rw-r--r--src/core/profile_io_data_qt.cpp69
-rw-r--r--src/core/profile_io_data_qt.h3
5 files changed, 107 insertions, 1 deletions
diff --git a/src/core/profile_adapter.cpp b/src/core/profile_adapter.cpp
index 86b16fd2c..57bf3e752 100644
--- a/src/core/profile_adapter.cpp
+++ b/src/core/profile_adapter.cpp
@@ -48,6 +48,7 @@
#include "download_manager_delegate_qt.h"
#include "net/url_request_context_getter_qt.h"
#include "permission_manager_qt.h"
+#include "profile_adapter_client.h"
#include "profile_qt.h"
#include "renderer_host/user_resource_controller_host.h"
#include "type_conversion.h"
@@ -546,4 +547,34 @@ void ProfileAdapter::resetVisitedLinksManager()
m_visitedLinksManager.reset(new VisitedLinksManagerQt(this));
}
+void ProfileAdapter::setUseForGlobalCertificateVerification(bool enable)
+{
+ if (m_usedForGlobalCertificateVerification == enable)
+ return;
+
+ static QPointer<ProfileAdapter> profileForglobalCertificateVerification;
+
+ m_usedForGlobalCertificateVerification = enable;
+ if (enable) {
+ if (profileForglobalCertificateVerification) {
+ profileForglobalCertificateVerification->m_usedForGlobalCertificateVerification = false;
+ for (auto *client : qAsConst(profileForglobalCertificateVerification->m_clients))
+ client->useForGlobalCertificateVerificationChanged();
+ }
+ profileForglobalCertificateVerification = this;
+ } else {
+ Q_ASSERT(profileForglobalCertificateVerification);
+ Q_ASSERT(profileForglobalCertificateVerification == this);
+ profileForglobalCertificateVerification = nullptr;
+ }
+
+ if (m_profile->m_urlRequestContextGetter.get())
+ m_profile->m_profileIOData->updateUsedForGlobalCertificateVerification();
+}
+
+bool ProfileAdapter::isUsedForGlobalCertificateVerification() const
+{
+ return m_usedForGlobalCertificateVerification;
+}
+
} // namespace QtWebEngineCore
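Review bot: When another profile already holds the role, the `if (enable)` branch resets only the adapter-side flag of the displaced profile and notifies its clients; the `updateUsedForGlobalCertificateVerification()` call at the end reaches this profile's IO data only. The displaced profile's `ProfileIODataQt` therefore keeps `m_useForGlobalCertificateVerification == true`, and its destructor (the `~ProfileIODataQt()` hunk in profile_io_data_qt.cpp) will later clear the NSS request context and shut down the global cert net fetcher, which by then belong to the new holder. I would refresh the displaced profile's IO data inside that branch as well, guarded the same way as the call at the end, e.g. `if (prev->m_profile->m_urlRequestContextGetter.get()) prev->m_profile->m_profileIOData->updateUsedForGlobalCertificateVerification();` with `prev` standing for `profileForglobalCertificateVerification`. The two `Q_ASSERT`s in the else branch compile out in release builds, so if the static pointer ever disagrees with `this` there, another profile's registration is dropped silently; an explicit `if (profileForglobalCertificateVerification == this)` before the reset would avoid that.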
diff --git a/src/core/profile_adapter.h b/src/core/profile_adapter.h
index 65843eda3..19a56d2a7 100644
--- a/src/core/profile_adapter.h
+++ b/src/core/profile_adapter.h
@@ -186,12 +186,16 @@ public:
void clearHttpCache();
+ void setUseForGlobalCertificateVerification(bool enable = true);
+ bool isUsedForGlobalCertificateVerification() const;
+
private:
void updateCustomUrlSchemeHandlers();
void resetVisitedLinksManager();
QString m_name;
bool m_offTheRecord;
+ bool m_usedForGlobalCertificateVerification = false;
QScopedPointer<ProfileQt> m_profile;
QScopedPointer<VisitedLinksManagerQt> m_visitedLinksManager;
QScopedPointer<DownloadManagerDelegateQt> m_downloadManagerDelegate;
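Review bot: `setUseForGlobalCertificateVerification()` is declared without a comment although its effect is process-wide: per the implementation in profile_adapter.cpp, enabling it on one profile silently takes the role away from whichever profile held it before. A line such as `// At most one profile per process holds this role; enabling it here revokes it from the previous holder.` above the declaration would tell callers that. The class declaration begins outside this hunk.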
diff --git a/src/core/profile_adapter_client.h b/src/core/profile_adapter_client.h
index 06051fab6..4711f8bcf 100644
--- a/src/core/profile_adapter_client.h
+++ b/src/core/profile_adapter_client.h
@@ -142,6 +142,7 @@ public:
virtual void downloadRequested(DownloadItemInfo &info) = 0;
virtual void downloadUpdated(const DownloadItemInfo &info) = 0;
+ virtual void useForGlobalCertificateVerificationChanged() {}
static QString downloadInterruptReasonToString(DownloadInterruptReason reason);
};
diff --git a/src/core/profile_io_data_qt.cpp b/src/core/profile_io_data_qt.cpp
index fdd9a881c..ad8c2a110 100644
--- a/src/core/profile_io_data_qt.cpp
+++ b/src/core/profile_io_data_qt.cpp
@@ -85,6 +85,15 @@
#include "resource_context_qt.h"
#include "type_conversion.h"
+#if defined(USE_NSS_CERTS)
+#include "net/cert_net/nss_ocsp.h"
+#endif
+
+#if defined(OS_LINUX) || defined(OS_MACOSX)
+#include "net/cert/cert_net_fetcher.h"
+#include "net/cert_net/cert_net_fetcher_impl.h"
+#endif
+
namespace QtWebEngineCore {
static const char* const kDefaultAuthSchemes[] = { net::kBasicAuthScheme,
@@ -170,6 +179,16 @@ ProfileIODataQt::~ProfileIODataQt()
{
if (content::BrowserThread::IsThreadInitialized(content::BrowserThread::IO))
DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
+
+ if (m_useForGlobalCertificateVerification) {
+#if defined(USE_NSS_CERTS)
+ net::SetURLRequestContextForNSSHttpIO(nullptr);
+#endif
+#if defined(OS_LINUX) ||defined(OS_MACOSX)
+ net::ShutdownGlobalCertNetFetcher();
+#endif
+ }
+
m_resourceContext.reset();
if (m_cookieDelegate)
m_cookieDelegate->setCookieMonster(0); // this will let CookieMonsterDelegateQt be deleted
@@ -212,6 +231,7 @@ void ProfileIODataQt::initializeOnIOThread()
m_initialized = true;
generateAllStorage();
generateJobFactory();
+ setGlobalCertificateVerification();
}
void ProfileIODataQt::initializeOnUIThread()
@@ -254,6 +274,26 @@ void ProfileIODataQt::generateAllStorage()
m_updateAllStorage = false;
}
+class SSLConfigServiceQt : public net::SSLConfigService {
+public:
+ SSLConfigServiceQt()
+ {
+ // Enable revocation checking:
+ m_defaultConfig.rev_checking_enabled = true;
+ // Mirroring Android WebView (we have no beef with Symantec, and our users might use them):
+ m_defaultConfig.symantec_enforcement_disabled = true;
+ }
+ ~SSLConfigServiceQt() override = default;
+
+ void GetSSLConfig(net::SSLConfig* config) override
+ {
+ *config = m_defaultConfig;
+ }
+
+private:
+ net::SSLConfig m_defaultConfig;
+};
+
void ProfileIODataQt::generateStorage()
{
Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
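Review bot: `m_defaultConfig.symantec_enforcement_disabled = true` turns off enforcement of the legacy Symantec PKI distrust for every profile, which is a trust decision and deserves a comment that states the security trade-off instead of the present aside; making it opt-in would be safer than hard-coding it. The revocation comment should also say that `rev_checking_enabled` is set for all profiles while the OCSP request context and cert net fetcher are installed only for the profile selected through `setUseForGlobalCertificateVerification()`, and what happens to revocation checks when no profile is selected (presumably they cannot fetch; worth confirming). Since the class is used only in this file, an anonymous namespace and `final` would fit. `generateStorage()` continues outside the hunk.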
@@ -297,7 +337,7 @@ void ProfileIODataQt::generateStorage()
nullptr /* NetLog */,
m_networkDelegate.get()));
- m_storage->set_ssl_config_service(std::make_unique<net::SSLConfigServiceDefaults>());
+ m_storage->set_ssl_config_service(std::make_unique<SSLConfigServiceQt>());
m_storage->set_transport_security_state(std::unique_ptr<net::TransportSecurityState>(
new net::TransportSecurityState()));
@@ -543,6 +583,21 @@ void ProfileIODataQt::regenerateJobFactory()
}
}
+void ProfileIODataQt::setGlobalCertificateVerification()
+{
+ Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+ QMutexLocker lock(&m_mutex);
+ if (m_useForGlobalCertificateVerification) {
+#if defined(USE_NSS_CERTS)
+ // Set request context used by NSS for OCSP requests.
+ net::SetURLRequestContextForNSSHttpIO(m_urlRequestContext.get());
+#endif
+#if defined(OS_LINUX) || defined(OS_MACOSX)
+ net::SetGlobalCertNetFetcher(net::CreateCertNetFetcher(m_urlRequestContext.get()));
+#endif
+ }
+}
+
void ProfileIODataQt::setRequestContextData(content::ProtocolHandlerMap *protocolHandlers,
content::URLRequestInterceptorScopedVector request_interceptors)
{
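Review bot: `setGlobalCertificateVerification()` hands `m_urlRequestContext.get()` to NSS and to `CreateCertNetFetcher()` without checking that the context exists, and the task posted from `updateUsedForGlobalCertificateVerification()` may run before `initializeOnIOThread()` has completed. Whether the context can be null at that point is not visible in this hunk, but `initializeOnIOThread()` calls this function itself after setting `m_initialized`, so an early return loses nothing: `if (!m_initialized || !m_useForGlobalCertificateVerification) return;`. It is also worth confirming that `SetGlobalCertNetFetcher()` accepts being called while a fetcher installed for a previously selected profile is still in place, since nothing here shuts the old one down first.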
@@ -565,6 +620,7 @@ void ProfileIODataQt::setFullConfiguration()
m_httpCachePath = m_profileAdapter->httpCachePath();
m_httpCacheMaxSize = m_profileAdapter->httpCacheMaxSize();
m_customUrlSchemes = m_profileAdapter->customUrlSchemes();
+ m_useForGlobalCertificateVerification = m_profileAdapter->isUsedForGlobalCertificateVerification();
}
void ProfileIODataQt::updateStorageSettings()
@@ -692,4 +748,15 @@ bool ProfileIODataQt::canGetCookies(const QUrl &firstPartyUrl, const QUrl &url)
return m_cookieDelegate->canGetCookies(firstPartyUrl, url);
}
+void ProfileIODataQt::updateUsedForGlobalCertificateVerification()
+{
+ Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
+ QMutexLocker lock(&m_mutex);
+ m_useForGlobalCertificateVerification = m_profileAdapter->isUsedForGlobalCertificateVerification();
+
+ if (m_useForGlobalCertificateVerification)
+ content::BrowserThread::PostTask(content::BrowserThread::IO, FROM_HERE,
+ base::Bind(&ProfileIODataQt::setGlobalCertificateVerification, m_weakPtr));
+}
+
} // namespace QtWebEngineCore
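Review bot: Turning the option off never reaches the IO thread, because `updateUsedForGlobalCertificateVerification()` posts the task only when the refreshed flag is true; after a disable the NSS OCSP request context and the global cert net fetcher stay bound to this profile's `m_urlRequestContext`. The destructor's teardown is gated on the same flag, which is then false, so nothing unbinds them when the profile is destroyed and the globals appear to be left referring to a destroyed request context. Posting a task in the disabled case that performs the destructor's teardown (`net::SetURLRequestContextForNSSHttpIO(nullptr)` and `net::ShutdownGlobalCertNetFetcher()` under the same `#if` guards) would close this, provided it is skipped when another profile has taken the role over in the meantime.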
diff --git a/src/core/profile_io_data_qt.h b/src/core/profile_io_data_qt.h
index 7c4dae14b..3eb456e6e 100644
--- a/src/core/profile_io_data_qt.h
+++ b/src/core/profile_io_data_qt.h
@@ -91,6 +91,7 @@ public:
QWebEngineUrlRequestInterceptor *requestInterceptor();
bool canSetCookie(const QUrl &firstPartyUrl, const QByteArray &cookieLine, const QUrl &url) const;
bool canGetCookies(const QUrl &firstPartyUrl, const QUrl &url) const;
+ void setGlobalCertificateVerification();
void setRequestContextData(content::ProtocolHandlerMap *protocolHandlers,
content::URLRequestInterceptorScopedVector request_interceptors);
@@ -101,6 +102,7 @@ public:
void updateHttpCache(); // runs on ui thread
void updateJobFactory(); // runs on ui thread
void updateRequestInterceptor(); // runs on ui thread
+ void updateUsedForGlobalCertificateVerification(); // runs on ui thread
private:
ProfileQt *m_profile;
@@ -140,6 +142,7 @@ private:
bool m_updateJobFactory = false;
bool m_updateUserAgent = false;
bool m_ignoreCertificateErrors = false;
+ bool m_useForGlobalCertificateVerification = false;
base::WeakPtrFactory<ProfileIODataQt> m_weakPtrFactory; // this should be always the last member
DISALLOW_COPY_AND_ASSIGN(ProfileIODataQt);
};