1diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2--- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:40:14.493586151 -0700
3+++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:42:42.035748760 -0700
4@@ -6544,6 +6544,9 @@ ssl3_HandleCertificateRequest(sslSocket
5 if (rv != SECSuccess)
6 goto loser; /* malformed, alert has been sent */
7
8+ PORT_Assert(!ss->requestedCertTypes);
9+ ss->requestedCertTypes = &cert_types;
10+
11 if (isTLS12) {
12 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
13 if (rv != SECSuccess)
14@@ -6743,6 +6746,7 @@ loser:
15 PORT_SetError(errCode);
16 rv = SECFailure;
17 done:
18+ ss->requestedCertTypes = NULL;
19 if (arena != NULL)
20 PORT_FreeArena(arena, PR_FALSE);
21 #ifdef NSS_PLATFORM_CLIENT_AUTH
22diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
23--- a/nss/lib/ssl/ssl.h 2013-07-31 12:40:53.784162112 -0700
24+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:41:57.515096255 -0700
25@@ -732,6 +732,16 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWith
26 PRBool flushCache,
27 PRIntervalTime timeout);
28
29+/* Returns a SECItem containing the certificate_types field of the
30+** CertificateRequest message. Each byte of the data is a TLS
31+** ClientCertificateType value, and they are ordered from most preferred to
32+** least. This function should only be called from the
33+** SSL_GetClientAuthDataHook callback, and will return NULL if called at any
34+** other time. The returned value is valid only until the callback returns, and
35+** should not be freed.
36+*/
37+SSL_IMPORT const SECItem *
38+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd);
39
40 #ifdef SSL_DEPRECATED_FUNCTION
41 /* deprecated!
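Review bot: In the first ssl3con.c hunk, `ss->requestedCertTypes = &cert_types;` stores in the socket what appears to be the address of a local of ssl3_HandleCertificateRequest (its declaration is outside the hunk), and the only check against a stale value is `PORT_Assert`, which does nothing in optimized builds. The pointer is therefore safe only if every exit after this line reaches the reset at `done:` in the second hunk; a direct `return` anywhere in between would leave a dangling stack address readable through SSL_GetRequestedClientCertificateTypes. I would add `/* Address of a local: every exit below must go through done: so this is cleared. */` above the assignment and confirm that the rest of the body, which lies outside both hunks, has no early return.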
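Review bot: The comment on SSL_GetRequestedClientCertificateTypes in ssl.h limits the lifetime of "the returned value" but does not say that the `data` bytes share that limit, nor that the call is only meaningful on the thread running the callback. A caller that finishes certificate selection after the hook returns has to copy the bytes first. I would add `** Copy the SECItem data inside the callback if it is needed afterwards; do not call this from any other thread.` before the closing `*/`.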
42diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
43--- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:40:14.503586299 -0700
44+++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:41:57.515096255 -0700
45@@ -1168,6 +1168,10 @@ struct sslSocketStr {
46 unsigned int sizeCipherSpecs;
47 const unsigned char * preferredCipher;
48
49+ /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
50+ /* Will be NULL at all other times. */
51+ const SECItem *requestedCertTypes;
52+
53 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
54
55 /* Callbacks */
56diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
57--- a/nss/lib/ssl/sslsock.c 2013-07-31 12:40:53.784162112 -0700
58+++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:41:57.515096255 -0700
59@@ -1933,6 +1933,20 @@ SSL_HandshakeResumedSession(PRFileDesc *
60 return SECSuccess;
61 }
62
63+const SECItem *
64+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
65+{
66+ sslSocket *ss = ssl_FindSocket(fd);
67+
68+ if (!ss) {
69+ SSL_DBG(("%d: SSL[%d]: bad socket in "
70+ "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd));
71+ return NULL;
72+ }
73+
74+ return ss->requestedCertTypes;
75+}
76+
77 /************************************************************************/
78 /* The following functions are the TOP LEVEL SSL functions.
79 ** They all get called through the NSPRIOMethods table below.
80@@ -2995,6 +3009,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
81 sc->serverKeyBits = 0;
82 ss->certStatusArray[i] = NULL;
83 }
84+ ss->requestedCertTypes = NULL;
85 ss->stepDownKeyPair = NULL;
86 ss->dbHandle = CERT_GetDefaultCertDB();
87
88
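Review bot: In the first sslsock.c hunk, SSL_GetRequestedClientCertificateTypes returns `ss->requestedCertTypes` with no check that the caller is actually inside the client-auth callback, so the restriction stated in ssl.h is advisory only. A call from another thread while a CertificateRequest is being handled can receive a pointer that becomes invalid as soon as the handler clears the field and returns. Holding a lock around the read alone would not fix this, since the pointer escapes to the caller. The constraint should at least be stated at the definition, e.g. `/* Caller must be on the handshake thread, inside the client auth hook; the result aliases handshake-owned storage. */`.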