1diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:46.705854118 -0800
3+++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:54:27.087523439 -0800
4@@ -6985,6 +6985,9 @@ ssl3_HandleCertificateRequest(sslSocket
5 if (rv != SECSuccess)
6 goto loser; /* malformed, alert has been sent */
7
8+ PORT_Assert(!ss->requestedCertTypes);
9+ ss->requestedCertTypes = &cert_types;
10+
11 if (isTLS12) {
12 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
13 if (rv != SECSuccess)
14@@ -7186,6 +7189,7 @@ loser:
15 PORT_SetError(errCode);
16 rv = SECFailure;
17 done:
18+ ss->requestedCertTypes = NULL;
19 if (arena != NULL)
20 PORT_FreeArena(arena, PR_FALSE);
21 #ifdef NSS_PLATFORM_CLIENT_AUTH
22diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
23--- a/nss/lib/ssl/ssl.h 2014-01-17 17:53:39.726735852 -0800
24+++ b/nss/lib/ssl/ssl.h 2014-01-17 17:54:27.087523439 -0800
25@@ -793,6 +793,16 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWith
26 PRBool flushCache,
27 PRIntervalTime timeout);
28
29+/* Returns a SECItem containing the certificate_types field of the
30+** CertificateRequest message. Each byte of the data is a TLS
31+** ClientCertificateType value, and they are ordered from most preferred to
32+** least. This function should only be called from the
33+** SSL_GetClientAuthDataHook callback, and will return NULL if called at any
34+** other time. The returned value is valid only until the callback returns, and
35+** should not be freed.
36+*/
37+SSL_IMPORT const SECItem *
38+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd);
39
40 #ifdef SSL_DEPRECATED_FUNCTION
41 /* deprecated!
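Review bot: `ss->requestedCertTypes = &cert_types;` stores the address of what appears to be a stack-local SECItem of ssl3_HandleCertificateRequest in the long-lived socket object, so the only thing keeping it from dangling is the `ss->requestedCertTypes = NULL;` added at `done:` in the second hunk of this file. The body between the two hunks is outside the diff, so it cannot be confirmed here that every exit between this assignment and `done:` passes through that label; any that does not would leave a pointer to a dead frame that SSL_GetRequestedClientCertificateTypes would hand out during the next handshake's callback. `PORT_Assert(!ss->requestedCertTypes)` is a debug-only check, so in release builds a stale value is silently overwritten rather than reported. A comment at the assignment would make the invariant visible to the next maintainer: `/* Borrows a local; must be reset to NULL at done: on every exit path. */`.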
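Review bot: The header comment for SSL_GetRequestedClientCertificateTypes says NULL is returned only when the function is called outside the callback, but the implementation in sslsock.c also returns NULL when fd is not an SSL socket, and a caller cannot tell the two cases apart. Adding `** It also returns NULL if fd is not an SSL socket.` to the comment block would stop callers from reading NULL as "the server sent no certificate_types". It may also be worth saying that the returned item is borrowed from the handshake's in-progress state and is not reference-counted, which is the reason behind the "valid only until the callback returns" rule.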
42diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
43--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:46.715854283 -0800
44+++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:54:27.087523439 -0800
45@@ -1229,6 +1229,10 @@ struct sslSocketStr {
46 unsigned int sizeCipherSpecs;
47 const unsigned char * preferredCipher;
48
49+ /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
50+ /* Will be NULL at all other times. */
51+ const SECItem *requestedCertTypes;
52+
53 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
54
55 /* Callbacks */
56diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
57--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:53:39.726735852 -0800
58+++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:54:27.097523605 -0800
59@@ -1869,6 +1869,20 @@ SSL_HandshakeResumedSession(PRFileDesc *
60 return SECSuccess;
61 }
62
63+const SECItem *
64+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
65+{
66+ sslSocket *ss = ssl_FindSocket(fd);
67+
68+ if (!ss) {
69+ SSL_DBG(("%d: SSL[%d]: bad socket in "
70+ "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd));
71+ return NULL;
72+ }
73+
74+ return ss->requestedCertTypes;
75+}
76+
77 /************************************************************************/
78 /* The following functions are the TOP LEVEL SSL functions.
79 ** They all get called through the NSPRIOMethods table below.
80@@ -2936,6 +2950,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
81 sc->serverKeyBits = 0;
82 ss->certStatusArray[i] = NULL;
83 }
84+ ss->requestedCertTypes = NULL;
85 ss->stepDownKeyPair = NULL;
86 ss->dbHandle = CERT_GetDefaultCertDB();
87
88
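Review bot: The field comment on requestedCertTypes should state who owns the memory: from the ssl3con.c hunk it appears to point at a local of ssl3_HandleCertificateRequest, so the socket neither owns nor frees it, and it must not be copied into a duplicated socket or outlive that function. Suggest replacing the two one-line comments with a single block: `/* Borrowed pointer to the certificate_types of the CertificateRequest currently being processed by ssl3_HandleCertificateRequest; non-NULL only while that function (and the client-auth callback it invokes) is running. Not owned by the socket; never free it. */`. ssl_FreeSocket and ssl_DupSocket are outside the diff, so whether they leave this field alone cannot be confirmed here.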
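Review bot: In the SSL_DBG call of SSL_GetRequestedClientCertificateTypes, `fd` (a `PRFileDesc *`) is passed for a `%d` conversion; this mirrors the bad-socket message pattern used elsewhere in NSS, but it is formally a format/argument mismatch and trips `-Wformat` on builds where SSL_DBG expands to a real printf, so `%p` would be the accurate specifier. The function also reads `ss->requestedCertTypes` without taking any socket lock, which is sound only under the documented contract that it is invoked from inside the SSL_GetClientAuthDataHook callback, presumably on the thread driving the handshake. A one-line comment above the final return would save the next reader a search: `/* No lock: only meaningful from within the client-auth callback, while ssl3_HandleCertificateRequest is on the stack. */`.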