Use the BoringSSL callback for certificate verification.

This moves certificate verification to within the handshake, instead of
a separate step afterwards, which allows us to verify the certificate
before prompting for client certificates.

It also means that certificate errors result in incomplete handshakes,
so this also changes SSLClientSocket unit tests not to expect connected
sockets after certificate errors.

Bug: 347402
Change-Id: I0a93da1dee5be697fa7d5c74aae206d370f97d5b
Commit-Queue: Jesse Selover <>
Reviewed-by: Joe Downing <>
Reviewed-by: Ryan Sleevi <>
Reviewed-by: David Benjamin <>
Cr-Commit-Position: refs/heads/master@{#622963}
7 files changed