Index: rtc_base/opensslstreamadapter.cc |
diff --git a/rtc_base/opensslstreamadapter.cc b/rtc_base/opensslstreamadapter.cc |
index 6fad7f9d488a69ea40fab6926ac19a5cc79f423e..1a6aa8a0526d7522de9144f776ec5443572d0c38 100644 |
--- a/rtc_base/opensslstreamadapter.cc |
+++ b/rtc_base/opensslstreamadapter.cc |
@@ -38,6 +38,7 @@ |
namespace { |
bool g_use_time_callback_for_testing = false; |
+ const int kMaxSupportedCertChainDepth = 3; |
} |
namespace rtc { |
@@ -1112,18 +1113,16 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |
// For now we ignore the parent certificates and verify the leaf against |
// the digest. |
// |
- // TODO(jiayl): Verify the chain is a proper chain and report the chain to |
- // |stream->peer_certificate_|. |
- if (depth > 0) { |
- LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; |
- return 1; |
- } |
OpenSSLStreamAdapter* stream = |
reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); |
- // Record the peer's certificate. |
- stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
+ STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store); |
+ if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth) { |
+ LOG(LS_INFO) << "Ignore chained certificate at depth " << depth; |
+ return 1; |
+ } |
+ stream->peer_certificate_.reset(new OpenSSLCertificate(chain)); |
// If the peer certificate digest isn't known yet, we'll wait to verify |
// until it's known, and for now just return a success status. |
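Review bot: The new guard `if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth)` fails open: for a peer chain of three or more certificates it returns 1 (accept) without recording `peer_certificate_`, so the digest comparison that follows this hunk is never reached, whereas the removed `depth > 0` return only skipped the parents and still verified the leaf at depth 0. As far as I can tell OpenSSL calls this callback once per chain element with the same already-built chain each time, so the count is identical on every call and a long chain is never checked at any depth; unless something outside this hunk rejects a null `peer_certificate_`, this should fail closed, e.g. `LOG(LS_WARNING) << "Rejecting certificate chain of " << sk_X509_num(chain) << " certificates"; return 0;`, or fall through and still digest-check the leaf. Note also that `kMaxSupportedCertChainDepth` is compared against a certificate count, not a depth, so a leaf with two intermediates (depth 2) already trips it, and the log text `"Ignore chained certificate at depth " << depth` describes the wrong quantity. SSLVerifyCallback begins before and ends after this hunk.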