Treat failure to parse certificates as SSL protocol errors.

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index a2fd5b14d2d18b697a57f099a889bfbd449e993e..20c6233f3685f594c09c58d8924db47388a783ff 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -1180,6 +1180,12 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
 
+  // OpenSSL decoded the certificate, but the platform certificate
+  // implementation could not. This is treated as a fatal SSL-level protocol
+  // error rather than a certificate error. See https://crbug.com/91341.
+  if (!server_cert_.get())
+    return ERR_SSL_SERVER_CERT_BAD_FORMAT;
+
   // If the certificate is bad and has been previously accepted, use
   // the previous status and bypass the error.
   base::StringPiece der_cert;
@@ -1196,15 +1202,6 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
     return OK;
   }
 
-  // When running in a sandbox, it may not be possible to create an
-  // X509Certificate*, as that may depend on OS functionality blocked
-  // in the sandbox.
-  if (!server_cert_.get()) {
-    server_cert_verify_result_.Reset();
-    server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
-    return ERR_CERT_INVALID;
-  }
-
   std::string ocsp_response;
   if (cert_verifier_->SupportsOCSPStapling()) {
     const uint8_t* ocsp_response_raw;