Index: net/socket/ssl_client_socket_openssl.cc |
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc |
index a2fd5b14d2d18b697a57f099a889bfbd449e993e..20c6233f3685f594c09c58d8924db47388a783ff 100644 |
--- a/net/socket/ssl_client_socket_openssl.cc |
+++ b/net/socket/ssl_client_socket_openssl.cc |
@@ -1180,6 +1180,12 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) { |
GotoState(STATE_VERIFY_CERT_COMPLETE); |
+ // OpenSSL decoded the certificate, but the platform certificate |
+ // implementation could not. This is treated as a fatal SSL-level protocol |
+ // error rather than a certificate error. See https://crbug.com/91341. |
+ if (!server_cert_.get()) |
+ return ERR_SSL_SERVER_CERT_BAD_FORMAT; |
+ |
// If the certificate is bad and has been previously accepted, use |
// the previous status and bypass the error. |
base::StringPiece der_cert; |
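Review bot: The early return added for the null `server_cert_` case drops the `server_cert_verify_result_.Reset()` (and the CERT_STATUS_INVALID assignment) that the block it replaces performed, so whatever that member held before this step is left in place when DoVerifyCert now fails with ERR_SSL_SERVER_CERT_BAD_FORMAT. Because the preceding `GotoState(STATE_VERIFY_CERT_COMPLETE)` still routes the error through the completion handler, and that handler and GetSSLInfo are outside this hunk, I cannot tell from here whether a stale result from an earlier verification could be reported after the failure. Unless the completion path is known to reset it on error, I would keep `server_cert_verify_result_.Reset();` immediately ahead of `return ERR_SSL_SERVER_CERT_BAD_FORMAT;`, turning the one-line `if` into a braced block. The new comment could also say why the platform decode can fail, which the removed comment did (sandbox restrictions) and the new one only implies via the bug link, e.g. `// (e.g. the platform parser is stricter than OpenSSL, or OS functionality is unavailable in the sandbox)`. DoVerifyCert begins before this hunk and continues after it.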
@@ -1196,15 +1202,6 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) { |
return OK; |
} |
- // When running in a sandbox, it may not be possible to create an |
- // X509Certificate*, as that may depend on OS functionality blocked |
- // in the sandbox. |
- if (!server_cert_.get()) { |
- server_cert_verify_result_.Reset(); |
- server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; |
- return ERR_CERT_INVALID; |
- } |
- |
std::string ocsp_response; |
if (cert_verifier_->SupportsOCSPStapling()) { |
const uint8_t* ocsp_response_raw; |