Index: net/spdy/spdy_session.cc |
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc |
index d316ea2cc457686d57c240b99bb31c2fcfb8ab60..8aaf5954279e98838d3c66116237e6fc4f3b0677 100644 |
--- a/net/spdy/spdy_session.cc |
+++ b/net/spdy/spdy_session.cc |
@@ -654,6 +654,10 @@ bool SpdySession::CanPool(TransportSecurityState* transport_security_state, |
if (!ssl_info.cert->VerifyNameMatch(new_hostname, &unused)) |
return false; |
+ // Pinning is bypassed for local roots. |
+ if (!ssl_info.is_issued_by_known_root) |
+ return true; |
Ryan Sleevi
2016/06/09 19:17:32
FWIW, and for better or worse, it was intentional
davidben
2016/06/09 19:19:15
I believe this aligns with the old behavior, but I
dadrian
2016/06/09 21:58:57
Done.
|
+ |
std::string pinning_failure_log; |
// DISABLE_PIN_REPORTS is set here because this check can fail in |
// normal operation without being indicative of a misconfiguration or |