Do not do Expect-Staple when OCSPVerifyResult has not been populated

net/socket/ssl_client_socket_impl.cc

Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 7832819d2aa7e6da3c2d54c66a4118e8d87bb7ed..2b92f31741bed96f6399e6dd9935d47f758b5472 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1319,13 +1319,14 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) {
     DCHECK(!certificate_verified_);
     certificate_verified_ = true;
     MaybeCacheSession();
-    SSLInfo ssl_info;
-    bool ok = GetSSLInfo(&ssl_info);
-    DCHECK(ok);
-    transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info,
-                                                 ocsp_response_);
   }
 
+  SSLInfo ssl_info;

[Ryan Sleevi, 2016/12/21 01:35:29]

Might by worth including a comment here in the code explaining the intentional
subtlety here (about sending reports on bad certificates)

[estark, 2016/12/21 17:53:12]

Ack, no longer applicable (reverted this change)

+  bool ok = GetSSLInfo(&ssl_info);
+  DCHECK(ok);
+  transport_security_state_->CheckExpectStaple(host_and_port_, ssl_info,
+                                               ocsp_response_);
+
   completed_connect_ = true;
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
   DCHECK_EQ(STATE_NONE, next_handshake_state_);