Index: net/cert/cert_verify_proc_mac.cc |
diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc |
index 987eed236e46f14d2f9066ebd9a0ecc87c6d2a57..c9ca384b96973260dc26e126225d0bebe40ec51c 100644 |
--- a/net/cert/cert_verify_proc_mac.cc |
+++ b/net/cert/cert_verify_proc_mac.cc |
@@ -988,10 +988,6 @@ int VerifyWithGivenFlags(X509Certificate* cert, |
break; |
} |
- // Perform hostname verification independent of SecTrustEvaluate. In order to |
- // do so, mask off any reported name errors first. |
- verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; |
- |
// TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be |
// compatible with Windows, which in turn implements this behavior to be |
// compatible with WinHTTP, which doesn't report this error (bug 3004). |
@@ -1001,6 +997,10 @@ int VerifyWithGivenFlags(X509Certificate* cert, |
verify_result->is_issued_by_known_root = |
g_known_roots.Get().IsIssuedByKnownRoot(completed_chain); |
+ // Hostname validation is handled by CertVerifyProc, so mask off any errors |
+ // that SecTrustEvaluate may have set, as its results are not used. |
+ verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; |
mattm
2017/03/01 23:56:47
Is moving this down significant? (Not a big deal I
Ryan Sleevi
2017/03/02 00:18:55
Eh, it was an artifact of the previous build in wh
|
+ |
if (IsCertStatusError(verify_result->cert_status)) |
return MapCertStatusToNetError(verify_result->cert_status); |