Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 83a4d62a746cf6ceefd327917f1af3ae106546fb..5479039618671e7c88c5225bd414661115f1325f 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -3502,6 +3502,13 @@ void SSLClientSocketNSS::VerifyCT() { |
<< " Verified scts: " << ct_verify_result_.verified_scts.size() |
<< " scts from unknown logs: " |
<< ct_verify_result_.unknown_logs_scts.size(); |
+ |
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && |
+ (!cert_transparency_verifier_->DoesConformToCTEVPolicy( |
+ server_cert_verify_result_.verified_cert, ct_verify_result_))) { |
+ VLOG(1) << "EV certificate without enough SCTs, removing EV status."; |
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
+ } |
Ryan Sleevi
2014/08/05 22:19:10
Another sign of layering concern is that this logi
Eran Messeri
2014/10/20 17:26:30
I've created a new class, CertPolicyEnforcer, whic
|
} |
void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
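Review bot: The EV downgrade at `server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;` is reported only through `VLOG(1)`, so a default build leaves no record of why a certificate lost its EV treatment. Consider recording the decision somewhere it can be inspected afterwards (for example the socket's net log), and add a comment above the `if` such as `// CT EV policy: too few valid SCTs clears only the EV bit; the connection itself is still accepted.` The new block also dereferences `cert_transparency_verifier_` unconditionally in the `DoesConformToCTEVPolicy` call. VerifyCT() begins outside this hunk, so please confirm it returns early when no verifier is configured.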