Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 0d3c53d891e98c06de0fcaa0aeac4d286e2b89ab..92af627b7f871e3edc19ae201c9da6919fc0a5ee 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -3427,53 +3427,20 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { |
if (result == OK) |
LogConnectionTypeMetrics(); |
-#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) |
- // Take care of any mandates for public key pinning. |
- // |
- // Pinning is only enabled for official builds to make sure that others don't |
- // end up with pins that cannot be easily updated. |
- // |
- // TODO(agl): We might have an issue here where a request for foo.example.com |
- // merges into a SPDY connection to www.example.com, and gets a different |
- // certificate. |
- |
- // Perform pin validation if, and only if, all these conditions obtain: |
- // |
- // * a TransportSecurityState object is available; |
- // * the server's certificate chain is valid (or suffers from only a minor |
- // error); |
- // * the server's certificate chain chains up to a known root (i.e. not a |
- // user-installed trust anchor); and |
- // * the build is recent (very old builds should fail open so that users |
- // have some chance to recover). |
- // |
+ bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || |
+ ssl_config_.version_fallback; |
const CertStatus cert_status = server_cert_verify_result_.cert_status; |
if (transport_security_state_ && |
(result == OK || |
(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
- server_cert_verify_result_.is_issued_by_known_root && |
- TransportSecurityState::IsBuildTimely()) { |
- bool sni_available = |
- ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || |
- ssl_config_.version_fallback; |
- const std::string& host = host_and_port_.host(); |
- |
- if (transport_security_state_->HasPublicKeyPins(host, sni_available)) { |
- if (!transport_security_state_->CheckPublicKeyPins( |
- host, |
- sni_available, |
- server_cert_verify_result_.public_key_hashes, |
- &pinning_failure_log_)) { |
- LOG(ERROR) << pinning_failure_log_; |
- result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); |
- TransportSecurityState::ReportUMAOnPinFailure(host); |
- } else { |
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); |
- } |
- } |
+ !transport_security_state_->CheckPublicKeyPins( |
+ host_and_port_.host(), |
+ sni_available, |
+ server_cert_verify_result_.is_issued_by_known_root, |
+ server_cert_verify_result_.public_key_hashes, |
+ &pinning_failure_log_)) { |
+ result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
} |
-#endif |
if (result == OK) { |
// Only check Certificate Transparency if there were no other errors with |
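Review bot: With the `OFFICIAL_BUILD` guard, the `IsBuildTimely()` test and the `HasPublicKeyPins()` pre-check gone from this `if`, any `false` from `CheckPublicKeyPins()` now becomes `ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN`. The callee therefore has to return true itself for hosts without pins, for chains ending in a user-installed trust anchor, and for stale or non-official builds. Its body is not in this hunk, so presumably the checks moved there, but that should be confirmed and covered by a test per case. The deleted comment block was the only statement of those fail-open rules at this call site, so if that is the new contract I would keep a short one above the `if`, e.g. `// CheckPublicKeyPins() passes when the host has no pins, the chain is not from a known root, or the build is too old to enforce pins.` `LOG(ERROR) << pinning_failure_log_;` was also dropped, so unless the callee logs it, `pinning_failure_log_` is filled on failure but not surfaced here. DoVerifyCertComplete starts and ends outside the hunk.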