Starred by 9 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Chained certificates are not correctly handled for OPENSSL

Project Member Reported by jiayl@webrtc.org, May 21 2014

Issue description

When chained certificates are received, opensslstreamadapter.cc tries to verify the digest of the non-leaf certificate against the SDP fingerprint and fails the connection.

It should verify the leaf certificate digest; and it should validate the chain, to match the NSS impl.
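
The fingerprint comparison described above, as an added Python example that is not part of the original report or of the WebRTC code base. The function names, the leaf-first chain order and the constructed byte strings standing in for DER certificates are assumptions; chain validation, which the report also asks for, is not covered.

```python
import hashlib
import hmac

# SDP fingerprint hash names mapped to hashlib names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def fingerprint(der: bytes, algo: str = "sha-256") -> str:
    """Format a certificate's DER bytes as an SDP fingerprint value."""
    hexd = hashlib.new(HASHES[algo], der).hexdigest().upper()
    return algo + " " + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def parse_fingerprint(sdp: str):
    """Return (hashlib name, digest bytes) from the first a=fingerprint line."""
    for line in sdp.splitlines():
        if line.strip().startswith("a=fingerprint:"):
            algo, _, value = line.strip()[len("a=fingerprint:"):].partition(" ")
            if algo.lower() not in HASHES:
                raise ValueError("unsupported fingerprint hash: " + algo)
            return HASHES[algo.lower()], bytes.fromhex(value.strip().replace(":", ""))
    raise ValueError("no a=fingerprint attribute in SDP")

def digest_matches(der: bytes, sdp: str) -> bool:
    """Constant-time comparison of one certificate's digest with the SDP value."""
    name, expected = parse_fingerprint(sdp)
    return hmac.compare_digest(hashlib.new(name, der).digest(), expected)

def per_certificate_check(chain, sdp) -> bool:
    """Simplified model of the reported failure: every certificate in the
    chain is compared against the fingerprint, so a non-leaf fails the check."""
    return all(digest_matches(der, sdp) for der in chain)

def leaf_check(chain, sdp) -> bool:
    """Compare only the leaf (first entry, TLS order) against the fingerprint."""
    return bool(chain) and digest_matches(chain[0], sdp)

# Constructed stand-ins for DER certificates; the fingerprint is a hash of the
# encoded bytes, so opaque byte strings are enough to show the comparison.
LEAF = b"constructed-leaf-certificate-der"
INTERMEDIATE = b"constructed-intermediate-certificate-der"
SDP = "v=0\r\na=setup:actpass\r\na=fingerprint:" + fingerprint(LEAF) + "\r\n"

if __name__ == "__main__":
    chain = [LEAF, INTERMEDIATE]
    print("per-certificate check:", per_certificate_check(chain, SDP))
    print("leaf-only check:      ", leaf_check(chain, SDP))
```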
 
Project Member

Comment 1 by bugdroid1@chromium.org, May 30 2014

The following revision refers to this bug:
  http://code.google.com/p/webrtc/source/detail?r=6294

------------------------------------------------------------------
r6294 | jiayl@webrtc.org | 2014-05-30T23:14:08.542290Z

Changed paths:
   M http://code.google.com/p/webrtc/source/diff?path=/trunk/talk/base/opensslstreamadapter.cc&spec=svn6294&r_previous=6293&r=6294&format=side

Make OpenSSLStreamAdapter verify the leaf certificate digest for chained certificates.

It used to compare a parent certificate's digest against the SDP fingerprint and caused connection failure.

BUG=3383
R=bemasc@webrtc.org, juberti@webrtc.org, rsleevi@chromium.org

Review URL: https://webrtc-codereview.appspot.com/17589005
-----------------------------------------------------------------
Project Member

Comment 2 by jiayl@webrtc.org, Jun 11 2014

Justin,

do we need a milestone for this? The remaining work is to make OPENSSL report each certificate in the chain to upper layers to report to JS, like what NSS does.

Comment 3 by juberti@google.com, Jun 13 2014

How much work do you think is involved here? Right now I see this is pretty low priority unless the work is small.
Project Member

Comment 4 by jiayl@webrtc.org, Jun 13 2014

Probably a few days' work.
Project Member

Comment 5 by jiayl@webrtc.org, Jul 8 2014

Labels: Area-PeerConnection

Comment 6 by vrk@webrtc.org, Oct 16 2014

Labels: Mstone-41 EngTriaged
Maybe try to get in 41 if it's only a few days' work, otherwise feel free to move to IceBox.

Comment 7 by juberti@google.com, Oct 16 2014

With no stars, I would probably icebox this issue for now.
Project Member

Comment 8 by pthatcher@webrtc.org, Jan 7 2015

Labels: -Mstone-41 Mstone-42
Project Member

Comment 9 by pthatcher@webrtc.org, Feb 19 2015

Labels: -Mstone-42 Mstone-44
This looks like it's not hitting m42.  Update it if I'm wrong.
Project Member

Comment 10 by juberti@webrtc.org, Feb 1 2016

Labels: -Mstone-44
Owner: pthatcher@webrtc.org
Project Member

Comment 11 by pthatcher@webrtc.org, Nov 8 2016

Labels: Pri-3
