Starred by 6 users
Status: Assigned
Pri: 3
Type: Bug
Chained certificates are not correctly handled for OPENSSL
Project Member Reported by jiayl@webrtc.org, May 21 2014
When chained certificates are received, opensslstreamadapter.cc tries to verify the digest of the non-leaf certificate against the SDP fingerprint and fails the connection.

It should verify the leaf certificate digest; and it should validate the chain, to match the NSS impl.
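
An added example, not part of the original report and not WebRTC's code: a Python sketch of the fingerprint check described above, hashing only the leaf of a received chain and comparing it to the SDP `a=fingerprint` value. It assumes the chain arrives leaf first, uses constructed byte strings in place of real DER certificates, and covers the digest comparison only, not chain validation.

```python
import hashlib
import hmac

# SDP fingerprint hash names mapped to hashlib names.
SDP_HASHES = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
              "sha-384": "sha384", "sha-512": "sha512"}

def parse_fingerprint(sdp):
    """Return (hashlib_name, digest_bytes) from the first a=fingerprint line."""
    prefix = "a=fingerprint:"
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        algo, _, hex_part = line[len(prefix):].partition(" ")
        name = SDP_HASHES.get(algo.lower())
        if name is None:
            raise ValueError("unsupported fingerprint hash: " + algo)
        digest = bytes.fromhex(hex_part.strip().replace(":", ""))
        if len(digest) != hashlib.new(name).digest_size:
            raise ValueError("fingerprint length does not match " + algo)
        return name, digest
    raise ValueError("no a=fingerprint attribute in SDP")

def digest_matches(cert_der, sdp):
    """Constant-time comparison of one certificate's digest with the SDP value."""
    name, expected = parse_fingerprint(sdp)
    actual = hashlib.new(name, cert_der).digest()
    return hmac.compare_digest(actual, expected)

def verify_peer_chain(chain_der, sdp):
    """chain_der holds the peer's certificates, leaf first (assumed order).
    Only the leaf is checked; an empty chain fails closed."""
    if not chain_der:
        return False
    return digest_matches(chain_der[0], sdp)

# Constructed sample data: stand-ins for DER bytes, not real certificates.
LEAF_DER = b"constructed stand-in for the leaf certificate DER"
ISSUER_DER = b"constructed stand-in for the issuer certificate DER"
SAMPLE_SDP = "v=0\r\na=fingerprint:sha-256 " + ":".join(
    "%02X" % b for b in hashlib.sha256(LEAF_DER).digest()) + "\r\n"

if __name__ == "__main__":
    chain = [LEAF_DER, ISSUER_DER]
    print("leaf check:", verify_peer_chain(chain, SAMPLE_SDP))
    print("non-leaf check:", digest_matches(chain[1], SAMPLE_SDP))
```

Checking any certificate other than the leaf against the fingerprint fails even for a legitimate peer, which is the connection failure the report describes.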
 
Project Member Comment 1 by bugdroid1@chromium.org, May 30 2014
The following revision refers to this bug:
  http://code.google.com/p/webrtc/source/detail?r=6294

------------------------------------------------------------------
r6294 | jiayl@webrtc.org | 2014-05-30T23:14:08.542290Z

Changed paths:
   M http://code.google.com/p/webrtc/source/diff?path=/trunk/talk/base/opensslstreamadapter.cc&spec=svn6294&r_previous=6293&r=6294&format=side

Make OpenSSLStreamAdapter verify the leaf certificate digest for chained certificates.

It used to compare a parent certificate's digest against the SDP fingerprint and caused connection failure.

BUG=3383
R=bemasc@webrtc.org, juberti@webrtc.org, rsleevi@chromium.org

Review URL: https://webrtc-codereview.appspot.com/17589005
-----------------------------------------------------------------
Project Member Comment 2 by jiayl@webrtc.org, Jun 11 2014
Justin,

do we need a milestone for this? The remaining work is to make OPENSSL report each certificate in the chain to upper layers to report to JS, like what NSS does.
Comment 3 by juberti@google.com, Jun 13 2014
How much work do you think is involved here? Right now I see this is pretty low priority unless the work is small.
Project Member Comment 4 by jiayl@webrtc.org, Jun 13 2014
Probably a few days' work.
Project Member Comment 5 by jiayl@webrtc.org, Jul 8 2014
Labels: Area-PeerConnection
Comment 6 by vrk@webrtc.org, Oct 16 2014
Labels: Mstone-41 EngTriaged
Maybe try to get in 41 if it's only a few days' work, otherwise feel free to move to IceBox.
Comment 7 by juberti@google.com, Oct 16 2014
With no stars, I would probably icebox this issue for now.
Project Member Comment 8 by pthatcher@webrtc.org, Jan 7 2015
Labels: -Mstone-41 Mstone-42
Project Member Comment 9 by pthatcher@webrtc.org, Feb 19 2015
Labels: -Mstone-42 Mstone-44
This looks like it's not hitting m42.  Update it if I'm wrong.
Project Member Comment 10 by juberti@webrtc.org, Feb 1 2016
Labels: -Mstone-44
Owner: pthatcher@webrtc.org
Project Member Comment 11 by pthatcher@webrtc.org, Nov 8 2016
Labels: Pri-3