Bug 1316261 - Configure trust anchors list to be empty for WebRTC, r?drno, a=gchang draft
authorMartin Thomson <martin.thomson@gmail.com>
Tue, 29 Nov 2016 14:00:29 +1100
changeset 445106 e6288e84ac3f79f876a06f02e644c87985ea0fc3
parent 445105 80ef38cf3deb49fdb391cd48bf7668509305a4dc
child 538432 2c8aa1ee25bc4e6dc3c5679ed5bac4721b8bc672
push id37411
push usermartin.thomson@gmail.com
push dateTue, 29 Nov 2016 03:34:58 +0000
reviewersdrno, gchang
bugs1316261
milestone51.0
Bug 1316261 - Configure trust anchors list to be empty for WebRTC, r?drno, a=gchang MozReview-Commit-ID: CEdShfGj7tE
config/external/nss/nss.symbols
media/mtransport/transportlayerdtls.cpp
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -682,16 +682,17 @@ SSL_PeerStapledOCSPResponses
 SSL_ResetHandshake
 SSL_SetCanFalseStartCallback
 SSL_SetDowngradeCheckVersion
 SSL_SetNextProtoNego
 SSL_SetPKCS11PinArg
 SSL_SetSockPeerID
 SSL_SetSRTPCiphers
 SSL_SetStapledOCSPResponses
+SSL_SetTrustAnchors
 SSL_SetURL
 SSL_ShutdownServerSessionIDCache
 SSL_SNISocketConfigHook
 SSL_VersionRangeGet
 SSL_VersionRangeGetDefault
 SSL_VersionRangeGetSupported
 SSL_VersionRangeSet
 SSL_VersionRangeSetDefault
--- a/media/mtransport/transportlayerdtls.cpp
+++ b/media/mtransport/transportlayerdtls.cpp
@@ -509,16 +509,23 @@ bool TransportLayerDtls::Setup() {
     rv = SSL_ConfigSecureServer(ssl_fd, identity_->cert(),
                                 identity_->privkey(),
                                 identity_->auth_type());
     if (rv != SECSuccess) {
       MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
       return false;
     }
 
+    UniqueCERTCertList zero_certs(CERT_NewCertList());
+    rv = SSL_SetTrustAnchors(ssl_fd.get(), zero_certs.get());
+    if (rv != SECSuccess) {
+        MOZ_MTLOG(ML_ERROR, "Couldn't set trust anchors");
+        return false;
+    }
+
     // Insist on a certificate from the client
     rv = SSL_OptionSet(ssl_fd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
     if (rv != SECSuccess) {
       MOZ_MTLOG(ML_ERROR, "Couldn't request certificate");
       return false;
     }
 
     rv = SSL_OptionSet(ssl_fd, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
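Review bot: `CERT_NewCertList()` can return null on allocation failure and the new code hands that result straight to `SSL_SetTrustAnchors`; whether a null list is rejected cleanly there depends on NSS internals rather than on this code, so guard it explicitly with `if (!zero_certs) { MOZ_MTLOG(ML_ERROR, "Couldn't allocate trust anchor list"); return false; }` before the call. Nothing in the hunk says why the list is deliberately empty; a comment such as `// Advertise an empty certificate_authorities list in CertificateRequest so the DTLS handshake does not expose our cert DB's trust anchors; WebRTC peers are authenticated by fingerprint, not by CA` would make the intent clear to the next reader, assuming that is the motivation. The new error branch is indented eight spaces where the neighbouring branches use six, and `ssl_fd.get()` differs from the bare `ssl_fd` passed to `SSL_ConfigSecureServer` and `SSL_OptionSet` just above and below; presumably both compile, but one form should be used consistently. `zero_certs` is released when it goes out of scope, which relies on `SSL_SetTrustAnchors` not retaining the list pointer; if that is confirmed, a short note saying so would prevent a future refactor from turning it into a dangling reference. `TransportLayerDtls::Setup()` starts before this hunk and continues after it.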