openssl_adapter: document SSL_CTX_set_verify_depth behaviour

document the reason for the depth setting in the code. BUG=None Change-Id: Ia761833ff1cc6fb6cc2768d408e26fe87ded57ac Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/222605 Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org> Reviewed-by: Harald Alvestrand <hta@webrtc.org> Commit-Queue: Harald Alvestrand <hta@webrtc.org> Cr-Commit-Position: refs/heads/master@{#34336}
2025-05-13 13:50:40 +01:00 · 2021-06-16 10:26:56 +02:00 · 2021-06-16 10:26:56 +02:00 · ae278d47da
commit ae278d47da
parent fbe995874f
1 changed files with 3 additions and 0 deletions
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@ -981,6 +981,9 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
  SSL_CTX_set_custom_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
 #else
  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+  // Verify certificate chains up to a depth of 4. This is not
+  // needed for DTLS-SRTP which uses self-signed certificates
+  // (so the depth is 0) but is required to support TURN/TLS.
  SSL_CTX_set_verify_depth(ctx, 4);
 #endif
  // Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers