From ae278d47da3a5ebaf8833df4e11d3b35fdcabe86 Mon Sep 17 00:00:00 2001
From: Philipp Hancke
Date: Wed, 16 Jun 2021 10:26:56 +0200
Subject: [PATCH] openssl_adapter: document SSL_CTX_set_verify_depth behaviour

document the reason for the depth setting in the code.

BUG=None
Change-Id: Ia761833ff1cc6fb6cc2768d408e26fe87ded57ac
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/222605
Reviewed-by: Taylor Brandstetter
Reviewed-by: Harald Alvestrand
Commit-Queue: Harald Alvestrand
Cr-Commit-Position: refs/heads/master@{#34336}
---
 rtc_base/openssl_adapter.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rtc_base/openssl_adapter.cc b/rtc_base/openssl_adapter.cc
index e5c2c42761..563fe0f9d9 100644
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@@ -981,6 +981,9 @@ SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
 SSL_CTX_set_custom_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
 #else
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ // Verify certificate chains up to a depth of 4. This is not
+ // needed for DTLS-SRTP which uses self-signed certificates
+ // (so the depth is 0) but is required to support TURN/TLS.
 SSL_CTX_set_verify_depth(ctx, 4);
 #endif
 // Use defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
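Review bot: The new comment repeats the literal 4 that the next line hard-codes, so the two can silently drift apart; a named constant keeps them in step, e.g. `constexpr int kTurnTlsVerifyDepth = 4;` at file scope and `SSL_CTX_set_verify_depth(ctx, kTurnTlsVerifyDepth);` here. The comment should also say what the limit does when exceeded, since that is the security-relevant behaviour: `// A longer chain fails verification; SSLVerifyCallback is then invoked with ok == 0 and X509_V_ERR_CERT_CHAIN_TOO_LONG.` The depth is only set in the `#else` branch; if the `SSL_CTX_set_custom_verify` build above hands chain validation entirely to the callback, a one-line remark that no depth limit applies there would stop readers assuming that build is less strict. CreateContext begins before and continues after this hunk.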