From 4d10dce61d7a25b20612df102ae9a5822de569b0 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sun, 9 Apr 2017 14:38:18 +0900
Subject: [PATCH] nghttpx: Only send SCT for leaf certificate
---
 src/shrpx_tls.cc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index bbad97a8..677b12cd 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -554,6 +554,11 @@ int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
 << ", context=" << std::hex << context;
 }
+ // We only have SCTs for leaf certificate.
+ if (chainidx != 0) {
+ return 0;
+ }
+
 auto ssl_ctx = SSL_get_SSL_CTX(ssl);
 auto tls_ctx_data = static_cast(SSL_CTX_get_app_data(ssl_ctx));
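Review bot: The new early return at `if (chainidx != 0)` relies on two things its comment does not state: that index 0 is the end-entity certificate, and that returning 0 from this add callback means "send no extension for this certificate" rather than signalling an error. I would spell that out, e.g. `// The SCT list belongs to the end-entity cert (chainidx 0); returning 0 omits the extension for the rest of the chain.` The guard sits below what appears to be the logging statement, so the callback presumably still logs once per chain certificate even when nothing is sent; moving the check above it, or logging chainidx, would make the logs easier to read. As far as the hunk shows, chainidx is consulted for every `context` value, so it is worth confirming it is always 0 when the callback is invoked outside the TLS 1.3 Certificate message. sct_add_cb starts and ends outside the hunk.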