From df143521a3173cf5881fe2ce282deaa225f2fb1b Mon Sep 17 00:00:00 2001
From: Ray Su
Date: Mon, 17 Jun 2024 14:18:00 +0800
Subject: [PATCH] fix(Mongo::Socket::SSL#verify_ocsp_endpoint!): use leaf cert instead of last one
---
 lib/mongo/socket/ssl.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/mongo/socket/ssl.rb b/lib/mongo/socket/ssl.rb
index 10bb7b4d6c..e1e36a3c41 100644
--- a/lib/mongo/socket/ssl.rb
+++ b/lib/mongo/socket/ssl.rb
@@ -368,7 +368,9 @@ def verify_ocsp_endpoint!(socket)
 end
 cert = socket.peer_cert
- ca_cert = socket.peer_cert_chain.last
+ # In the case where the leaf certificate and CA are the same, the chain may only contain one certificate.
+ # If the chain has multiple certificates, the one directly after the leaf should be the issuer.
+ ca_cert = socket.peer_cert_chain.length > 1 ? socket.peer_cert_chain[1] : cert
 verifier = OcspVerifier.new(@host_name, cert, ca_cert, context.cert_store, **Utils.shallow_symbolize_keys(options))
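Review bot: `socket.peer_cert_chain[1]` on the new `ca_cert` line assumes the peer sent its chain in strict order, with the issuer directly after the leaf. The chain is whatever the server presented, and RFC 8446 asks implementations to tolerate arbitrary ordering and extraneous certificates after the end-entity certificate, so a certificate that did not issue `cert` can still be handed to `OcspVerifier`. Selecting the issuer by name is sturdier and avoids calling `peer_cert_chain` twice: `chain = socket.peer_cert_chain` followed by `ca_cert = chain.find { |c| c.subject == cert.issuer } || cert`. The single-certificate fallback to `cert` is only correct for a self-signed leaf; when the server sends just the leaf and its issuer lives in the trust store, the OCSP check is presumably built against the wrong issuer, which deserves at least a comment such as `# NOTE: a lone leaf whose issuer is only in cert_store is treated as its own issuer here`. The rest of `verify_ocsp_endpoint!` lies outside the hunk, so how `OcspVerifier` reacts to a mismatched issuer cannot be confirmed from here.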