author | Peter Hartmann <peter.hartmann@nokia.com> | 2011-02-22 09:49:39 (GMT) |
---|---|---|
committer | Peter Hartmann <peter.hartmann@nokia.com> | 2011-02-23 14:07:05 (GMT) |
commit | 60d972c8a39a691ea5a7afb79138fcd77a529605 (patch) | |
tree | 90d1b67a536d3758a2ce8a92cc7d2f13d03a7d01 | |
parent | 9741b5c067496e24fbf37395e954003d0803c72e (diff) | |
SSL backend: load root certificates on demand on Unix (excluding Mac)
Previously, on initializing the first QSslSocket, we read all root
certificates into memory (~ 150 files).
Now, we tell OpenSSL where to find the root certificates, so that they
can be loaded on demand (if supported, see 'man c_rehash' for details).
Reviewed-by: Markus Goetz
Task-number: QTBUG-14016
12 files changed, 611 insertions, 15 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 4252123..61f27fe 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -143,6 +143,15 @@ setDefaultCaCertificates(). \endlist + \note If available, root certificates on Unix (excluding Mac OS X) will be + loaded on demand from the standard certificate directories. If + you do not want to load root certificates on demand, you need to call either + the static function setDefaultCaCertificates() before the first SSL handshake + is made in your application, (e.g. via + "QSslSocket::setDefaultCaCertificates(QSslSocket::systemCaCertificates());"), + or call setCaCertificates() on your QSslSocket instance prior to the SSL + handshake. + For more information about ciphers and certificates, refer to QSslCipher and QSslCertificate. @@ -1249,6 +1258,7 @@ void QSslSocket::setCaCertificates(const QList<QSslCertificate> &certificates) { Q_D(QSslSocket); d->configuration.caCertificates = certificates; + d->allowRootCertOnDemandLoading = false; } /*! @@ -1258,6 +1268,9 @@ void QSslSocket::setCaCertificates(const QList<QSslCertificate> &certificates) handshake with addCaCertificate(), addCaCertificates(), and setCaCertificates(). + \note On Unix, this method may return an empty list if the root + certificates are loaded on demand. + \sa addCaCertificate(), addCaCertificates(), setCaCertificates() */ QList<QSslCertificate> QSslSocket::caCertificates() const 
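Review bot: `d->allowRootCertOnDemandLoading = false;` is cleared only in QSslSocket::setCaCertificates(), so a socket that receives its CA list through setSslConfiguration() (QSslConfiguration::setCaCertificates() followed by setSslConfiguration()) keeps the constructor default of true and, as far as this diff shows, still gets the system certificate directories registered when its SSL context is built; an application that restricts trust to a private CA that way would silently have the system roots added back. Unless that path is handled outside the hunks, setSslConfiguration() (not in this diff) should mirror the line, e.g. `d->allowRootCertOnDemandLoading = false;` whenever the supplied configuration carries its own caCertificates. Leaving the flag untouched in addCaCertificate()/addCaCertificates() looks intentional (additive trust), but the new \note only names setCaCertificates(), so stating that explicitly would avoid a wrong assumption.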
@@ -1311,10 +1324,9 @@ void QSslSocket::addDefaultCaCertificates(const QList<QSslCertificate> &certific /*! Sets the default CA certificate database to \a certificates. The default CA certificate database is originally set to your system's - default CA certificate database. If no system default database is - found, Qt will provide its own default database. You can override - the default CA certificate database with your own CA certificate - database using this function. + default CA certificate database. You can override the default CA + certificate database with your own CA certificate database using + this function. Each SSL socket's CA certificate database is initialized to the default CA certificate database. @@ -1336,6 +1348,9 @@ void QSslSocket::setDefaultCaCertificates(const QList<QSslCertificate> &certific Each SSL socket's CA certificate database is initialized to the default CA certificate database. + \note On Unix, this method may return an empty list if the root + certificates are loaded on demand. + \sa caCertificates() */ QList<QSslCertificate> QSslSocket::defaultCaCertificates() @@ -1803,6 +1818,7 @@ QSslSocketPrivate::QSslSocketPrivate() , connectionEncrypted(false) , ignoreAllSslErrors(false) , readyReadEmittedPointer(0) + , allowRootCertOnDemandLoading(true) , plainSocket(0) { QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); @@ -1879,6 +1895,7 @@ void QSslSocketPrivate::setDefaultSupportedCiphers(const QList<QSslCipher> &ciph */ QList<QSslCertificate> QSslSocketPrivate::defaultCaCertificates() { + // ### Qt5: rename everything containing "caCertificates" to "rootCertificates" or similar QSslSocketPrivate::ensureInitialized(); QMutexLocker locker(&globalData()->mutex); return globalData()->config->caCertificates; 
@@ -1893,6 +1910,9 @@ void QSslSocketPrivate::setDefaultCaCertificates(const QList<QSslCertificate> &c QMutexLocker locker(&globalData()->mutex); globalData()->config.detach(); globalData()->config->caCertificates = certs; + // when the certificates are set explicitly, we do not want to + // load the system certificates on demand + s_loadRootCertsOnDemand = false; } /*! @@ -2192,6 +2212,20 @@ void QSslSocketPrivate::_q_flushReadBuffer() transmit(); } +/*! + \internal +*/ +QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories() +{ + return QList<QByteArray>() << "/etc/ssl/certs/" // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ... + << "/usr/lib/ssl/certs/" // Gentoo, Mandrake + << "/usr/share/ssl/" // Centos, Redhat, SuSE + << "/usr/local/ssl/" // Normal OpenSSL Tarball + << "/var/ssl/certs/" // AIX + << "/usr/local/ssl/certs/" // Solaris + << "/opt/openssl/certs/"; // HP-UX +} + QT_END_NAMESPACE // For private slots diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 7d21bd3..8839327 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -80,6 +80,7 @@ QT_BEGIN_NAMESPACE bool QSslSocketPrivate::s_libraryLoaded = false; bool QSslSocketPrivate::s_loadedCiphersAndCerts = false; +bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; /* \internal @@ -317,6 +318,13 @@ init_context: q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle()); } + if (s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { + // tell OpenSSL the directories where to look up the root certs on demand + QList<QByteArray> unixDirs = unixRootCertDirectories(); + for (int a = 0; a < unixDirs.count(); ++a) + q_SSL_CTX_load_verify_locations(ctx, 0, unixDirs.at(a).constData()); + } + // Register a custom callback to get all verification errors. X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback); 
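Review bot: `s_loadRootCertsOnDemand = false;` is written after the mutex is taken, but the start of setDefaultCaCertificates() is outside the hunk, so it is not visible whether ensureInitialized() runs first as it does in defaultCaCertificates() in the hunk above. If it does not, an application that calls QSslSocket::setDefaultCaCertificates() with a restricted list before any socket exists would have the flag set back to true by ensureCiphersAndCertsLoaded() on first use, and the system directories would then be registered for every context, widening the trust set the application had just narrowed. If ensureInitialized() is not already the first statement, add `QSslSocketPrivate::ensureInitialized();` before `QMutexLocker locker(&globalData()->mutex);`. Nothing re-enables the flag once it is cleared, which the new \note on the public setter should say.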
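Review bot: The return value of `q_SSL_CTX_load_verify_locations(ctx, 0, unixDirs.at(a).constData())` is discarded, so a directory OpenSSL refuses to register drops out of the trust store with no trace, and a socket whose only trust anchors were meant to come on demand later fails verification with nothing pointing at the cause. Checking the result and naming the directory would make that diagnosable: `if (!q_SSL_CTX_load_verify_locations(ctx, 0, unixDirs.at(a).constData())) qWarning("could not add %s as CA directory", unixDirs.at(a).constData());`. The loop also registers all seven directories although ensureCiphersAndCertsLoaded() only verified that one of them holds hashed entries; that is harmless for lookup but deserves a sentence in the comment above the loop. The enclosing function starts and ends outside this hunk.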
@@ -517,8 +525,22 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() } else { qWarning("could not load crypt32 library"); // should never happen } +#elif defined(Q_OS_UNIX) && !defined(Q_OS_SYMBIAN) && !defined(Q_OS_MAC) + // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) + QList<QByteArray> dirs = unixRootCertDirectories(); + QStringList symLinkFilter; + symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); + for (int a = 0; a < dirs.count(); ++a) { + QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); + if (iterator.hasNext()) { + s_loadRootCertsOnDemand = true; + break; + } + } #endif - setDefaultCaCertificates(systemCaCertificates()); + // if on-demand loading was not enabled, load the certs now + if (!s_loadRootCertsOnDemand) + setDefaultCaCertificates(systemCaCertificates()); } /*! @@ -813,15 +835,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() } #elif defined(Q_OS_UNIX) && !defined(Q_OS_SYMBIAN) QSet<QString> certFiles; - QList<QByteArray> directories; - directories << "/etc/ssl/certs/"; // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ... - directories << "/usr/lib/ssl/certs/"; // Gentoo, Mandrake - directories << "/usr/share/ssl/"; // Centos, Redhat, SuSE - directories << "/usr/local/ssl/"; // Normal OpenSSL Tarball - directories << "/var/ssl/certs/"; // AIX - directories << "/usr/local/ssl/certs/"; // Solaris - directories << "/opt/openssl/certs/"; // HP-UX - + QList<QByteArray> directories = unixRootCertDirectories(); QDir currentDir; QStringList nameFilters; nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt"); diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index 38598b6..b9a05f3 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp 
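Review bot: The probe in the new `#elif` branch only checks that some directory contains entries named like eight hex digits plus `.N`, which confirms a c_rehash-style layout but not that the hashes were generated for the OpenSSL version that will resolve them (the subject-name hash changed in OpenSSL 1.0.0, and a directory hashed only under the old scheme still contains such names). In that case the code commits to on-demand loading, `setDefaultCaCertificates(systemCaCertificates())` is skipped, and every handshake fails closed against an empty default store with no hint why. Failing closed is the right direction, but a comment such as `// hashed links are only usable if they were generated for the linked OpenSSL's hash scheme; otherwise verification fails rather than falling back` would record the trade-off, and a qWarning when the default store ends up empty at first use would save a lot of debugging. ensureCiphersAndCertsLoaded() starts outside the hunk.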
@@ -262,6 +262,7 @@ DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, #endif DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) #ifdef Q_OS_SYMBIAN #define RESOLVEFUNC(func, ordinal, lib) \ @@ -630,6 +631,7 @@ bool q_resolveOpenSslSymbols() #endif RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf, 1153, libs.second ) RESOLVEFUNC(OPENSSL_add_all_algorithms_conf, 1152, libs.second ) + RESOLVEFUNC(SSL_CTX_load_verify_locations, 34, libs.second ) #else // Q_OS_SYMBIAN #ifdef SSLEAY_MACROS RESOLVEFUNC(ASN1_dup) @@ -754,6 +756,7 @@ bool q_resolveOpenSslSymbols() #endif RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) + RESOLVEFUNC(SSL_CTX_load_verify_locations) #endif // Q_OS_SYMBIAN symbolsResolved = true; delete libs.first; diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h index 954ffba..c05dfe11 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h @@ -412,6 +412,7 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); #endif void q_OPENSSL_add_all_algorithms_noconf(); void q_OPENSSL_add_all_algorithms_conf(); +int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); // Helper function class QDateTime; diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index 3a14488..7b92f95 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h 
@@ -112,6 +112,8 @@ public: // that was used for connecting to. QString verificationPeerName; + bool allowRootCertOnDemandLoading; + static bool supportsSsl(); static void ensureInitialized(); static void deinitialize(); @@ -168,6 +170,9 @@ private: static bool s_libraryLoaded; static bool s_loadedCiphersAndCerts; +protected: + static bool s_loadRootCertsOnDemand; + static QList<QByteArray> unixRootCertDirectories(); }; QT_END_NAMESPACE diff --git a/tests/auto/network.pro b/tests/auto/network.pro index 7d83054..b427f1c 100644 --- a/tests/auto/network.pro +++ b/tests/auto/network.pro @@ -35,6 +35,8 @@ SUBDIRS=\ qsslerror \ qsslkey \ qsslsocket \ + qsslsocket_onDemandCertificates_member \ + qsslsocket_onDemandCertificates_static \ # qnetworkproxyfactory \ # Uses a hardcoded proxy configuration !contains(QT_CONFIG, private_tests): SUBDIRS -= \ diff --git a/tests/auto/qsslsocket/tst_qsslsocket.cpp b/tests/auto/qsslsocket/tst_qsslsocket.cpp index fad2e5f..739f902 100644 --- a/tests/auto/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/qsslsocket/tst_qsslsocket.cpp @@ -390,6 +390,9 @@ void tst_QSslSocket::constructing() QSslConfiguration savedDefault = QSslConfiguration::defaultConfiguration(); // verify that changing the default config doesn't affect this socket + // (on Unix, the ca certs might be empty, depending on whether we load + // them on demand or not, so set them explicitly) + socket.setCaCertificates(QSslSocket::systemCaCertificates()); QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); QSslSocket::setDefaultCiphers(QList<QSslCipher>()); QVERIFY(!socket.caCertificates().isEmpty()); diff --git a/tests/auto/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro b/tests/auto/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro new file mode 100644 index 0000000..ea62865 --- /dev/null +++ b/tests/auto/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro 
@@ -0,0 +1,36 @@ +load(qttest_p4) + +SOURCES += tst_qsslsocket_onDemandCertificates_member.cpp +!wince*:win32:LIBS += -lws2_32 +QT += network +QT -= gui + +TARGET = tst_qsslsocket_onDemandCertificates_member + +win32 { + CONFIG(debug, debug|release) { + DESTDIR = debug +} else { + DESTDIR = release + } +} + +wince* { + DEFINES += SRCDIR=\\\"./\\\" + + certFiles.files = certs ssl.tar.gz + certFiles.path = . + DEPLOYMENT += certFiles +} else:symbian { + TARGET.EPOCHEAPSIZE="0x100 0x1000000" + TARGET.CAPABILITY=NetworkServices + + certFiles.files = certs ssl.tar.gz + certFiles.path = . + DEPLOYMENT += certFiles + INCLUDEPATH *= $$MW_LAYER_SYSTEMINCLUDE # Needed for e32svr.h in S^3 envs +} else { + DEFINES += SRCDIR=\\\"$$PWD/\\\" +} + +requires(contains(QT_CONFIG,private_tests)) diff --git a/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp b/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp new file mode 100644 index 0000000..2a1358d --- /dev/null +++ b/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp 
@@ -0,0 +1,225 @@ +/**************************************************************************** +** +** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). +** All rights reserved. +** Contact: Nokia Corporation (qt-info@nokia.com) +** +** This file is part of the test suite of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** No Commercial Usage +** This file contains pre-release code and may not be distributed. +** You may use this file in accordance with the terms and conditions +** contained in the Technology Preview License Agreement accompanying +** this package. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 2.1 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 2.1 requirements +** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** +** In addition, as a special exception, Nokia gives you certain additional +** rights. These rights are described in the Nokia Qt LGPL Exception +** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** +** If you have questions regarding the use of this file, please contact +** Nokia at qt-info@nokia.com. 
+** +** +** +** +** +** +** +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#include <QtNetwork> +#include <QtTest/QtTest> + +#include <QNetworkProxy> +#include <QAuthenticator> + +#include "private/qhostinfo_p.h" + +#include "../network-settings.h" + +#ifdef Q_OS_SYMBIAN +#define SRCDIR "" +#endif + +#ifndef QT_NO_OPENSSL +class QSslSocketPtr: public QSharedPointer<QSslSocket> +{ +public: + inline QSslSocketPtr(QSslSocket *ptr = 0) + : QSharedPointer<QSslSocket>(ptr) + { } + + inline operator QSslSocket *() const { return data(); } +}; +#endif + +class tst_QSslSocket_onDemandCertificates_member : public QObject +{ + Q_OBJECT + + int proxyAuthCalled; + +public: + tst_QSslSocket_onDemandCertificates_member(); + virtual ~tst_QSslSocket_onDemandCertificates_member(); + +#ifndef QT_NO_OPENSSL + QSslSocketPtr newSocket(); +#endif + +public slots: + void initTestCase_data(); + void init(); + void cleanup(); + void proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth); + +#ifndef QT_NO_OPENSSL +private slots: + void onDemandRootCertLoadingMemberMethods(); + +private: + QSslSocket *socket; +#endif // QT_NO_OPENSSL +}; + +tst_QSslSocket_onDemandCertificates_member::tst_QSslSocket_onDemandCertificates_member() +{ + Q_SET_DEFAULT_IAP +} + +tst_QSslSocket_onDemandCertificates_member::~tst_QSslSocket_onDemandCertificates_member() +{ +} + +enum ProxyTests { + NoProxy = 0x00, + Socks5Proxy = 0x01, + HttpProxy = 0x02, + TypeMask = 0x0f, + + NoAuth = 0x00, + AuthBasic = 0x10, + AuthNtlm = 0x20, + AuthMask = 0xf0 +}; + +void tst_QSslSocket_onDemandCertificates_member::initTestCase_data() +{ + QTest::addColumn<bool>("setProxy"); + QTest::addColumn<int>("proxyType"); + + QTest::newRow("WithoutProxy") << false << 0; + QTest::newRow("WithSocks5Proxy") << true << int(Socks5Proxy); + QTest::newRow("WithSocks5ProxyAuth") << true << int(Socks5Proxy | AuthBasic); + + QTest::newRow("WithHttpProxy") << true << 
int(HttpProxy); + QTest::newRow("WithHttpProxyBasicAuth") << true << int(HttpProxy | AuthBasic); + // uncomment the line below when NTLM works +// QTest::newRow("WithHttpProxyNtlmAuth") << true << int(HttpProxy | AuthNtlm); +} + +void tst_QSslSocket_onDemandCertificates_member::init() +{ + QFETCH_GLOBAL(bool, setProxy); + if (setProxy) { + QFETCH_GLOBAL(int, proxyType); + QString testServer = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + QNetworkProxy proxy; + + switch (proxyType) { + case Socks5Proxy: + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1080); + break; + + case Socks5Proxy | AuthBasic: + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1081); + break; + + case HttpProxy | NoAuth: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3128); + break; + + case HttpProxy | AuthBasic: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3129); + break; + + case HttpProxy | AuthNtlm: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3130); + break; + } + QNetworkProxy::setApplicationProxy(proxy); + } + + qt_qhostinfo_clear_cache(); +} + +void tst_QSslSocket_onDemandCertificates_member::cleanup() +{ + QNetworkProxy::setApplicationProxy(QNetworkProxy::DefaultProxy); +} + +#ifndef QT_NO_OPENSSL +QSslSocketPtr tst_QSslSocket_onDemandCertificates_member::newSocket() +{ + QSslSocket *socket = new QSslSocket; + + proxyAuthCalled = 0; + connect(socket, SIGNAL(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)), + SLOT(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)), + Qt::DirectConnection); + + return QSslSocketPtr(socket); +} +#endif + +void tst_QSslSocket_onDemandCertificates_member::proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth) +{ + ++proxyAuthCalled; + auth->setUser("qsockstest"); + auth->setPassword("password"); +} + +#ifndef QT_NO_OPENSSL + +void 
tst_QSslSocket_onDemandCertificates_member::onDemandRootCertLoadingMemberMethods() +{ + QString host("qt.nokia.com"); + + // not using any root certs -> should not work + QSslSocketPtr socket2 = newSocket(); + this->socket = socket2; + socket2->setCaCertificates(QList<QSslCertificate>()); + socket2->connectToHostEncrypted(host, 443); + QVERIFY(!socket2->waitForEncrypted()); + + // default: using on demand loading -> should work + QSslSocketPtr socket = newSocket(); + this->socket = socket; + socket->connectToHostEncrypted(host, 443); + QVERIFY(socket->waitForEncrypted()); + + // not using any root certs again -> should not work + QSslSocketPtr socket3 = newSocket(); + this->socket = socket3; + socket3->setCaCertificates(QList<QSslCertificate>()); + socket3->connectToHostEncrypted(host, 443); + QVERIFY(!socket3->waitForEncrypted()); +} + +#endif // QT_NO_OPENSSL + +QTEST_MAIN(tst_QSslSocket_onDemandCertificates_member) +#include "tst_qsslsocket_onDemandCertificates_member.moc" diff --git a/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro b/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro new file mode 100644 index 0000000..13990cb --- /dev/null +++ b/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro 
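Review bot: `QVERIFY(!socket2->waitForEncrypted());` and the matching check on socket3 accept any failure, so the "not using any root certs" cases pass just as well when qt.nokia.com is unreachable, a proxy row is misconfigured, or DNS fails; the test cannot distinguish the certificate rejection it means to prove from plain connectivity loss. Asserting on the reason, e.g. `QVERIFY(!socket2->sslErrors().isEmpty());` after the failed wait, or comparing socket2->error() with QAbstractSocket::SslHandshakeFailedError, would pin it. The positive case is also green whether or not on-demand loading was actually enabled on the machine, because ensureCiphersAndCertsLoaded() falls back to loading the system store explicitly; since the .pro already requires private_tests, a check of the private on-demand state would let the test say what its name claims. The same applies to onDemandRootCertLoadingStaticMethods() in the _static test file, where in addition the first setDefaultCaCertificates() call clears the process-wide on-demand flag, so its "should work" case exercises explicit loading only.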
@@ -0,0 +1,36 @@ +load(qttest_p4) + +SOURCES += tst_qsslsocket_onDemandCertificates_static.cpp +!wince*:win32:LIBS += -lws2_32 +QT += network +QT -= gui + +TARGET = tst_qsslsocket_onDemandCertificates_static + +win32 { + CONFIG(debug, debug|release) { + DESTDIR = debug +} else { + DESTDIR = release + } +} + +wince* { + DEFINES += SRCDIR=\\\"./\\\" + + certFiles.files = certs ssl.tar.gz + certFiles.path = . + DEPLOYMENT += certFiles +} else:symbian { + TARGET.EPOCHEAPSIZE="0x100 0x1000000" + TARGET.CAPABILITY=NetworkServices + + certFiles.files = certs ssl.tar.gz + certFiles.path = . + DEPLOYMENT += certFiles + INCLUDEPATH *= $$MW_LAYER_SYSTEMINCLUDE # Needed for e32svr.h in S^3 envs +} else { + DEFINES += SRCDIR=\\\"$$PWD/\\\" +} + +requires(contains(QT_CONFIG,private_tests)) diff --git a/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp b/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp new file mode 100644 index 0000000..8259977 --- /dev/null +++ b/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp 
@@ -0,0 +1,226 @@ +/**************************************************************************** +** +** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). +** All rights reserved. +** Contact: Nokia Corporation (qt-info@nokia.com) +** +** This file is part of the test suite of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** No Commercial Usage +** This file contains pre-release code and may not be distributed. +** You may use this file in accordance with the terms and conditions +** contained in the Technology Preview License Agreement accompanying +** this package. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 2.1 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 2.1 requirements +** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** +** In addition, as a special exception, Nokia gives you certain additional +** rights. These rights are described in the Nokia Qt LGPL Exception +** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** +** If you have questions regarding the use of this file, please contact +** Nokia at qt-info@nokia.com. 
+** +** +** +** +** +** +** +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#include <QtNetwork> +#include <QtTest/QtTest> + +#include <QNetworkProxy> +#include <QAuthenticator> + +#include "private/qhostinfo_p.h" + +#include "../network-settings.h" + +#ifdef Q_OS_SYMBIAN +#define SRCDIR "" +#endif + +#ifndef QT_NO_OPENSSL +class QSslSocketPtr: public QSharedPointer<QSslSocket> +{ +public: + inline QSslSocketPtr(QSslSocket *ptr = 0) + : QSharedPointer<QSslSocket>(ptr) + { } + + inline operator QSslSocket *() const { return data(); } +}; +#endif + +class tst_QSslSocket_onDemandCertificates_static : public QObject +{ + Q_OBJECT + + int proxyAuthCalled; + +public: + tst_QSslSocket_onDemandCertificates_static(); + virtual ~tst_QSslSocket_onDemandCertificates_static(); + +#ifndef QT_NO_OPENSSL + QSslSocketPtr newSocket(); +#endif + +public slots: + void initTestCase_data(); + void init(); + void cleanup(); + void proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth); + +#ifndef QT_NO_OPENSSL +private slots: + void onDemandRootCertLoadingStaticMethods(); + +private: + QSslSocket *socket; +#endif // QT_NO_OPENSSL +}; + +tst_QSslSocket_onDemandCertificates_static::tst_QSslSocket_onDemandCertificates_static() +{ + Q_SET_DEFAULT_IAP +} + +tst_QSslSocket_onDemandCertificates_static::~tst_QSslSocket_onDemandCertificates_static() +{ +} + +enum ProxyTests { + NoProxy = 0x00, + Socks5Proxy = 0x01, + HttpProxy = 0x02, + TypeMask = 0x0f, + + NoAuth = 0x00, + AuthBasic = 0x10, + AuthNtlm = 0x20, + AuthMask = 0xf0 +}; + +void tst_QSslSocket_onDemandCertificates_static::initTestCase_data() +{ + QTest::addColumn<bool>("setProxy"); + QTest::addColumn<int>("proxyType"); + + QTest::newRow("WithoutProxy") << false << 0; + QTest::newRow("WithSocks5Proxy") << true << int(Socks5Proxy); + QTest::newRow("WithSocks5ProxyAuth") << true << int(Socks5Proxy | AuthBasic); + + QTest::newRow("WithHttpProxy") << true << 
int(HttpProxy); + QTest::newRow("WithHttpProxyBasicAuth") << true << int(HttpProxy | AuthBasic); + // uncomment the line below when NTLM works +// QTest::newRow("WithHttpProxyNtlmAuth") << true << int(HttpProxy | AuthNtlm); +} + +void tst_QSslSocket_onDemandCertificates_static::init() +{ + QFETCH_GLOBAL(bool, setProxy); + if (setProxy) { + QFETCH_GLOBAL(int, proxyType); + QString testServer = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + QNetworkProxy proxy; + + switch (proxyType) { + case Socks5Proxy: + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1080); + break; + + case Socks5Proxy | AuthBasic: + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1081); + break; + + case HttpProxy | NoAuth: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3128); + break; + + case HttpProxy | AuthBasic: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3129); + break; + + case HttpProxy | AuthNtlm: + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3130); + break; + } + QNetworkProxy::setApplicationProxy(proxy); + } + + qt_qhostinfo_clear_cache(); +} + +void tst_QSslSocket_onDemandCertificates_static::cleanup() +{ + QNetworkProxy::setApplicationProxy(QNetworkProxy::DefaultProxy); +} + +#ifndef QT_NO_OPENSSL +QSslSocketPtr tst_QSslSocket_onDemandCertificates_static::newSocket() +{ + QSslSocket *socket = new QSslSocket; + + proxyAuthCalled = 0; + connect(socket, SIGNAL(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)), + SLOT(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)), + Qt::DirectConnection); + + return QSslSocketPtr(socket); +} +#endif + +void tst_QSslSocket_onDemandCertificates_static::proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth) +{ + ++proxyAuthCalled; + auth->setUser("qsockstest"); + auth->setPassword("password"); +} + +#ifndef QT_NO_OPENSSL + +void 
tst_QSslSocket_onDemandCertificates_static::onDemandRootCertLoadingStaticMethods() +{ + QString host("qt.nokia.com"); + + // not using any root certs -> should not work + QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); + QSslSocketPtr socket = newSocket(); + this->socket = socket; + socket->connectToHostEncrypted(host, 443); + QVERIFY(!socket->waitForEncrypted()); + + // using system root certs -> should work + QSslSocket::setDefaultCaCertificates(QSslSocket::systemCaCertificates()); + QSslSocketPtr socket2 = newSocket(); + this->socket = socket2; + socket2->connectToHostEncrypted(host, 443); + QVERIFY(socket2->waitForEncrypted()); + + // not using any root certs again -> should not work + QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>()); + QSslSocketPtr socket3 = newSocket(); + this->socket = socket3; + socket3->connectToHostEncrypted(host, 443); + QVERIFY(!socket3->waitForEncrypted()); +} + +#endif // QT_NO_OPENSSL + +QTEST_MAIN(tst_QSslSocket_onDemandCertificates_static) +#include "tst_qsslsocket_onDemandCertificates_static.moc" diff --git a/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp index 6cb62d0..041b61a 100644 --- a/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/benchmarks/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -46,7 +46,7 @@ #include <qsslsocket.h> -// #include "../../../../auto/network-settings.h" +#include "../../../../auto/network-settings.h" //TESTED_CLASS= //TESTED_FILES= @@ -65,6 +65,7 @@ public slots: void init(); void cleanup(); private slots: + void rootCertLoading(); void systemCaCertificates(); }; 
@@ -89,6 +90,16 @@ void tst_QSslSocket::cleanup() } //---------------------------------------------------------------------------------- + +void tst_QSslSocket::rootCertLoading() +{ + QBENCHMARK_ONCE { + QSslSocket socket; + socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.waitForEncrypted(); + } +} + void tst_QSslSocket::systemCaCertificates() { // The results of this test change if the benchmarking system changes too much. |
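Review bot: `socket.waitForEncrypted();` in rootCertLoading() discards its result, so a handshake that fails (no network, no usable root store) still yields a timing, and the benchmark then measures the failure path instead of on-demand certificate loading. Wrapping it as `QVERIFY(socket.waitForEncrypted());` keeps the number honest. Now that the benchmark includes network-settings.h it depends on the test network, and a short comment saying so would help anyone running it standalone.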