summaryrefslogtreecommitdiffstats
path: root/src/network
diff options
context:
space:
mode:
authorPeter Hartmann <peter.hartmann@nokia.com>2010-06-30 10:09:05 (GMT)
committerPeter Hartmann <peter.hartmann@nokia.com>2010-06-30 11:05:17 (GMT)
commit317e2c9199da58879b083b5561a69612ae0a4a41 (patch)
tree17ac1daefe782d7b20eab3f8e48d197733ec07ea /src/network
parentdad49a41cc60e6297bd6d7099b6d06e0240c5f16 (diff)
downloadQt-317e2c9199da58879b083b5561a69612ae0a4a41.zip
Qt-317e2c9199da58879b083b5561a69612ae0a4a41.tar.gz
Qt-317e2c9199da58879b083b5561a69612ae0a4a41.tar.bz2
SSL backend: correct ordering of root CA certificates in the store
Some CAs have several root certificates with the same SubjectInfo, but different expiration date. This means that OpenSSL needs to choose the valid root certificate over the expired ones when verifying a certificate chain. Apparently, the certs added to the store first are the ones that get used first, so we add the expired ones at the end. Reviewed-by: Thiago Macieira Task-number: QTBUG-11664
Diffstat (limited to 'src/network')
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index fa26fe8..30428ff 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -299,8 +299,20 @@ init_context:
}
// Add all our CAs to this store.
- foreach (const QSslCertificate &caCertificate, q->caCertificates())
+ QList<QSslCertificate> expiredCerts;
+ foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
+ // add expired certs later, so that the
+ // valid ones are used before the expired ones
+ if (! caCertificate.isValid()) {
+ expiredCerts.append(caCertificate);
+ } else {
+ q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+ }
+ }
+ // now add the expired certs
+ foreach (const QSslCertificate &caCertificate, expiredCerts) {
q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+ }
// Register a custom callback to get all verification errors.
X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
@@ -597,7 +609,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
if(!pc)
break;
QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded));
- QSslCertificate cert(der,QSsl::Der);
+ QSslCertificate cert(der, QSsl::Der);
systemCerts.append(cert);
}
ptrCertCloseStore(hSystemStore, 0);