author | Peter Hartmann <peter.hartmann@nokia.com> | 2010-06-30 10:09:05 (GMT) |
---|---|---|
committer | Peter Hartmann <peter.hartmann@nokia.com> | 2010-06-30 11:05:17 (GMT) |
commit | 317e2c9199da58879b083b5561a69612ae0a4a41 (patch) | |
tree | 17ac1daefe782d7b20eab3f8e48d197733ec07ea /src/network | |
parent | dad49a41cc60e6297bd6d7099b6d06e0240c5f16 (diff) | |
SSL backend: correct ordering of root CA certificates in the store
Some CAs have several root certificates with the same SubjectInfo, but
different expiration date. This means that OpenSSL needs to choose the
valid root certificate over the expired ones when verifying a
certificate chain. Apparently, the certs added to the store first are
the ones that get used first, so we add the expired ones at the end.
Reviewed-by: Thiago Macieira
Task-number: QTBUG-11664
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index fa26fe8..30428ff 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -299,8 +299,20 @@ init_context:
 }
 // Add all our CAs to this store.
- foreach (const QSslCertificate &caCertificate, q->caCertificates())
+ QList<QSslCertificate> expiredCerts;
+ foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
+ // add expired certs later, so that the
+ // valid ones are used before the expired ones
+ if (! caCertificate.isValid()) {
+ expiredCerts.append(caCertificate);
+ } else {
+ q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+ }
+ }
+ // now add the expired certs
+ foreach (const QSslCertificate &caCertificate, expiredCerts) {
 q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+ }
 // Register a custom callback to get all verification errors.
 X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
@@ -597,7 +609,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
 if(!pc)
 break;
 QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded));
- QSslCertificate cert(der,QSsl::Der);
+ QSslCertificate cert(der, QSsl::Der);
 systemCerts.append(cert);
 }
 ptrCertCloseStore(hSystemStore, 0);
|
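Review bot: The deferral in the first hunk is keyed on `caCertificate.isValid()`, but the comments and the name `expiredCerts` speak only of expiry; as far as I know `isValid()` also returns false for a certificate whose validity period has not started yet, so the second list may hold more than expired roots. The fix also depends on the X509_STORE trying same-subject certificates in insertion order, which the commit message itself only calls apparent, and the expired roots remain in the store either way. I would record that assumption at the loop, e.g. `// NOTE: relies on OpenSSL trying same-subject CAs in the order they were added to the store; not a documented guarantee (QTBUG-11664)`, and add a regression test with a valid and an expired root sharing one subject so a change in OpenSSL's lookup order is noticed. The enclosing init_context block starts and ends outside the hunk.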