QSslConfiguration: toggle on demand loading of root certs properly

make sure we keep track of when we can load root certs and when we
cannot (we cannot when the developer set the certs explicitly). This is
implemented the same way for QSslSocket already, and needs to be
duplicated because we have 2 methods for setting CA certificates: one in
QSslSocket and one in QSslConfiguration.
In addition, adapt the auto test which checks whether setting a default
QSslConfiguration works: There is no way to set on demand loading
through the API, so it should be enabled by default.

Task-number: QTBUG-29103
(backport of commit ce35c0db0d9dd849c736eabaeb57d597186aaa13)

Change-Id: Idf15c21092c7727e1080b1c261ce055f30dbcf63
Reviewed-by: Richard J. Moore <rich@kde.org>

2 files changed, 69 insertions, 5 deletions

diff --git a/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp b/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp
index bd51356..280a399 100644
--- a/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp
+++ b/tests/auto/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp
@@ -46,7 +46,10 @@
 #include <QNetworkProxy>
 #include <QAuthenticator>
 
+#ifdef QT_BUILD_INTERNAL
 #include "private/qhostinfo_p.h"
+#include "private/qsslsocket_p.h"
+#endif
 
 #include "../network-settings.h"
 
@@ -218,12 +221,31 @@ void tst_QSslSocket_onDemandCertificates_member::onDemandRootCertLoadingMemberMe
     socket3->connectToHostEncrypted(host, 443);
     QVERIFY(!socket3->waitForEncrypted());
 
-    // setting empty SSL configuration explicitly -> should not work
+    // setting empty SSL configuration explicitly -> depends on on-demand loading
     QSslSocketPtr socket4 = newSocket();
-    this->socket = socket4;
-    socket4->setSslConfiguration(QSslConfiguration());
+    this->socket = socket4.data();
+    QSslConfiguration conf;
+    socket4->setSslConfiguration(conf);
     socket4->connectToHostEncrypted(host, 443);
-    QVERIFY(!socket4->waitForEncrypted());
+#ifdef QT_BUILD_INTERNAL
+    bool rootCertLoadingAllowed = QSslSocketPrivate::rootCertOnDemandLoadingSupported();
+#if defined(Q_OS_LINUX) || defined (Q_OS_BLACKBERRY)
+    QCOMPARE(rootCertLoadingAllowed, true);
+#elif defined(Q_OS_MAC)
+    QCOMPARE(rootCertLoadingAllowed, false);
+#endif // other platforms: undecided (Windows: depends on the version)
+    // when we allow on demand loading, it is enabled by default,
+    // so on Unix it will work without setting any certificates. Otherwise,
+    // the configuration contains an empty set of certificates
+    // and will fail.
+    bool works;
+#if defined (Q_OS_WIN)
+    works = false; // on Windows, this won't work even though we use on demand loading
+#else
+    works = rootCertLoadingAllowed;
+#endif
+    QCOMPARE(socket4->waitForEncrypted(), works);
+#endif // QT_BUILD_INTERNAL
 }
 
 #endif // QT_NO_OPENSSL
diff --git a/tests/manual/qnetworkreply/main.cpp b/tests/manual/qnetworkreply/main.cpp
index 0226d90..9d395ee 100644
--- a/tests/manual/qnetworkreply/main.cpp
+++ b/tests/manual/qnetworkreply/main.cpp
@@ -46,8 +46,13 @@
 #include <QtNetwork/qnetworkreply.h>
 #include <QtNetwork/qnetworkrequest.h>
 #include <QtNetwork/qnetworkaccessmanager.h>
+#include <QtNetwork/qsslconfiguration.h>
 #include "../../auto/network-settings.h"
 
+#ifdef QT_BUILD_INTERNAL
+#include "private/qsslsocket_p.h"
+#endif
+
 #define BANDWIDTH_LIMIT_BYTES (1024*100)
 #define TIME_ESTIMATION_SECONDS (97)
 
@@ -57,7 +62,8 @@ class tst_qnetworkreply : public QObject
     private slots:
     void limiting_data();
     void limiting();
-
+    void setSslConfiguration_data();
+    void setSslConfiguration();
 };
 
 QNetworkReply *reply;
@@ -124,6 +130,42 @@ void tst_qnetworkreply::limiting()
     QVERIFY(!QTestEventLoop::instance().timeout());
 }
 
+void tst_qnetworkreply::setSslConfiguration_data()
+{
+    QTest::addColumn<QUrl>("url");
+    QTest::addColumn<bool>("works");
+
+    QTest::newRow("codereview.qt-project.org") << QUrl("https://codereview.qt-project.org") << true;
+    QTest::newRow("test-server") << QUrl("https://" + QtNetworkSettings::serverName() + "/") << false;
+}
+
+void tst_qnetworkreply::setSslConfiguration()
+{
+    QFETCH(QUrl, url);
+    QNetworkRequest request(url);
+    QSslConfiguration conf = request.sslConfiguration();
+    conf.setProtocol(QSsl::TlsV1); // TLS 1.0 will be used anyway, just make sure we change the configuration
+    request.setSslConfiguration(conf);
+    QNetworkAccessManager manager;
+    reply = manager.get(request);
+    QObject::connect(reply, SIGNAL(finished()), &QTestEventLoop::instance(), SLOT(exitLoop()));
+    QTestEventLoop::instance().enterLoop(15);
+    QVERIFY(!QTestEventLoop::instance().timeout());
+#ifdef QT_BUILD_INTERNAL
+    QFETCH(bool, works);
+    bool rootCertLoadingAllowed = QSslSocketPrivate::rootCertOnDemandLoadingSupported();
+#if defined(Q_OS_LINUX) || defined (Q_OS_BLACKBERRY)
+    QCOMPARE(rootCertLoadingAllowed, true);
+#elif defined(Q_OS_MAC)
+    QCOMPARE(rootCertLoadingAllowed, false);
+#endif // other platforms: undecided (Windows: depends on the version)
+    if (works) {
+        QCOMPARE(reply->error(), QNetworkReply::NoError);
+    } else {
+        QCOMPARE(reply->error(), QNetworkReply::SslHandshakeFailedError);
+    }
+#endif
+}
 
 QTEST_MAIN(tst_qnetworkreply)