Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 141d80a..b8e6c4c 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1193,12 +1193,16 @@ bool QSslSocketBackendPrivate::startHandshake()
 X509 *x509 = q_SSL_get_peer_certificate(ssl);
 configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
 q_X509_free(x509);
- if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
- q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
- q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
- emit q->error(QAbstractSocket::SslHandshakeFailedError);
- plainSocket->disconnectFromHost();
- return false;
+
+ // check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
+ foreach (const QSslCertificate &cert, configuration.peerCertificateChain) {
+ if (QSslCertificatePrivate::isBlacklisted(cert)) {
+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
+ plainSocket->disconnectFromHost();
+ return false;
+ }
 }
 // Start translating errors. |
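Review bot: The new loop over `configuration.peerCertificateChain` replaces the direct check of `configuration.peerCertificate`, so the leaf is only tested when the chain actually contains it. The chain is filled outside this hunk; if it comes from OpenSSL's `SSL_get_peer_cert_chain`, that stack does not include the peer's own certificate on the server side, and a blacklisted client certificate would then pass where the old code rejected it. I would keep the leaf explicit, e.g. `QList<QSslCertificate> toCheck = configuration.peerCertificateChain;` followed by `if (!toCheck.contains(configuration.peerCertificate)) toCheck.prepend(configuration.peerCertificate);`, and iterate `toCheck` instead. The message "The peer certificate is blacklisted" is now also emitted when an intermediate or root matches, so wording it for the chain would help whoever reads the handshake failure. startHandshake() begins and continues outside the hunk.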