From 317e2c9199da58879b083b5561a69612ae0a4a41 Mon Sep 17 00:00:00 2001 From: Peter Hartmann Date: Wed, 30 Jun 2010 12:09:05 +0200 Subject: SSL backend: correct ordering of root CA certificates in the store Some CAs have several root certificates with the same SubjectInfo, but different expiration date. This means that OpenSSL needs to choose the valid root certificate over the expired ones when verifying a certificate chain. Apparently, the certs added to the store first are the ones that get used first, so we add the expired ones at the end. Reviewed-by: Thiago Macieira Task-number: QTBUG-11664 --- src/network/ssl/qsslsocket_openssl.cpp | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index fa26fe8..30428ff 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -299,8 +299,20 @@ init_context: } // Add all our CAs to this store. - foreach (const QSslCertificate &caCertificate, q->caCertificates()) + QList expiredCerts; + foreach (const QSslCertificate &caCertificate, q->caCertificates()) { + // add expired certs later, so that the + // valid ones are used before the expired ones + if (! caCertificate.isValid()) { + expiredCerts.append(caCertificate); + } else { + q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle()); + } + } + // now add the expired certs + foreach (const QSslCertificate &caCertificate, expiredCerts) { q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle()); + } // Register a custom callback to get all verification errors. X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback); @@ -597,7 +609,7 @@ QList QSslSocketPrivate::systemCaCertificates() if(!pc) break; QByteArray der((const char *)(pc->pbCertEncoded), static_cast(pc->cbCertEncoded)); - QSslCertificate cert(der,QSsl::Der); + QSslCertificate cert(der, QSsl::Der); systemCerts.append(cert); } ptrCertCloseStore(hSystemStore, 0); -- cgit v0.12