Qt: QTBUG-21069

Some SSL certificates fail authentication on Windows 7.


Details

    • Bug
    • Resolution: Duplicate
    • P2: Important
    • None
    • 4.7.3
    • Network: SSL
    • None
    • Windows 7

Description

In QSslSocketBackendPrivate::initSslContext() Qt will add both valid and expired certificates to the x509 store. It attempts to add expired certificates after those that are valid. However, in openssl, this has no effect because the stack used to hold these certificates is sorted, so it doesn't matter what order you push them in. The x509 store in openssl is sorted by the x509_object_cmp comparer, which will sort them by subject name. If you have multiple certificates with different expiration dates with the same subject name, it is effectively random which one it will get during X509_STORE_get_by_subject during X509_verify_cert.

Specifically this issue came to light using a VeriSign certificate. It has been verified on several different machines from different sources, and it appears that the VeriSign 'Class 3 Public Primary Certification Authority' certificate is installed in the Root system store on Windows 7 by default multiple times, including one that is expired. It also appears to frequently (normally) get sorted above the valid certificate, so when present, it blocks validation for this site. Looking around the web, I have seen several discussions of validation problems that sound like they might have the same root cause.

The solution would seem to be to only push invalid certificates if there are no valid certificates with the same subject name already in the store. So in the 'now add the expired certs' block, you can first check with X509_STORE_get_by_subject to verify whether or not to push this invalid cert. (This would probably allow you to skip the MAC version exclusion, and the comments above about 'adding later' would need to be clarified.)
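The store behaviour and the proposed fix, as an added Python model that is not part of this report or of Qt's code: the store is keyed on subject name only (as x509_object_cmp does), so with a duplicated root the lookup is ambiguous, and the 4.7.3 "valid first, expired later" ordering changes nothing; the proposed rule skips an expired cert when a valid one with the same subject is already present. The certificate records, subjects, dates and labels are constructed sample data, not real certificates.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CaCert:
    subject: str         # the only field x509_object_cmp sorts and matches on
    not_after: datetime
    label: str           # constructed tag so duplicate subjects can be told apart

    def is_expired(self, now):
        return self.not_after < now


class SubjectKeyedStore:
    """Toy model of an OpenSSL X509_STORE: objects are held in a stack sorted by
    subject name, so the order in which they were pushed is not preserved."""
    def __init__(self):
        self._by_subject = {}

    def add(self, cert):
        self._by_subject.setdefault(cert.subject, []).append(cert)

    def candidates(self, subject):
        return list(self._by_subject.get(subject, []))

    def get_by_subject(self, subject):
        # X509_STORE_get_by_subject hands back one matching object; with duplicate
        # subjects the sort order does not decide which, hence the random choice.
        found = self.candidates(subject)
        return random.choice(found) if found else None


def add_certs_qt473(store, certs, now):
    """Order used by initSslContext() in 4.7.3: valid certs, then expired ones.
    Both copies of a duplicated subject still land in the store."""
    for c in certs:
        if not c.is_expired(now):
            store.add(c)
    for c in certs:
        if c.is_expired(now):
            store.add(c)


def add_certs_proposed(store, certs, now):
    """Proposed fix: push an expired cert only if no valid cert with the same
    subject is already in the store (the X509_STORE_get_by_subject check)."""
    for c in certs:
        if not c.is_expired(now):
            store.add(c)
    for c in certs:
        has_valid = any(not x.is_expired(now) for x in store.candidates(c.subject))
        if c.is_expired(now) and not has_valid:
            store.add(c)


# Constructed sample: one root installed twice (one copy expired), plus an
# expired root with a unique subject that the proposed rule still adds.
NOW = datetime(2011, 8, 1, tzinfo=timezone.utc)
ROOT = "O=Sample CA Inc., OU=Class 3 Public Primary Certification Authority"
SAMPLE = [
    CaCert(ROOT, datetime(1999, 12, 31, tzinfo=timezone.utc), "expired copy"),
    CaCert(ROOT, datetime(2028, 8, 1, tzinfo=timezone.utc), "current copy"),
    CaCert("CN=Legacy Test Root", datetime(2005, 1, 1, tzinfo=timezone.utc), "legacy"),
]
```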

People

shkearns Shane Kearns
xcm Martin Petersson (Inactive)
Votes: 0
Watchers: 2