Qt / QTBUG-24350

QSslCertificate::verify does not find any roots when on-demand loading is used


Details

    • Bug
    • Resolution: Done
    • P2: Important
    • 5.0.0
    • 5.0.0
    • Network: SSL
    • None
    • 19a562a92318f417bb4dca0cae2b97f28a98a7e2

    Description

      QSslSocket::verify uses defaultCaCertificates() to populate the certificate
      store with root certificates. However, when
      QSslSocketPrivate::ensureCiphersAndCertsLoaded() decides that on-demand loading
      of roots is possible, defaultCaCertificates() returns an empty list.

      As a result, QSslSocket::verify will fail since it
      doesn't use the same roots as a regular SSL connection handshake.

      QSslSocket::verify should probably use the same method as
      QSslSocketBackendPrivate::initSslContext:

          if (s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
              // tell OpenSSL the directories where to look up the root certs on demand
              QList<QByteArray> unixDirs = unixRootCertDirectories();
              for (int a = 0; a < unixDirs.count(); ++a)
                  q_SSL_CTX_load_verify_locations(ctx, 0, unixDirs.at(a).constData());
          }

      Attached example to reproduce.


          People

            xcm Martin Petersson (Inactive)