Details
- Bug
- Resolution: Done
- P2: Important
- 4.6.2
- None
- 5773a5cd50fac6d7348805f785df0cf29f4388b9
Description
The failure is caused by the way OpenSSL constructs the client certificate chain before sending it to the server, combined with how Qt handles verification errors in its callback. If OpenSSL cannot complete the chain, TLS connections fail with the error message "The issuer certificate of a locally looked up certificate could not be found".
In QSslSocketBackendPrivate::initSslContext() in qsslsocket_openssl.cpp, Qt registers a callback:
```cpp
// Register a custom callback to get all verification errors.
X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
```
In ssl3_output_cert_chain() in s3_both.c, OpenSSL verifies the client certificate:
```c
if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) {
    SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB);
    return (0);
}
X509_verify_cert(&xs_ctx);
/* Don't leave errors in the queue */
ERR_clear_error();
```
X509_verify_cert() is called here only to complete the chain as far as possible, and the intent is to ignore any verification errors: ERR_clear_error() empties OpenSSL's own error queue. But the verify callback registered on the certificate store by Qt is still invoked during this best-effort verification, and whatever it records for the missing issuer is not cleared by ERR_clear_error(). That recorded error persists and later causes the connection to fail.
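The following is an added model of the interaction described above, written for this page and not taken from Qt or OpenSSL. It reconstructs only the plumbing that matters: a store-level verify callback (the X509_STORE_set_verify_cb_func path), an SSL-level verify callback (the SSL_CTX_set_verify / SSL_set_verify path), a best-effort chain build that clears the library error queue, and the handshake's real peer verification. All names ending in `_model` and the global error counters are constructed for the example. It also assumes, as one mitigation, that registering the application callback on the SSL object rather than on the store keeps it out of the chain-building step, because OpenSSL's handshake verification prefers the SSL-level callback when one is set; whether that matches the fix in commit 5773a5c is not stated on this page.

```c
/* Added model (not OpenSSL or Qt code) of the verify-callback side effect
 * described in the report. Names ending in _model are constructed. */
#include <stddef.h>
#include <stdio.h>

/* Stands in for X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (constructed). */
#define MODEL_ISSUER_NOT_FOUND 2

typedef int (*verify_cb_t)(int ok, int err);

/* Store-level default callback, as set by X509_STORE_set_verify_cb_func. */
typedef struct { verify_cb_t verify_cb; } store_model;

typedef struct {
    store_model *store;
    verify_cb_t verify_cb;      /* SSL-level callback, NULL if none */
    int client_chain_buildable; /* can the client cert's issuer be found locally? */
    int peer_chain_valid;       /* does the server's chain verify? */
} ssl_model;

/* Verification context: inherits the store callback unless overridden. */
typedef struct { verify_cb_t verify_cb; } verify_ctx_model;

/* Library error queue: what ERR_clear_error() empties. */
static int lib_err_queue = 0;

/* Application-side list of errors the callback collected. This is the side
 * effect that ERR_clear_error() does not touch. */
static int app_errors[8];
static int app_error_count = 0;

static int app_verify_callback(int ok, int err) {
    if (!ok && app_error_count < 8) app_errors[app_error_count++] = err;
    return 1;  /* keep verifying; errors are reported after the handshake */
}

static void verify_ctx_init(verify_ctx_model *ctx, store_model *store) {
    ctx->verify_cb = store->verify_cb;  /* default comes from the store */
}

/* Models X509_verify_cert(): reports a chain failure through whichever
 * callback the context holds and pushes it onto the library queue. */
static int x509_verify_cert_model(verify_ctx_model *ctx, int chain_ok) {
    if (chain_ok) return 1;
    lib_err_queue++;
    if (ctx->verify_cb) ctx->verify_cb(0, MODEL_ISSUER_NOT_FOUND);
    return 0;
}

/* Models ssl3_output_cert_chain(): best-effort completion of the client
 * chain; the result is ignored and only the library queue is cleared. */
static void ssl_output_cert_chain_model(ssl_model *ssl) {
    verify_ctx_model ctx;
    verify_ctx_init(&ctx, ssl->store);
    x509_verify_cert_model(&ctx, ssl->client_chain_buildable);
    lib_err_queue = 0;  /* ERR_clear_error() */
}

/* Models ssl_verify_cert_chain(): the handshake's real verification of the
 * peer, which uses the SSL-level callback when one is set. */
static int ssl_verify_cert_chain_model(ssl_model *ssl) {
    verify_ctx_model ctx;
    verify_ctx_init(&ctx, ssl->store);
    if (ssl->verify_cb) ctx.verify_cb = ssl->verify_cb;
    return x509_verify_cert_model(&ctx, ssl->peer_chain_valid);
}

/* Runs the client's handshake path (verify server, then send own cert) with a
 * locally unresolvable client issuer and a valid server chain, and returns how
 * many errors the application callback collected. A non-zero count is what
 * makes Qt reject an otherwise successful handshake. */
static int handshake_error_count(int register_on_store) {
    store_model store = { NULL };
    ssl_model ssl = { &store, NULL, 0, 1 };
    app_error_count = 0;
    if (register_on_store) store.verify_cb = app_verify_callback;
    else ssl.verify_cb = app_verify_callback;
    ssl_verify_cert_chain_model(&ssl);  /* server chain is fine: no error */
    ssl_output_cert_chain_model(&ssl);  /* chain build fails, queue cleared */
    return app_error_count;
}

int main(void) {
    printf("callback on store : %d stale error(s) collected\n", handshake_error_count(1));
    printf("callback on SSL   : %d stale error(s) collected\n", handshake_error_count(0));
    return 0;
}
```

Run as written, the store-registered variant reports one collected error even though the server chain verified cleanly and the library queue is empty, which is exactly the state the report describes; the SSL-registered variant collects none.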
Related mailing list discussions:
http://marc.info/?t=137604275300009&r=1&w=2 (on openssl-users)
http://lists.qt-project.org/pipermail/development/2013-August/012423.html
Issue Links
- relates to QTBUG-7200 "Using QNetworkAccessManager with local certificate causes self-signed error" (Closed)