Details
Type: Suggestion
Resolution: Done
Priority: P4: Low
4.7.0
None
Commit: 60d972c8a39a691ea5a7afb79138fcd77a529605
Description
It's possible to hook into the OpenSSL handshake process and obtain the identification of the root CA certificate being requested, and only then load it from the system CA certificate store.
I'm not sure which API can do this in OpenSSL, but on Unix an strace of the /usr/bin/openssl tool (when passed the -CApath argument) reveals that it does load certs on-demand. E.g.:
$ strace -e open openssl s_client -connect bugs.kde.org:443 -CApath /etc/ssl/certs/ 2>&1 | grep etc/ssl/certs
open("/etc/ssl/certs//bcdd5959.0", O_RDONLY|O_LARGEFILE) = 4
The full loading of CA certificates should only be triggered if the user tries to obtain the list, via QSslConfiguration::defaultConfiguration().caCertificates() or QSslSocket::defaultCaCertificates(). In other words, we should keep a flag indicating whether on-demand loading has been done.
Note: on-demand loading must not break thread-safety.
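The two code paths the suggestion describes, sketched as an added C++ example that is not Qt's or OpenSSL's code: a handshake hook asks the store for one issuer by its subject-name hash and only that file is read, while the public "list all CAs" call performs the full directory scan exactly once, guarded so concurrent callers cannot trigger it twice. The hashed directory here is a constructed in-memory stand-in for /etc/ssl/certs/ (file names follow OpenSSL's <hash>.<n> convention, contents are placeholders), and the class and function names are invented for the illustration.

```cpp
// Added example, not Qt code: a CA store that loads certificates on demand.
#include <atomic>
#include <cstdio>
#include <map>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Constructed stand-in for a hashed CA directory such as /etc/ssl/certs/.
// OpenSSL's hash-dir lookup names each file <subject-name-hash>.<n>; the
// contents below are placeholders, not real certificates.
static const std::map<std::string, std::string> kHashDir = {
    {"bcdd5959.0", "placeholder PEM for root CA A"},
    {"bcdd5959.1", "placeholder PEM for root CA A (second file, same hash)"},
    {"2e5ac55d.0", "placeholder PEM for root CA B"},
    {"6b99d060.0", "placeholder PEM for root CA C"},
};

class LazyCaStore {
public:
    // Handshake path: the hook knows which issuer hash is being asked for,
    // so only the files for that hash are read. Never triggers the full scan.
    std::vector<std::string> lookupByHash(const std::string& hash) {
        std::lock_guard<std::mutex> lock(mutex_);
        auto cached = byHash_.find(hash);
        if (cached != byHash_.end()) return cached->second;
        std::vector<std::string> certs;
        for (int n = 0;; ++n) {                       // <hash>.0, <hash>.1, ...
            auto it = kHashDir.find(hash + "." + std::to_string(n));
            if (it == kHashDir.end()) break;
            certs.push_back(it->second);
            ++filesRead_;
        }
        byHash_[hash] = certs;   // cache misses too, so an unknown issuer is not rescanned
        return certs;
    }

    // Enumeration path (QSslSocket::defaultCaCertificates() in the issue's
    // terms): the whole directory is read once; call_once is the "flag" that
    // records the full load and keeps concurrent callers from repeating it.
    const std::vector<std::string>& allCertificates() {
        std::call_once(fullLoad_, [this] {
            std::lock_guard<std::mutex> lock(mutex_);
            for (const auto& entry : kHashDir) {
                all_.push_back(entry.second);
                ++filesRead_;
            }
            fullLoadDone_ = true;
        });
        return all_;
    }

    int filesRead() const { return filesRead_.load(); }
    bool fullLoadDone() const { return fullLoadDone_.load(); }

private:
    std::mutex mutex_;
    std::once_flag fullLoad_;
    std::map<std::string, std::vector<std::string>> byHash_;
    std::vector<std::string> all_;
    std::atomic<int> filesRead_{0};
    std::atomic<bool> fullLoadDone_{false};
};

// Several handshakes that each need one issuer: only that issuer's files are
// read, repeats hit the cache, and an unknown hash costs no file reads.
int handshakeOnlyFilesRead() {
    LazyCaStore store;
    store.lookupByHash("bcdd5959");   // two files share this hash -> 2 reads
    store.lookupByHash("bcdd5959");   // cached, no extra read
    store.lookupByHash("deadbeef");   // no such issuer, 0 reads, miss remembered
    return store.filesRead();         // 2
}

// Many threads asking for the full list at once must cause exactly one scan.
int concurrentFullLoadFilesRead(int threads) {
    LazyCaStore store;
    std::vector<std::thread> workers;
    for (int i = 0; i < threads; ++i)
        workers.emplace_back([&store] { (void)store.allCertificates(); });
    for (auto& w : workers) w.join();
    return store.filesRead();         // kHashDir.size() == 4
}

int main() {
    std::printf("handshake-only reads: %d\n", handshakeOnlyFilesRead());
    std::printf("8 concurrent full loads read: %d files\n", concurrentFullLoadFilesRead(8));
    return 0;
}
```

The point to keep from this sketch is the separation: the per-handshake lookup never sets the full-load flag, and the full load is idempotent under contention, which is what makes the on-demand scheme safe to call from several QSslSocket threads at once.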
Attachments
Issue Links
- relates to QTBUG-14013 "Qt processes the system's CA certificate store more than once" (Closed)