We have been getting a number of complaints lately from customers running Windows 7, getting SSL certificate validation errors.
It seems that newer Windows editions do not longer update the complete root certificate list regularly (e.g. Valicert/Starfield is missing), but download missing certificates on-demand.
Problem occurs if:
- customer has never visited the SSL site before with another application.
- customer uses our application to access a SSL site.
The problem does not occur if:
- customer visits the SSL site first with Internet Explorer, this auto-installs the missing certificate.
- and then uses our application.
As a workaround we currently ship the missing certificates with our application, and that seems to work.
However for a long term solution I think Qt should use the CryptoAPI to ask for a specific certificate, instead of consulting the local list like it does now, to trigger the update.
I see there is already a related bug for on-demand loading: http://bugreports.qt.nokia.com/browse/QTBUG-14016
But it has been marked as done for Qt 4.8. Any chance of adding it to Qt 4.7 as well, as having working certificate validation is quite essential?