Details

- Bug
- Resolution: Done
- P2: Important
- 5.0.0
- None
- 19a562a92318f417bb4dca0cae2b97f28a98a7e2
Description

QSslSocket::verify uses defaultCaCertificates() to populate the certificate store with root certificates. However, when QSslSocketPrivate::ensureCiphersAndCertsLoaded() decides that on-demand loading of roots is possible, defaultCaCertificates() returns an empty list. As a result, QSslSocket::verify will fail since it doesn't use the same roots as a regular SSL connection handshake.

QSslSocket::verify should probably use the same method as QSslSocketBackendPrivate::initSslContext:

```cpp
if (s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
    // tell OpenSSL the directories where to look up the root certs on demand
    QList<QByteArray> unixDirs = unixRootCertDirectories();
    for (int a = 0; a < unixDirs.count(); ++a)
        q_SSL_CTX_load_verify_locations(ctx, 0, unixDirs.at(a).constData());
}
```

Attached example to reproduce.
Attachments

For Gerrit Dashboard: QTBUG-24350

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 17081,3 | QSslSocket::verify certificates when on-demand loading is used | master | qt/qtbase | MERGED | +2 | 0 |
| 17767,1 | QSslSocket::verify certificates when on-demand loading is used | api_changes | qt/qtbase | ABANDONED | 0 | 0 |