Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-24827

Windows 7, Windows Vista - most https urls give untrusted root CA error on new OS installation

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 4.8.0, 5.0.0
    • Fix Version/s: 5.0.0
    • Component/s: Network: SSL
    • Labels:
      None
    • Commits:
      7386ab17df94e58efeb2f2fba91b9f816834c077

      Description

      Since windows vista, the windows certificate store contains only a handful of trusted roots by default.
      When accessing an SSL website using internet explorer, the untrusted root is checked with microsoft on demand whether it should be trusted or not (somehow using windows update, don't have the details yet). If it is determined to be good, then it is added to the local cert store as a 3rd party root certificate and trusted automatically.
      Presumably the result of this verification can also be an explicit distrust (for known compromised CAs) or unknown (e.g. an intranet CA)

      There are root certificate bundle updates from MS which can be manually installed, but these are only installed automatically on windows XP.

      In corporate environments, CA bundles can be pushed using group policy (again, don't have details, but the MS web page suggests disabling the on demand verification and using this mechanism instead if you (as a sysadmin) want to decide for yourself which CAs to trust)

      Workaround for this problem is to install the most recent "Update for Root Certificates For Windows XP" package from Microsoft, which will install all the currently trusted certificates.

        Attachments

          Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            Activity

              People

              Assignee:
              shkearns Shane Kearns
              Reporter:
              shkearns Shane Kearns
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Gerrit Reviews

                  There are no open Gerrit changes