Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-95160

Simplify server-side TLS certificate changes

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Reported
    • Priority: P2: Important
    • Resolution: Unresolved
    • Affects Version/s: 5.12, 5.15, 6.1, 6.2
    • Fix Version/s: None
    • Component/s: Network: SSL
    • Labels:
      None
    • Platform/s:
      All

      Description

      Currently when changing certificates in the test server we need to go through a few steps:

      1. Generate the new server certificate with whatever changes are needed (or just regenerate if expired)
      2. prepare all current branches for the change (e.g. must be able to accept one of two certificates in the ServerHello).
        1. It needs to be in all branches before the next step to avoid breaking CI for everyone else
      3. Deploy the certificate to the server
        1. Done through one of the qtqa repositories
      4. Switch over the test to only use the new certificate

      However, if we use a long-lived certificate authority which we can add to trusted CAs in the test, and don't keep a copy of the server's certificate in the source we can skip step 2 and 4. The process would be more like this

      1. Generate the new server certificate with whatever changes needed
      2. Sign the certificate using our certificate authority
      3. Deploy to server

      All branches still trust the CA so the new certificate will automatically be accepted. If we need to test specific things about a certificate (such as comparing fields and/or testing parsing) then this test should be done in-process.

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            manordheim Mårten Nordheim
            Reporter:
            manordheim Mårten Nordheim
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:

                Gerrit Reviews

                There are no open Gerrit changes