projects / profile / ivi / qtbase.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f503e90)
Fix windows cert fetcher if site presents full chain
authorShane Kearns <ext-shane.2.kearns@nokia.com>
Fri, 27 Apr 2012 19:05:05 +0000 (20:05 +0100)
committerQt by Nokia <qt-info@nokia.com>
Fri, 4 May 2012 01:10:39 +0000 (03:10 +0200)
If a website presents the complete certificate chain in the handshake
i.e. site -> intermediate CA -> root CA then openssl gives
a different error (SelfSignedCertificateInChain)

Because of this windows feature, that either means the site is
signed by an untrusted CA, or the CA trust status is unknown because
we don't have the root cert in the cert store.

In any case, calling the windows verification function results
in a trusted chain & the root being added to the cert store.

Task-number: QTBUG-24827
Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6
Reviewed-by: Richard J. Moore <rich@kde.org>
src/network/ssl/qsslsocket_openssl.cpp patch | blob | history

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 59f6f53..eddedac 100644 (file)
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1252,7 +1252,8 @@ bool QSslSocketBackendPrivate::startHandshake()
             bool fetchCertificate = true;
             for (int i=0; i< sslErrors.count(); i++) {
                 switch (sslErrors.at(i).error()) {
-                case QSslError::UnableToGetLocalIssuerCertificate:
+                case QSslError::UnableToGetLocalIssuerCertificate: // site presented intermediate cert, but root is unknown
+                case QSslError::SelfSignedCertificateInChain: // site presented a complete chain, but root is unknown
                     certToFetch = sslErrors.at(i).certificate();
                     break;
                 case QSslError::SelfSignedCertificate:
@@ -1344,6 +1345,7 @@ void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertifi
                 case QSslError::UnableToGetLocalIssuerCertificate:
                 case QSslError::CertificateUntrusted:
                 case QSslError::UnableToVerifyFirstCertificate:
+                case QSslError::SelfSignedCertificateInChain:
                     // error can be ignored if OS says the chain is trusted
                     sslErrors.removeAt(i);
                     break;
Domain: UI Framework / Uncategorized;