Fix renewed SSL certificates being incorrectly reported as expired
author: Shane Kearns <shane.kearns@accenture.com>
Fri, 6 Jan 2012 16:29:43 +0000 (16:29 +0000)
committer: Qt by Nokia <qt-info@nokia.com>
Fri, 6 Jan 2012 18:24:23 +0000 (19:24 +0100)
OpenSSL tries certificates in the order they are added to the store.
There was logic to add the expired certificates after the valid ones
to ensure the valid certificate is checked first if the OS cert store
contains both the expired and renewed version of the same cert (e.g.
the VeriSign class 3 cert on Windows).

However, due to a coding error, the ordering was reversed, ensuring the
problem is always encountered instead of always avoided.

Task-number: QTBUG-20012
Change-Id: I7c8dba8a09842540a22b44d33c7dcb22bbbc6a58
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
src/network/ssl/qsslsocket_openssl.cpp

index f22d0bd..ab40f15 100644
@@ -343,7 +343,7 @@ init_context:
     foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
         // add expired certs later, so that the
         // valid ones are used before the expired ones
-        if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
+        if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
             expiredCerts.append(caCertificate);
         } else {
             q_X509_STORE_add_cert(ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
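Review bot: the comparison is now the right way round, but `QDateTime::currentDateTime()` is evaluated once per iteration of the `foreach` loop, so certificates are classified against slightly different instants; hoist it into a `const QDateTime now = QDateTime::currentDateTime();` before the loop and compare `caCertificate.expiryDate() < now`. Since this inverted test shipped unnoticed until QTBUG-20012, a regression test that loads an expired CA certificate together with its renewed replacement and verifies a chain against that store would pin the ordering down.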
@@ -1354,7 +1354,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi
     foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) {
         // add expired certs later, so that the
         // valid ones are used before the expired ones
-        if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
+        if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
             expiredCerts.append(caCertificate);
         } else {
             q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
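Review bot: this is a second, byte-for-byte copy of the classify-and-add loop from the `init_context` block at line 343, and the same inverted comparison had to be corrected in both places, which is exactly how the two copies will drift apart again. Consider factoring the loop into one static helper that takes the `X509_STORE *` and the certificate list (the only two things that differ between the call sites, `ctx->cert_store` versus `certStore` and `q->caCertificates()` versus `QSslSocket::defaultCaCertificates()`), so the expired-last ordering is implemented once and tested once.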