From 42d4639fd95b098ff087afa9fc325adf906e2f55 Mon Sep 17 00:00:00 2001 From: Shane Kearns Date: Fri, 27 Apr 2012 20:05:05 +0100 Subject: [PATCH] Fix windows cert fetcher if site presents full chain If a website presents the complete certificate chain in the handshake i.e. site -> intermediate CA -> root CA then openssl gives a different error (SelfSignedCertificateInChain) Because of this windows feature, that either means the site is signed by an untrusted CA, or the CA trust status is unknown because we don't have the root cert in the cert store. In any case, calling the windows verification function results in a trusted chain & the root being added to the cert store. Task-number: QTBUG-24827 Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6 Reviewed-by: Richard J. Moore --- src/network/ssl/qsslsocket_openssl.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 59f6f53..eddedac 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1252,7 +1252,8 @@ bool QSslSocketBackendPrivate::startHandshake() bool fetchCertificate = true; for (int i=0; i< sslErrors.count(); i++) { switch (sslErrors.at(i).error()) { - case QSslError::UnableToGetLocalIssuerCertificate: + case QSslError::UnableToGetLocalIssuerCertificate: // site presented intermediate cert, but root is unknown + case QSslError::SelfSignedCertificateInChain: // site presented a complete chain, but root is unknown certToFetch = sslErrors.at(i).certificate(); break; case QSslError::SelfSignedCertificate: @@ -1344,6 +1345,7 @@ void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertifi case QSslError::UnableToGetLocalIssuerCertificate: case QSslError::CertificateUntrusted: case QSslError::UnableToVerifyFirstCertificate: + case QSslError::SelfSignedCertificateInChain: // error can be ignored if OS says the chain is trusted sslErrors.removeAt(i); break; -- 2.7.4