diff options
author | Shane Kearns <ext-shane.2.kearns@nokia.com> | 2012-04-18 15:33:24 +0100 |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2012-05-03 16:11:58 +0200 |
commit | ee0514d63c406fd43c6a1d8005c18d602f4b3c35 (patch) | |
tree | 36b24bf96d7c5f6c5639024609cc2f832c83619b | |
parent | d1e8d9a3472a6fbc51f9050c82c1ba9daa0b0017 (diff) |
Optimise windows cert fetching and fix test case.
If we're not going to verify the peer, or we know in advance that
windows won't have a CA root then don't ask it to verify the
certificate chain.
The test case started failing in CI when the windows cert fetcher
was integrated due to timing change. I've relaxed the timing
requirement of the test to avoid it being unstable.
Task-number: QTBUG-24827
Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 26 | ||||
-rw-r--r-- | tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp | 3 |
2 files changed, 23 insertions, 6 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index bac837e62f..59f6f53fef 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1239,7 +1239,8 @@ bool QSslSocketBackendPrivate::startHandshake() #ifdef Q_OS_WIN //Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable - if (s_loadRootCertsOnDemand + if (doVerifyPeer + && s_loadRootCertsOnDemand && allowRootCertOnDemandLoading && !verifyErrorsHaveBeenIgnored()) { //Windows desktop versions starting from vista ship with minimal set of roots @@ -1247,12 +1248,29 @@ bool QSslSocketBackendPrivate::startHandshake() //trusted by MS. //However, this is only transparent if using WinINET - we have to trigger it //ourselves. + QSslCertificate certToFetch; + bool fetchCertificate = true; for (int i=0; i< sslErrors.count(); i++) { - if (sslErrors.at(i).error() == QSslError::UnableToGetLocalIssuerCertificate) { - fetchCaRootForCert(sslErrors.at(i).certificate()); - return false; + switch (sslErrors.at(i).error()) { + case QSslError::UnableToGetLocalIssuerCertificate: + certToFetch = sslErrors.at(i).certificate(); + break; + case QSslError::SelfSignedCertificate: + case QSslError::CertificateBlacklisted: + //With these errors, we know it will be untrusted so save time by not asking windows + fetchCertificate = false; + break; + default: +#ifdef QSSLSOCKET_DEBUG + qDebug() << sslErrors.at(i).errorString(); +#endif + break; } } + if (fetchCertificate && !certToFetch.isNull()) { + fetchCaRootForCert(certToFetch); + return false; + } } #endif diff --git a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp index 824f5fc507..90cecba72c 100644 --- a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp +++ b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp @@ -4410,9 +4410,8 @@ void tst_QNetworkReply::ioPostToHttpsUploadProgress() incomingSocket->setReadBufferSize(1*1024); - QTestEventLoop::instance().enterLoop(2); // some progress should have been made - QVERIFY(!spy.isEmpty()); + QTRY_VERIFY(!spy.isEmpty()); QList<QVariant> args = spy.last(); QVERIFY(args.at(0).toLongLong() > 0); // but not everything! |