Ssl: Copy the on-demand cert loading bool from default config

Otherwise individual sockets will still load system certificates when a chain doesn't match against the configured CA certificates. That's not intended behavior, since specifically setting the CA certificates means you don't want the system certificates to be used. Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a This is potentially a breaking change because now, if you ever add a CA to the default config, it will disable loading system certificates on demand for all sockets. And the only way to re-enable it is to create a null-QSslConfiguration and set it as the new default. Pick-to: 6.5 6.2 5.15 Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
author: Mårten Nordheim <marten.nordheim@qt.io> 2023-05-25 14:40:29 +0200
committer: Mårten Nordheim <marten.nordheim@qt.io> 2023-05-29 16:03:35 +0200
commit: 57ba6260c0801055b7188fdaa1818b940590f5f1 (patch)
tree: 71728d4d1b1a526c7cdb5f6f8f635c7a014acab5
parent: 51becfbd234d9152726446af0e3718644fcf00df (diff)
2 files changed, 26 insertions, 3 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 4eefe43929..0563fd0663 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
     , flushTriggered(false)
 {
     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
 
     const auto *tlsBackend = tlsBackendInUse();
     if (!tlsBackend) {
@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
     ptr->sessionProtocol = global->sessionProtocol;
     ptr->ciphers = global->ciphers;
     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
     ptr->protocol = global->protocol;
     ptr->peerVerifyMode = global->peerVerifyMode;
     ptr->peerVerifyDepth = global->peerVerifyDepth;
diff --git a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
index 2307cbb191..4d4aaca7e3 100644
--- a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
+++ b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
@@ -16,6 +16,9 @@
 // but the other side presents a certificate signed by a different CA.
 constexpr bool TestServerPresentsIncorrectCa = false;
 constexpr bool TestClientPresentsIncorrectCa = true;
+// Decides whether or not to put the root CA into the global ssl configuration
+// or into the socket's specific ssl configuration.
+constexpr bool UseGlobalConfiguration = true;
 
 class ServerThread : public QThread
 {
@@ -26,8 +29,10 @@ public:
         QSslServer server;
 
         QSslConfiguration config = server.sslConfiguration();
-        QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
-        config.setCaCertificates(certs);
+        if (!UseGlobalConfiguration) {
+            QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
+            config.setCaCertificates(certs);
+        }
         config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem"))
                                            .first());
         QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem"));
@@ -73,6 +78,12 @@ int main(int argc, char **argv)
     if (!QFileInfo(u":/rootCA.pem"_s).exists())
         qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?");
 
+    if (UseGlobalConfiguration) {
+        QSslConfiguration config = QSslConfiguration::defaultConfiguration();
+        config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
+        QSslConfiguration::setDefaultConfiguration(config);
+    }
+
     ServerThread serverThread;
     serverThread.start();
 
@@ -88,12 +99,19 @@ int main(int argc, char **argv)
         keyFileName = u":/accepted-client-key.pem"_s;
     }
     config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first());
-    if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail
+    if (!UseGlobalConfiguration && TestServerPresentsIncorrectCa) {
+        // Verify server using incorrect CA: should fail
         config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
+    } else if (UseGlobalConfiguration && !TestServerPresentsIncorrectCa) {
+        // Verify server using correct CA, we need to explicitly set the
+        // system CAs when the global config is overridden.
+        config.setCaCertificates(QSslConfiguration::systemCaCertificates());
+    }
     QFile keyFile(keyFileName);
     if (!keyFile.open(QIODevice::ReadOnly))
         qFatal("Failed to open key file");
     config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
+
     socket.setSslConfiguration(config);
 
     QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });
author	Mårten Nordheim <marten.nordheim@qt.io>	2023-05-25 14:40:29 +0200
committer	Mårten Nordheim <marten.nordheim@qt.io>	2023-05-29 16:03:35 +0200
commit	57ba6260c0801055b7188fdaa1818b940590f5f1 (patch)
tree	71728d4d1b1a526c7cdb5f6f8f635c7a014acab5
parent	51becfbd234d9152726446af0e3718644fcf00df (diff)