diff options
author | Mårten Nordheim <marten.nordheim@qt.io> | 2023-05-25 14:40:29 +0200 |
---|---|---|
committer | Mårten Nordheim <marten.nordheim@qt.io> | 2023-05-29 16:03:35 +0200 |
commit | 57ba6260c0801055b7188fdaa1818b940590f5f1 (patch) | |
tree | 71728d4d1b1a526c7cdb5f6f8f635c7a014acab5 | |
parent | 51becfbd234d9152726446af0e3718644fcf00df (diff) |
Ssl: Copy the on-demand cert loading bool from default config
Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.
Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.
Pick-to: 6.5 6.2 5.15
Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 5 | ||||
-rw-r--r-- | tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp | 24 |
2 files changed, 26 insertions, 3 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 4eefe43929..0563fd0663 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate() , flushTriggered(false) { QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); + // If the global configuration doesn't allow root certificates to be loaded + // on demand then we have to disable it for this socket as well. + if (!configuration.allowRootCertOnDemandLoading) + allowRootCertOnDemandLoading = false; const auto *tlsBackend = tlsBackendInUse(); if (!tlsBackend) { @@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri ptr->sessionProtocol = global->sessionProtocol; ptr->ciphers = global->ciphers; ptr->caCertificates = global->caCertificates; + ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading; ptr->protocol = global->protocol; ptr->peerVerifyMode = global->peerVerifyMode; ptr->peerVerifyDepth = global->peerVerifyDepth; diff --git a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp index 2307cbb191..4d4aaca7e3 100644 --- a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp +++ b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp @@ -16,6 +16,9 @@ // but the other side presents a certificate signed by a different CA. constexpr bool TestServerPresentsIncorrectCa = false; constexpr bool TestClientPresentsIncorrectCa = true; +// Decides whether or not to put the root CA into the global ssl configuration +// or into the socket's specific ssl configuration. +constexpr bool UseGlobalConfiguration = true; class ServerThread : public QThread { @@ -26,8 +29,10 @@ public: QSslServer server; QSslConfiguration config = server.sslConfiguration(); - QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem")); - config.setCaCertificates(certs); + if (!UseGlobalConfiguration) { + QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem")); + config.setCaCertificates(certs); + } config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem")) .first()); QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem")); @@ -73,6 +78,12 @@ int main(int argc, char **argv) if (!QFileInfo(u":/rootCA.pem"_s).exists()) qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?"); + if (UseGlobalConfiguration) { + QSslConfiguration config = QSslConfiguration::defaultConfiguration(); + config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s)); + QSslConfiguration::setDefaultConfiguration(config); + } + ServerThread serverThread; serverThread.start(); @@ -88,12 +99,19 @@ int main(int argc, char **argv) keyFileName = u":/accepted-client-key.pem"_s; } config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first()); - if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail + if (!UseGlobalConfiguration && TestServerPresentsIncorrectCa) { + // Verify server using incorrect CA: should fail config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s)); + } else if (UseGlobalConfiguration && !TestServerPresentsIncorrectCa) { + // Verify server using correct CA, we need to explicitly set the + // system CAs when the global config is overridden. + config.setCaCertificates(QSslConfiguration::systemCaCertificates()); + } QFile keyFile(keyFileName); if (!keyFile.open(QIODevice::ReadOnly)) qFatal("Failed to open key file"); config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa)); + socket.setSslConfiguration(config); QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; }); |