authorShane Kearns <shane.kearns@accenture.com>2012-01-06 16:29:43 +0000
committerQt by Nokia <qt-info@nokia.com>2012-01-06 19:24:23 +0100
commitca5072fb185a75e2c9ef25fd19a56cbe41128b0a (patch)
tree3daf03233746895266c77a48dab4bdbb7623180c
parentc87bf2e8e63bed112456e8c5a501728fd093a4e6 (diff)
Fix renewed SSL certificates being incorrectly reported as expired
OpenSSL tries certificates in the order they are added to the store. There was logic to add the expired certificates after the valid ones to ensure the valid certificate is checked first if the OS cert store contains both the expired and renewed version of the same cert (e.g. the VeriSign class 3 cert on Windows). However, due to a coding error, the ordering was reversed, ensuring the problem is always encountered instead of always avoided. Task-number: QTBUG-20012 Change-Id: I7c8dba8a09842540a22b44d33c7dcb22bbbc6a58 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Richard J. Moore <rich@kde.org>
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index f22d0bd2e5..ab40f15cde 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -343,7 +343,7 @@ init_context:
foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
// add expired certs later, so that the
// valid ones are used before the expired ones
- if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
+ if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
expiredCerts.append(caCertificate);
} else {
q_X509_STORE_add_cert(ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
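Review bot: The expiry test is written out twice, here in the `init_context:` loop and again in `QSslSocketBackendPrivate::verify()` (second hunk), and both copies carried the same inverted operator; a small file-local helper shared by the two trust-store loops would keep them from drifting apart again. Each loop also calls `QDateTime::currentDateTime()` once per certificate, so taking `const QDateTime now = QDateTime::currentDateTime();` before the `foreach` and comparing `caCertificate.expiryDate() < now` would give every CA the same reference time. The comment could state why the order matters, e.g. `// OpenSSL tries store entries in insertion order, so add still-valid CAs before expired ones`. Both loops continue outside their hunks, and the diffstat lists no autotest, so a regression test that loads an expired and a renewed copy of the same CA would be worth adding.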
@@ -1354,7 +1354,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi
foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) {
// add expired certs later, so that the
// valid ones are used before the expired ones
- if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
+ if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
expiredCerts.append(caCertificate);
} else {
q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
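Review bot: Only `expiryDate()` is consulted in the condition, so a CA certificate whose validity period has not started yet takes the `else` branch and is added to `certStore` ahead of the deferred ones. If the intent is that certificates valid right now are tried first, the test could also check the start date, e.g. `if (caCertificate.expiryDate() < now || caCertificate.effectiveDate() > now)` with `now` read once before the loop; the same applies to the `init_context:` hunk. The result of `q_X509_STORE_add_cert(...)` is discarded on the context line, so a CA that fails to load into the store goes unnoticed here; whether that is reported elsewhere is not visible in the hunk.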