path: root/src/network/ssl/qsslcontext.cpp
authorFriedemann Kleint <Friedemann.Kleint@digia.com>2014-05-14 18:43:38 +0200
committerThe Qt Project <gerrit-noreply@qt-project.org>2014-05-14 18:43:38 +0200
commit70cd276db01de8a9ccabb60282f00068b3840b88 (patch)
treeffeae752c77d0e0074b59fe5c3c682d2842e459e /src/network/ssl/qsslcontext.cpp
parent800214f0b9cbbbc7b77a12180ce59033dd3cca64 (diff)
parent3d4aeb791990f359e277efbfb0a1f1793945b55d (diff)
Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev
Diffstat (limited to 'src/network/ssl/qsslcontext.cpp')
-rw-r--r--src/network/ssl/qsslcontext.cpp23
1 files changed, 12 insertions, 11 deletions
diff --git a/src/network/ssl/qsslcontext.cpp b/src/network/ssl/qsslcontext.cpp
index 9c68218062..f5e5352d5e 100644
--- a/src/network/ssl/qsslcontext.cpp
+++ b/src/network/ssl/qsslcontext.cpp
@@ -214,22 +214,23 @@ init_context:
}
// Add all our CAs to this store.
- QList<QSslCertificate> expiredCerts;
foreach (const QSslCertificate &caCertificate, sslContext->sslConfiguration.caCertificates()) {
- // add expired certs later, so that the
- // valid ones are used before the expired ones
- if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
- expiredCerts.append(caCertificate);
- } else {
+ // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
+ //
+ // If several CA certificates matching the name, key identifier, and
+ // serial number condition are available, only the first one will be
+ // examined. This may lead to unexpected results if the same CA
+ // certificate is available with different expiration dates. If a
+ // ``certificate expired'' verification error occurs, no other
+ // certificate will be searched. Make sure to not have expired
+ // certificates mixed with valid ones.
+ //
+ // See also: QSslSocketBackendPrivate::verify()
+ if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
q_X509_STORE_add_cert(sslContext->ctx->cert_store, (X509 *)caCertificate.handle());
}
}
- // now add the expired certs
- foreach (const QSslCertificate &caCertificate, expiredCerts) {
- q_X509_STORE_add_cert(sslContext->ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
- }
-
if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
// tell OpenSSL the directories where to look up the root certs on demand
QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
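Review bot: The filter added at the `if` before `q_X509_STORE_add_cert` only tests the expiry date, so a CA whose validity period has not started yet is still added to the store; the OpenSSL behaviour the new comment quotes (only the first matching CA is examined) presumably applies just as much to a "certificate is not yet valid" error, so such a certificate would shadow a valid duplicate exactly like an expired one did. I would hoist the clock read out of the loop and check both ends of the validity window: `const QDateTime now = QDateTime::currentDateTime();` before the `foreach`, and `if (caCertificate.effectiveDate() <= now && caCertificate.expiryDate() >= now)` in place of the new condition. Dropping a configured CA silently is also hard to diagnose from the outside; a `qWarning` (or at least a `qDebug`) naming the skipped certificate's subject in an `else` branch would help operators. Note that the on-demand root directories handed to OpenSSL a few lines below are not subject to this filter, which may be worth stating in the comment. The enclosing initialisation routine starts before this hunk.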