CA fetcher (Windows) - relax the logic a bit

In case a certificate chain is missing an intermediate, for a certificate having "Authority Information Access" extension it's possible to fetch this intermediate and build the chain up to the trusted root. Unfortunately, it's not always possible to install the root certificate in the system "ROOT" store and then an application wants to set it in the socket's configuration, using setCaCertificates(). But this call also disables CA fetcher ('no on demand root loading'). It makes sense to relax this logic for such certificates and try to fetch the intermediate CA and then have the complete chain verified. Pick-to: 5.15 Fixes: QTBUG-84173 Change-Id: I5b9b4271767eba6f5fd2b5cf05e942360c6aa245 Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io> Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
author: Timur Pocheptsov <timur.pocheptsov@qt.io> 2020-05-14 16:40:08 +0200
committer: Timur Pocheptsov <timur.pocheptsov@qt.io> 2020-05-29 16:58:43 +0200
commit: 73158a9cb0942c2cdb3c6a98bcfd5763eed65c85 (patch)
tree: 0ac4b5b9a110d0c0b76ea9d9a758b18a106ea43e /src/network/ssl/qsslsocket.cpp
parent: 2216f10ffdd7e6e836dd0b63f5130bcac2f071d7 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 667a2e7267..4b6d8c21d1 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -2326,6 +2326,7 @@ void QSslSocketPrivate::init()
     writeBuffer.clear();
     configuration.peerCertificate.clear();
     configuration.peerCertificateChain.clear();
+    fetchAuthorityInformation = false;
 }
 
 /*!
author	Timur Pocheptsov <timur.pocheptsov@qt.io>	2020-05-14 16:40:08 +0200
committer	Timur Pocheptsov <timur.pocheptsov@qt.io>	2020-05-29 16:58:43 +0200
commit	73158a9cb0942c2cdb3c6a98bcfd5763eed65c85 (patch)
tree	0ac4b5b9a110d0c0b76ea9d9a758b18a106ea43e /src/network/ssl/qsslsocket.cpp
parent	2216f10ffdd7e6e836dd0b63f5130bcac2f071d7 (diff)