authorLars Knoll <lars.knoll@qt.io>2017-12-29 15:56:33 +0100
committerLars Knoll <lars.knoll@qt.io>2017-12-30 12:09:53 +0100
commitdb92f2f3aac60218756a1aa8811cf192acc0b0e6 (patch)
treef28a47aebb2f08e221fe7bffafce62a0a96cf7fd /src/network/ssl/qsslsocket_mac.cpp
parentdd61a1d98ea9fbffeaf0e2adcd0ddd58105f6a75 (diff)
parent44da5b863597e761df3545dc7ff02a9b53bbb13d (diff)
Merge remote-tracking branch 'origin/5.9' into 5.10
Conflicts: .qmake.conf mkspecs/win32-g++/qmake.conf src/corelib/global/qglobal_p.h src/corelib/global/qoperatingsystemversion_p.h src/corelib/io/qfilesystemengine_win.cpp src/network/bearer/qbearerengine.cpp src/platformsupport/input/libinput/qlibinputpointer.cpp src/sql/doc/snippets/code/doc_src_sql-driver.cpp src/widgets/kernel/qwidget_p.h src/widgets/kernel/qwidgetwindow.cpp src/widgets/styles/qfusionstyle.cpp tests/auto/corelib/io/qfileinfo/tst_qfileinfo.cpp Change-Id: I80e2722f481b12fff5d967c28f89208c0e9a1dd8
Diffstat (limited to 'src/network/ssl/qsslsocket_mac.cpp')
-rw-r--r--src/network/ssl/qsslsocket_mac.cpp15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp
index 8d2efe74be..5312464964 100644
--- a/src/network/ssl/qsslsocket_mac.cpp
+++ b/src/network/ssl/qsslsocket_mac.cpp
@@ -47,6 +47,7 @@
#include "qsslkey_p.h"
#include <QtCore/qmessageauthenticationcode.h>
+#include <QtCore/qoperatingsystemversion.h>
#include <QtCore/qcryptographichash.h>
#include <QtCore/qdatastream.h>
#include <QtCore/qsysinfo.h>
@@ -1245,13 +1246,17 @@ bool QSslSocketBackendPrivate::verifyPeerTrust()
// actual system CA certificate list (which most use-cases need) other than
// by letting SecTrustEvaluate fall through to the system list; so, in this case
// (even though the client code may have provided its own certs), we retain
- // the default behavior.
+ // the default behavior. Note, with macOS SDK below 10.12 using 'trust my
+ // anchors only' may result in some valid chains rejected, apparently the
+ // ones containing intermediated certificates; so we use this functionality
+ // on more recent versions only.
+
+ bool anchorsFromConfigurationOnly = false;
#ifdef Q_OS_MACOS
- const bool anchorsFromConfigurationOnly = true;
-#else
- const bool anchorsFromConfigurationOnly = false;
-#endif
+ if (QOperatingSystemVersion::current() >= QOperatingSystemVersion::MacOSSierra)
+ anchorsFromConfigurationOnly = true;
+#endif // Q_OS_MACOS
SecTrustSetAnchorCertificatesOnly(trust, anchorsFromConfigurationOnly);
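Review bot: On macOS releases older than Sierra the flag now stays `false`, so `SecTrustSetAnchorCertificatesOnly(trust, false)` leaves the system roots trusted alongside whatever CA list the application configured, and the comment does not tell the reader that a restricted CA set will not narrow trust there. The new comment also says "macOS SDK below 10.12", while the test is a runtime one (`QOperatingSystemVersion::current()`), so the wording should name the running OS version rather than the SDK. I would extend the comment with something like `// On macOS older than 10.12 the system anchors stay trusted in addition to the configured CAs, so a custom CA list does not narrow trust there.` and correct "intermediated" to "intermediate". verifyPeerTrust() begins and ends outside this hunk, so how the anchors themselves are installed on the trust object is not visible here and should be checked against this reading.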