diff options
author | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2014-05-12 13:59:19 +0200 |
---|---|---|
committer | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2014-05-12 14:01:46 +0200 |
commit | 73bc91c9dfc66b5cd1a89c75b414c0573bc35c2a (patch) | |
tree | 6bda1e09322e0ff4638783cff8c6bcfb35a173ce /src/network/ssl/qsslsocket_openssl.cpp | |
parent | 793b7e80083d77b0804a40b5732a8888c9ce5cd8 (diff) | |
parent | 9bde391da4a36a612d38fb0041f5ab2e262741b1 (diff) |
Merge remote-tracking branch 'origin/release' into stable
Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index f9f7d0b35d..2ee69d35da 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1600,23 +1600,23 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi setDefaultCaCertificates(defaultCaCertificates() + systemCaCertificates()); } - QList<QSslCertificate> expiredCerts; - foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) { - // add expired certs later, so that the - // valid ones are used before the expired ones - if (caCertificate.expiryDate() < QDateTime::currentDateTime()) { - expiredCerts.append(caCertificate); - } else { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslContext::fromConfiguration() + if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) { q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle())); } } - // now add the expired certs - foreach (const QSslCertificate &caCertificate, expiredCerts) { - q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle())); - } - QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); // Register a custom callback to get all verification errors. |