author | Peter Hartmann <peter.hartmann@nokia.com> | 2011-09-05 12:53:49 +0200 |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2011-09-07 10:17:11 +0200 |
commit | a6e0e7909bc6eaaf2d1fd1dc17cab85d90dcdc61 (patch) | |
tree | c571a57c87bc6a53ed7a08fc8b71870b72c6333e /src/network/ssl/qsslsocket_openssl.cpp | |
parent | 0bcb2262d079f88e2c9e38eefaab36ba9aa0d7d3 (diff) |
QSslCertificate: block all DigiNotar (intermediate and root) certs
and do not only check leaf certificates, but all intermediates and
the root. Tested manually with the cross-signed intermediates.
Change-Id: I860dc9b568bc244abc9228486dbb374a1a2b47c4
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 64adbd0c5775f97343afbe0e7b5fde0d70bdaedd)
Reviewed-on: http://codereview.qt.nokia.com/4291
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0ff17910f3..14a3899bfd 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1270,12 +1270,15 @@ bool QSslSocketBackendPrivate::startHandshake()
 // Start translating errors.
 QList<QSslError> errors;
- if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
- QSslError error(QSslError::CertificateBlacklisted, configuration.peerCertificate);
- errors << error;
- emit q->peerVerifyError(error);
- if (q->state() != QAbstractSocket::ConnectedState)
- return false;
+ // check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
+ foreach (const QSslCertificate &cert, configuration.peerCertificateChain) {
+ if (QSslCertificatePrivate::isBlacklisted(cert)) {
+ QSslError error(QSslError::CertificateBlacklisted, cert);
+ errors << error;
+ emit q->peerVerifyError(error);
+ if (q->state() != QAbstractSocket::ConnectedState)
+ return false;
+ }
 }
 bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer |
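Review bot: The new `foreach` walks only `configuration.peerCertificateChain`, so the leaf in `configuration.peerCertificate` is blacklist-checked only when the chain happens to contain it. OpenSSL's SSL_get_peer_cert_chain() leaves the peer's own certificate out of the returned stack on the server side, so if the chain is filled directly from that call (the assignment is outside this hunk and should be confirmed), a blacklisted client certificate would no longer raise `QSslError::CertificateBlacklisted` in server mode, which the removed code did catch. Consider iterating a list that always includes the leaf, e.g. `QList<QSslCertificate> toCheck = configuration.peerCertificateChain;` followed by `if (!toCheck.contains(configuration.peerCertificate)) toCheck.prepend(configuration.peerCertificate);` and then `foreach (const QSslCertificate &cert, toCheck)`. A short comment stating which side's chain includes the leaf would also help the next reader; startHandshake() begins and ends outside the hunk.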