author | André Klitzing <aklitzing@gmail.com> | 2020-07-17 15:47:33 +0200 |
---|---|---|
committer | André Klitzing <aklitzing@gmail.com> | 2020-07-17 16:28:52 +0200 |
commit | 4581cd5fb664676cadda855490b3f21c2ed28a58 (patch) | |
tree | 47d2889420ab257bbb8c72336ccef6f36b275db2 /src/network/ssl/qsslsocket_openssl.cpp | |
parent | 0e240204b59c33987cb0c8c1ed64ac60e21c18b4 (diff) |
Fix OCSP-Stapling error if identity cannot be verified

If QSslConfiguration::setCaCertificates is set to an empty list, openssl
cannot verify the OCSP-Response.
Qt will provide it as QSslError::OcspResponseCannotBeTrusted that can be
ignored. But the openssl error is still in the error queue and prevents
a successful reply in QNetworkReply::finished.
So let's clear the queue after OCSP checking to avoid side effects.

Change-Id: I44a7f45a2eebd20ea86a235a0534f80986c40a26
Fixes: QTBUG-85638
Pick-to: 5.15
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 02ce1ed183..43fe94639f 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -84,6 +84,7 @@ #include <QtCore/qurl.h> #include <QtCore/qvarlengtharray.h> #include <QtCore/qscopedvaluerollback.h> +#include <QtCore/qscopeguard.h> #include <QtCore/qlibrary.h> #include <QtCore/qoperatingsystemversion.h> @@ -1802,6 +1803,10 @@ bool QSslSocketBackendPrivate::checkOcspStatus() Q_ASSERT(mode == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode Q_ASSERT(configuration.peerVerifyMode != QSslSocket::VerifyNone); + const auto clearErrorQueue = qScopeGuard([] { + logAndClearErrorQueue(); + }); + ocspResponses.clear(); ocspErrorDescription.clear(); ocspErrors.clear(); |
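Review bot: the qScopeGuard added in the second hunk, right after the two Q_ASSERTs in checkOcspStatus(), has no comment saying why the error queue is emptied on every return path. A reader of this function alone cannot tell that a leftover OCSP verification error would otherwise prevent a successful reply in QNetworkReply::finished. A one-line comment above `const auto clearErrorQueue = qScopeGuard([] {` that references QTBUG-85638 would cover it. Because the guard calls logAndClearErrorQueue() unconditionally, including when the OCSP check succeeds, it is also worth confirming that no caller expects to read entries from the queue after checkOcspStatus() returns.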