diff options
| author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-04-24 16:33:08 +0200 |
|---|---|---|
| committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-04-26 12:42:40 +0000 |
| commit | 2d2dd857669baf51fadad9608e6d6a0c08bbb373 (patch) | |
| tree | 89dde636bab2909a430f61013253938a80572e13 /src/network | |
| parent | e5a1c7fff7b17a149ad5bea9f7e3694382e7674b (diff) | |
QSslSocket (SecureTransport) - use anchors only from QSslConfiguration
Calling SecTrustSetAnchorCertificatesOnly(trust, false) we actually extend
what our user provided in QSslConfiguration as CA certificates (caCertificates,
setCaCertificates) - Secure Transport will also use a default set provided
by the system and SSL handshake can surprisingly (for a user) succeed.
And the default content of these caCertificates, if not altered by setCaCertificates
call - are those system CA certificates.
Task-number: QTBUG-60233
Change-Id: I8c1094bb7eec260f5202a47085f9f75e720eda7b
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network')
| -rw-r--r-- | src/network/ssl/qsslsocket_mac.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index a2dee75895..fec5fbefc0 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -1223,7 +1223,8 @@ bool QSslSocketBackendPrivate::verifyPeerTrust() CFArrayAppendValue(certArray, certRef); } SecTrustSetAnchorCertificates(trust, certArray); - SecTrustSetAnchorCertificatesOnly(trust, false); + // Secure Transport should use anchors only from our QSslConfiguration: + SecTrustSetAnchorCertificatesOnly(trust, true); SecTrustResultType trustResult = kSecTrustResultInvalid; SecTrustEvaluate(trust, &trustResult); |