QSslSocket::verify: do not alter the default configuration

QSslCertificate::verify() has an undocumented and not very desirable property -
on some platorms it updates the default configuration, which can be surprising.
For example, we deprecated QSslSocket::setDefaultCaCertificates() and recommend
using QSslConfiguration::defaultConfiguration(), QSslConfiguration::setDefaultConfiguration(),
and QSslConfiguration::setCaCertificates(). If an application does this to select
CA roots it trusts explicitly, and then for some reason is calling verify, the
application can have its QSslSockets successfully connecting to a host, whose
root was not trusted by the application. Also, on Windows, defaultCaCertificates()
include system roots already, no need to have them twice.

[ChangeLog][QtCore][QtNetwork] QSslSocket::verify - do not change the default configuration

Pick-to: 5.15
Pick-to: 6.0
Pick-to: 6.0.0
Fixes: QTBUG-88639
Change-Id: I1cd40b259d0a6dcd15c78d1e7c027ff10859595c
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>

2 files changed, 12 insertions, 6 deletions

diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 5dd3f49524..c63ef5d205 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -591,9 +591,9 @@ QList<QSslCertificate> QSslCertificate::fromData(const QByteArray &data, QSsl::E
     the specified host name.
 
     Note that the root (CA) certificate should not be included in the list to be verified,
-    this will be looked up automatically either using the CA list specified by
-    QSslSocket::defaultCaCertificates() or, if possible, it will be loaded on demand
-    on Unix.
+    this will be looked up automatically using the CA list specified in the
+    default QSslConfiguration, and, in addition, if possible, CA certificates loaded on
+    demand on Unix and Windows.
 
     \since 5.0
  */
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 39d011d684..7a237ee7db 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -2319,10 +2319,16 @@ QList<QSslCertificate> QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates
 QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &certificateChain,
                                                   const QString &hostName)
 {
+    auto roots = QSslConfiguration::defaultConfiguration().caCertificates();
+#ifndef Q_OS_WIN
+    // On Windows, system CA certificates are already set as default ones.
+    // No need to add them again (and again) and also, if the default configuration
+    // has its own set of CAs, this probably should not be amended by the ones
+    // from the 'ROOT' store, since it's not what an application chose to trust.
     if (s_loadRootCertsOnDemand)
-        setDefaultCaCertificates(defaultCaCertificates() + systemCaCertificates());
-
-    return verify(QSslConfiguration::defaultConfiguration().caCertificates(), certificateChain, hostName);
+        roots.append(systemCaCertificates());
+#endif // Q_OS_WIN
+    return verify(roots, certificateChain, hostName);
 }
 
 QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &caCertificates,