authorFrederik Gladhorn <frederik.gladhorn@digia.com>2014-05-13 22:18:43 +0200
committerFrederik Gladhorn <frederik.gladhorn@digia.com>2014-05-13 22:19:10 +0200
commit3d4aeb791990f359e277efbfb0a1f1793945b55d (patch)
treee877b7b4ad76d554aa3dbe6131d03b98a7447c63 /src/network
parentb861c43395b17d5df34f24853faa21b9824a53af (diff)
parentc8de2a8b5f5d0b9b3bc1d8ed8d3027ac40b00ee3 (diff)
Merge remote-tracking branch 'origin/stable' into dev
Conflicts: src/gui/kernel/qguiapplication.cpp Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
Diffstat (limited to 'src/network')
-rw-r--r--src/network/access/qspdyprotocolhandler.cpp6
-rw-r--r--src/network/ssl/qsslcontext.cpp23
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp24
3 files changed, 27 insertions, 26 deletions
diff --git a/src/network/access/qspdyprotocolhandler.cpp b/src/network/access/qspdyprotocolhandler.cpp
index d204d498bf..ab703981ee 100644
--- a/src/network/access/qspdyprotocolhandler.cpp
+++ b/src/network/access/qspdyprotocolhandler.cpp
@@ -580,7 +580,7 @@ void QSpdyProtocolHandler::sendControlFrame(FrameType type,
{
// frame type and stream ID
char header[8];
- header[0] = 0x80; // leftmost bit == 1 -> is a control frame
+ header[0] = 0x80u; // leftmost bit == 1 -> is a control frame
header[1] = 0x03; // 3 bit == version 3
header[2] = 0;
switch (type) {
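Review bot: The `u` suffix in `header[0] = 0x80u;` changes the literal's type, but 0x80 still does not fit a signed `char`, so where plain `char` is signed the stored value still comes from an implementation-defined conversion. Writing the conversion out, `header[0] = static_cast<char>(0x80);`, or declaring the buffer as `unsigned char header[8];` if its later uses allow, would state the intent in the code. The same applies to the two `prioAndSlot[0]` assignments in the sendSYN_STREAM hunk, whose declaration is not visible there. sendControlFrame's body continues past this hunk.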
@@ -653,10 +653,10 @@ void QSpdyProtocolHandler::sendSYN_STREAM(HttpMessagePair messagePair,
prioAndSlot[0] = 0x00; // == prio 0 (highest)
break;
case QHttpNetworkRequest::NormalPriority:
- prioAndSlot[0] = 0x80; // == prio 4
+ prioAndSlot[0] = 0x80u; // == prio 4
break;
case QHttpNetworkRequest::LowPriority:
- prioAndSlot[0] = 0xe0; // == prio 7 (lowest)
+ prioAndSlot[0] = 0xe0u; // == prio 7 (lowest)
break;
}
prioAndSlot[1] = 0x00; // slot in client certificates (not supported currently)
diff --git a/src/network/ssl/qsslcontext.cpp b/src/network/ssl/qsslcontext.cpp
index 9c68218062..f5e5352d5e 100644
--- a/src/network/ssl/qsslcontext.cpp
+++ b/src/network/ssl/qsslcontext.cpp
@@ -214,22 +214,23 @@ init_context:
}
// Add all our CAs to this store.
- QList<QSslCertificate> expiredCerts;
foreach (const QSslCertificate &caCertificate, sslContext->sslConfiguration.caCertificates()) {
- // add expired certs later, so that the
- // valid ones are used before the expired ones
- if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
- expiredCerts.append(caCertificate);
- } else {
+ // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
+ //
+ // If several CA certificates matching the name, key identifier, and
+ // serial number condition are available, only the first one will be
+ // examined. This may lead to unexpected results if the same CA
+ // certificate is available with different expiration dates. If a
+ // ``certificate expired'' verification error occurs, no other
+ // certificate will be searched. Make sure to not have expired
+ // certificates mixed with valid ones.
+ //
+ // See also: QSslSocketBackendPrivate::verify()
+ if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
q_X509_STORE_add_cert(sslContext->ctx->cert_store, (X509 *)caCertificate.handle());
}
}
- // now add the expired certs
- foreach (const QSslCertificate &caCertificate, expiredCerts) {
- q_X509_STORE_add_cert(sslContext->ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
- }
-
if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
// tell OpenSSL the directories where to look up the root certs on demand
QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
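Review bot: The expiry filter covers only the certificates added explicitly in this loop; the `s_loadRootCertsOnDemand` branch directly below still gives OpenSSL whole directories to search, so an expired copy of a CA stored there could presumably still sit next to a valid one. If that is accepted, the comment should say so, for example `// Only explicitly configured CAs are filtered; on-demand directory lookup is not.` Separately, `QDateTime::currentDateTime()` is evaluated once per certificate, both here and in the matching loop of the qsslsocket_openssl.cpp hunk. Taking `const QDateTime now = QDateTime::currentDateTime();` before the `foreach` and comparing against `now` gives every certificate the same cutoff. The enclosing function starts and ends outside the hunk.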
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index b0d1ed2c4f..173d8eaa89 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1633,23 +1633,23 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi
setDefaultCaCertificates(defaultCaCertificates() + systemCaCertificates());
}
- QList<QSslCertificate> expiredCerts;
-
foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) {
- // add expired certs later, so that the
- // valid ones are used before the expired ones
- if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
- expiredCerts.append(caCertificate);
- } else {
+ // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
+ //
+ // If several CA certificates matching the name, key identifier, and
+ // serial number condition are available, only the first one will be
+ // examined. This may lead to unexpected results if the same CA
+ // certificate is available with different expiration dates. If a
+ // ``certificate expired'' verification error occurs, no other
+ // certificate will be searched. Make sure to not have expired
+ // certificates mixed with valid ones.
+ //
+ // See also: QSslContext::fromConfiguration()
+ if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
}
}
- // now add the expired certs
- foreach (const QSslCertificate &caCertificate, expiredCerts) {
- q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
- }
-
QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex);
// Register a custom callback to get all verification errors.