authorMårten Nordheim <marten.nordheim@qt.io>2022-07-26 11:18:04 +0200
committerMårten Nordheim <marten.nordheim@qt.io>2023-02-15 13:08:31 +0200
commit2294e68559d6a6e89d7a607afa6a2a6a35cbb501 (patch)
tree6dd5c60f6c778fcc6a965959a4d7ebe73fafdf6e /src/plugins/tls
parent402a526b2a87cbf6b7466bacb9dd3d8b7c71d9b2 (diff)
Schannel: Enable users to let schannel pick a certificate
Schannel is by default able to pick out and transmit a certificate it can find in the user's certificate store. We disabled this by default because some applications create and store certificates in the store that is searched, so it may grab unexpected certificates. However, in some environments this is not an issue, so let these users re-enable this feature. Fixes: QTBUG-89556 Change-Id: Iffa8550ee64c70bb0955041072ed5a49f600f6a1 Reviewed-by: Joni Poikelin <joni.poikelin@qt.io> Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/plugins/tls')
-rw-r--r--src/plugins/tls/schannel/qtls_schannel.cpp10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/plugins/tls/schannel/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp
index 04b44417a8..b230f2f787 100644
--- a/src/plugins/tls/schannel/qtls_schannel.cpp
+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
@@ -679,6 +679,10 @@ qint64 checkIncompleteData(const SecBuffer &secBuffer)
return 0;
}
+DWORD defaultCredsFlag()
+{
+ return qEnvironmentVariableIsSet("QT_SCH_DEFAULT_CREDS") ? 0 : SCH_CRED_NO_DEFAULT_CREDS;
+}
} // anonymous namespace
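Review bot: `defaultCredsFlag()` treats the variable as enabled whenever it exists, so `QT_SCH_DEFAULT_CREDS=0` or an empty value also drops `SCH_CRED_NO_DEFAULT_CREDS`, the opposite of what someone trying to switch the feature off would expect. Clearing the flag lets Schannel present a certificate from the user's store, so the opt-in is safer parsed as a value, e.g. `return qEnvironmentVariableIntValue("QT_SCH_DEFAULT_CREDS") > 0 ? 0 : SCH_CRED_NO_DEFAULT_CREDS;`. If the is-set convention is intentional, it should be documented. Either way a comment above the function would help, such as `// Opt-in: lets Schannel pick a client certificate from the user's store; off by default because other applications may have stored certificates there.`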
@@ -854,8 +858,7 @@ bool TlsCryptographSchannel::acquireCredentialsHandle()
0,
nullptr,
0,
- SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
- | SCH_CRED_NO_DEFAULT_CREDS,
+ SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | defaultCredsFlag(),
1,
&tlsParameters
};
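Review bot: Nothing at this call site records that default credentials were allowed, so with `QT_SCH_DEFAULT_CREDS` set, Schannel can choose a certificate for a connection without any trace in the application's logs. A debug-level message next to the credential acquisition, emitted when `defaultCredsFlag()` returns 0, would make that visible; the same applies to the initializer in the following hunk. The flags entry here is also unlabelled, unlike the later one, so a trailing `// dwFlags` would match. `acquireCredentialsHandle()` starts and ends outside both hunks, so whether it already logs this cannot be seen here.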
@@ -879,8 +882,7 @@ bool TlsCryptographSchannel::acquireCredentialsHandle()
0, // dwMinimumCipherStrength (0 = system default)
0, // dwMaximumCipherStrength (0 = system default)
0, // dwSessionLifespan (0 = schannel default, 10 hours)
- SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
- | SCH_CRED_NO_DEFAULT_CREDS, // dwFlags
+ SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | defaultCredsFlag(), // dwFlags
0 // dwCredFormat (must be 0)
};
credentials = cred;