authorShane Kearns <ext-shane.2.kearns@nokia.com>2012-04-27 20:05:05 +0100
committerQt by Nokia <qt-info@nokia.com>2012-05-04 03:10:39 +0200
commit42d4639fd95b098ff087afa9fc325adf906e2f55 (patch)
tree58285d6359175d1bd1251226ea42d1be44064296 /src
parentf503e906d6849fc7a2fef57a52b44194030bc5ed (diff)
Fix windows cert fetcher if site presents full chain
If a website presents the complete certificate chain in the handshake, i.e. site -> intermediate CA -> root CA, then openssl gives a different error (SelfSignedCertificateInChain). Because of this windows feature, that either means the site is signed by an untrusted CA, or the CA trust status is unknown because we don't have the root cert in the cert store. In any case, calling the windows verification function results in a trusted chain & the root being added to the cert store. Task-number: QTBUG-24827 Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6 Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src')
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 59f6f53fef..eddedac486 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1252,7 +1252,8 @@ bool QSslSocketBackendPrivate::startHandshake()
bool fetchCertificate = true;
for (int i=0; i< sslErrors.count(); i++) {
switch (sslErrors.at(i).error()) {
- case QSslError::UnableToGetLocalIssuerCertificate:
+ case QSslError::UnableToGetLocalIssuerCertificate: // site presented intermediate cert, but root is unknown
+ case QSslError::SelfSignedCertificateInChain: // site presented a complete chain, but root is unknown
certToFetch = sslErrors.at(i).certificate();
break;
case QSslError::SelfSignedCertificate:
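Review bot: The two new trailing comments in the `switch` in `startHandshake()` explain when each error occurs, but not that `sslErrors.at(i).certificate()` means something different in the two cases. For `SelfSignedCertificateInChain` it is presumably the self-signed root the peer itself sent, so `certToFetch` now carries peer-controlled data into the fetcher. I would say so where the assignment happens, e.g. `// certToFetch may be the peer-supplied root: untrusted until the OS store vouches for it`. Because `certToFetch` is overwritten on every match in the visible lines, the last matching error decides which certificate is fetched; a short comment stating whether that is intended would help. The loop and the rest of the `switch` continue outside this hunk.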
@@ -1344,6 +1345,7 @@ void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertifi
case QSslError::UnableToGetLocalIssuerCertificate:
case QSslError::CertificateUntrusted:
case QSslError::UnableToVerifyFirstCertificate:
+ case QSslError::SelfSignedCertificateInChain:
// error can be ignored if OS says the chain is trusted
sslErrors.removeAt(i);
break;
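Review bot: `SelfSignedCertificateInChain` is also the error a chain ending in a private or otherwise untrusted root produces, so dropping it in `_q_caRootLoaded()` is only safe if the code above this `switch` has confirmed that the OS returned a trusted root for the same certificate the error refers to. That guard is outside the hunk and cannot be checked here. The existing comment could state the condition explicitly, e.g. `// safe to drop only because the OS validated this chain to a root in its trust store`. A regression test with a server that presents a full chain whose root is absent from the OS store, asserting that the error is still reported, would pin the behaviour this new case label depends on.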