1 files changed, 28 insertions, 6 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 4eefe43929..395394d432 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -97,8 +97,7 @@
 
     \list
     \li The socket's cryptographic cipher suite can be customized before
-    the handshake phase with QSslConfiguration::setCiphers()
-    and QSslConfiguration::setDefaultCiphers().
+    the handshake phase with QSslConfiguration::setCiphers().
     \li The socket's local certificate and private key can be customized
     before the handshake phase with setLocalCertificate() and
     setPrivateKey().
@@ -365,6 +364,12 @@ QT_BEGIN_NAMESPACE
 
 using namespace Qt::StringLiterals;
 
+#ifdef Q_OS_VXWORKS
+constexpr auto isVxworks = true;
+#else
+constexpr auto isVxworks = false;
+#endif
+
 class QSslSocketGlobalData
 {
 public:
@@ -1539,7 +1544,12 @@ QList<QString> QSslSocket::availableBackends()
     from the list of available backends.
 
     \note When selecting a default backend implicitly, QSslSocket prefers
-    the OpenSSL backend if available.
+    the OpenSSL backend if available. If it's not available, the Schannel backend
+    is implicitly selected on Windows, and Secure Transport on Darwin platforms.
+    Failing these, if a custom TLS backend is found, it is used.
+    If no other backend is found, the "certificate only" backend is selected.
+    For more information about TLS plugins, please see
+    \l {Enabling and Disabling SSL Support when Building Qt from Source}.
 
     \sa setActiveBackend(), availableBackends()
 */
@@ -1973,6 +1983,10 @@ QSslSocketPrivate::QSslSocketPrivate()
     , flushTriggered(false)
 {
     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
 
     const auto *tlsBackend = tlsBackendInUse();
     if (!tlsBackend) {
@@ -2281,6 +2295,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
     ptr->sessionProtocol = global->sessionProtocol;
     ptr->ciphers = global->ciphers;
     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
     ptr->protocol = global->protocol;
     ptr->peerVerifyMode = global->peerVerifyMode;
     ptr->peerVerifyDepth = global->peerVerifyDepth;
@@ -2955,7 +2970,13 @@ QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories()
         ba("/opt/openssl/certs/"), // HP-UX
         ba("/etc/ssl/"), // OpenBSD
     };
-    return QList<QByteArray>::fromReadOnlyData(dirs);
+    QList<QByteArray> result = QList<QByteArray>::fromReadOnlyData(dirs);
+    if constexpr (isVxworks) {
+        static QByteArray vxworksCertsDir = qgetenv("VXWORKS_CERTS_DIR");
+        if (!vxworksCertsDir.isEmpty())
+            result.push_back(vxworksCertsDir);
+    }
+    return result;
 }
 
 /*!
@@ -3086,10 +3107,11 @@ QTlsBackend *QSslSocketPrivate::tlsBackendInUse()
 
     tlsBackend = QTlsBackend::findBackend(activeBackendName);
     if (tlsBackend) {
-        QObject::connect(tlsBackend, &QObject::destroyed, [] {
+        QObject::connect(tlsBackend, &QObject::destroyed, tlsBackend, [] {
             const QMutexLocker locker(&backendMutex);
             tlsBackend = nullptr;
-        });
+        },
+        Qt::DirectConnection);
     }
     return tlsBackend;
 }