1 files changed, 32 insertions, 10 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index cd76517c25..395394d432 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -97,8 +97,7 @@
 
     \list
     \li The socket's cryptographic cipher suite can be customized before
-    the handshake phase with QSslConfiguration::setCiphers()
-    and QSslConfiguration::setDefaultCiphers().
+    the handshake phase with QSslConfiguration::setCiphers().
     \li The socket's local certificate and private key can be customized
     before the handshake phase with setLocalCertificate() and
     setPrivateKey().
@@ -365,6 +364,12 @@ QT_BEGIN_NAMESPACE
 
 using namespace Qt::StringLiterals;
 
+#ifdef Q_OS_VXWORKS
+constexpr auto isVxworks = true;
+#else
+constexpr auto isVxworks = false;
+#endif
+
 class QSslSocketGlobalData
 {
 public:
@@ -1539,7 +1544,12 @@ QList<QString> QSslSocket::availableBackends()
     from the list of available backends.
 
     \note When selecting a default backend implicitly, QSslSocket prefers
-    the OpenSSL backend if available.
+    the OpenSSL backend if available. If it's not available, the Schannel backend
+    is implicitly selected on Windows, and Secure Transport on Darwin platforms.
+    Failing these, if a custom TLS backend is found, it is used.
+    If no other backend is found, the "certificate only" backend is selected.
+    For more information about TLS plugins, please see
+    \l {Enabling and Disabling SSL Support when Building Qt from Source}.
 
     \sa setActiveBackend(), availableBackends()
 */
@@ -1973,6 +1983,10 @@ QSslSocketPrivate::QSslSocketPrivate()
     , flushTriggered(false)
 {
     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
 
     const auto *tlsBackend = tlsBackendInUse();
     if (!tlsBackend) {
@@ -2281,6 +2295,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
     ptr->sessionProtocol = global->sessionProtocol;
     ptr->ciphers = global->ciphers;
     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
     ptr->protocol = global->protocol;
     ptr->peerVerifyMode = global->peerVerifyMode;
     ptr->peerVerifyDepth = global->peerVerifyDepth;
@@ -2661,7 +2676,7 @@ bool QSslSocketPrivate::verifyErrorsHaveBeenIgnored()
         // was called)
         const auto &sslErrors = backend->tlsErrors();
         doEmitSslError = false;
-        for (int a = 0; a < sslErrors.count(); a++) {
+        for (int a = 0; a < sslErrors.size(); a++) {
             if (!ignoreErrorsList.contains(sslErrors.at(a))) {
                 doEmitSslError = true;
                 break;
@@ -2799,11 +2814,11 @@ QByteArray QSslSocketPrivate::peek(qint64 maxSize)
         QByteArray ret;
         ret.reserve(maxSize);
         ret.resize(buffer.peek(ret.data(), maxSize, transactionPos));
-        if (ret.length() == maxSize)
+        if (ret.size() == maxSize)
             return ret;
         //peek at data in the plain socket
         if (plainSocket)
-            return ret + plainSocket->peek(maxSize - ret.length());
+            return ret + plainSocket->peek(maxSize - ret.size());
 
         return QByteArray();
     } else {
@@ -2955,7 +2970,13 @@ QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories()
         ba("/opt/openssl/certs/"), // HP-UX
         ba("/etc/ssl/"), // OpenBSD
     };
-    return QList<QByteArray>::fromReadOnlyData(dirs);
+    QList<QByteArray> result = QList<QByteArray>::fromReadOnlyData(dirs);
+    if constexpr (isVxworks) {
+        static QByteArray vxworksCertsDir = qgetenv("VXWORKS_CERTS_DIR");
+        if (!vxworksCertsDir.isEmpty())
+            result.push_back(vxworksCertsDir);
+    }
+    return result;
 }
 
 /*!
@@ -3031,7 +3052,7 @@ bool QSslSocketPrivate::isMatchingHostname(const QString &cn, const QString &hos
     qsizetype secondCnDot = cn.indexOf(u'.', firstCnDot+1);
 
     // Check at least 3 components
-    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
+    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.size()))
         return false;
 
     // Check * is last character of 1st component (ie. there's a following .)
@@ -3086,10 +3107,11 @@ QTlsBackend *QSslSocketPrivate::tlsBackendInUse()
 
     tlsBackend = QTlsBackend::findBackend(activeBackendName);
     if (tlsBackend) {
-        QObject::connect(tlsBackend, &QObject::destroyed, [] {
+        QObject::connect(tlsBackend, &QObject::destroyed, tlsBackend, [] {
             const QMutexLocker locker(&backendMutex);
             tlsBackend = nullptr;
-        });
+        },
+        Qt::DirectConnection);
     }
     return tlsBackend;
 }