Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index bac837e62f..59f6f53fef 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1239,7 +1239,8 @@ bool QSslSocketBackendPrivate::startHandshake()
 #ifdef Q_OS_WIN
 //Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable
- if (s_loadRootCertsOnDemand
+ if (doVerifyPeer
+ && s_loadRootCertsOnDemand
 && allowRootCertOnDemandLoading
 && !verifyErrorsHaveBeenIgnored()) {
 //Windows desktop versions starting from vista ship with minimal set of roots
@@ -1247,12 +1248,29 @@ bool QSslSocketBackendPrivate::startHandshake()
 //trusted by MS.
 //However, this is only transparent if using WinINET - we have to trigger it
 //ourselves.
+ QSslCertificate certToFetch;
+ bool fetchCertificate = true;
 for (int i=0; i< sslErrors.count(); i++) {
- if (sslErrors.at(i).error() == QSslError::UnableToGetLocalIssuerCertificate) {
- fetchCaRootForCert(sslErrors.at(i).certificate());
- return false;
+ switch (sslErrors.at(i).error()) {
+ case QSslError::UnableToGetLocalIssuerCertificate:
+ certToFetch = sslErrors.at(i).certificate();
+ break;
+ case QSslError::SelfSignedCertificate:
+ case QSslError::CertificateBlacklisted:
+ //With these errors, we know it will be untrusted so save time by not asking windows
+ fetchCertificate = false;
+ break;
+ default:
+#ifdef QSSLSOCKET_DEBUG
+ qDebug() << sslErrors.at(i).errorString();
+#endif
+ break;
 }
 }
+ if (fetchCertificate && !certToFetch.isNull()) {
+ fetchCaRootForCert(certToFetch);
+ return false;
+ }
 }
 #endif |
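Review bot: The comment above the condition in the first hunk no longer lists every case in which the on-demand root fetch is skipped, because the new `doVerifyPeer` term is not mentioned. I would extend it to `//Skip this if peer verification is off, if not using system CAs, or if the SSL errors are configured in advance to be ignorable`. `doVerifyPeer` is set outside the hunk, so it is worth confirming there that it is false in every mode where verification results are not enforced; the fetch appears to be keyed on a certificate taken from the error list, and it should not run for a peer nobody is going to verify.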
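Review bot: In the second hunk `certToFetch` is overwritten on every `UnableToGetLocalIssuerCertificate` entry, so the last matching error decides which certificate reaches `fetchCaRootForCert`, whereas the removed code acted on the first match. If `sslErrors` can hold more than one such entry, keep the earlier behaviour with `if (certToFetch.isNull()) certToFetch = sslErrors.at(i).certificate();`, or add a comment stating that the last match is intended. The `default:` branch only logs under `QSSLSOCKET_DEBUG`, so any other error still leads to a fetch; a short comment saying that this is deliberate (the remaining errors are evaluated after the root lookup) would make the trust decision easier to audit. `startHandshake()` begins and ends outside the hunk, so what happens after `return false;` cannot be checked from here.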