Diffstat (limited to 'src/network/ssl')
-rw-r--r--src/network/ssl/qsslconfiguration.cpp89
-rw-r--r--src/network/ssl/qsslconfiguration.h7
-rw-r--r--src/network/ssl/qsslcontext_openssl.cpp44
-rw-r--r--src/network/ssl/qsslsocket.cpp47
-rw-r--r--src/network/ssl/qsslsocket.h16
-rw-r--r--src/network/ssl/qsslsocket_mac.cpp7
-rw-r--r--src/network/ssl/qsslsocket_openssl11.cpp5
-rw-r--r--src/network/ssl/qsslsocket_qt.cpp1
-rw-r--r--src/network/ssl/qsslsocket_schannel.cpp24
-rw-r--r--src/network/ssl/qsslsocket_schannel_p.h1
10 files changed, 181 insertions, 60 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 7e92d3a526..738c8d4ac5 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -54,7 +54,6 @@ const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOp
|QSsl::SslOptionDisableSessionPersistence;
const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2";
-const char QSslConfiguration::NextProtocolSpdy3_0[] = "spdy/3";
const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
/*!
@@ -134,12 +133,6 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
*/
/*!
- \variable QSslConfiguration::NextProtocolSpdy3_0
- \brief The value used for negotiating SPDY 3.0 during the Next
- Protocol Negotiation.
-*/
-
-/*!
\variable QSslConfiguration::NextProtocolHttp1_1
\brief The value used for negotiating HTTP 1.1 during the Next
Protocol Negotiation.
@@ -631,11 +624,10 @@ QList<QSslCipher> QSslConfiguration::supportedCiphers()
Returns this connection's CA certificate database. The CA certificate
database is used by the socket during the handshake phase to
validate the peer's certificate. It can be modified prior to the
- handshake with setCaCertificates(), or with \l{QSslSocket}'s
- \l{QSslSocket::}{addCaCertificate()} and
- \l{QSslSocket::}{addCaCertificates()}.
+ handshake with setCaCertificates(), or with addCaCertificate() and
+ addCaCertificates().
- \sa setCaCertificates()
+ \sa setCaCertificates(), addCaCertificate(), addCaCertificates()
*/
QList<QSslCertificate> QSslConfiguration::caCertificates() const
{
@@ -652,7 +644,7 @@ QList<QSslCertificate> QSslConfiguration::caCertificates() const
that is not available (as is commonly the case on iOS), the default database
is empty.
- \sa caCertificates()
+ \sa caCertificates(), addCaCertificates(), addCaCertificate()
*/
void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates)
{
@@ -661,6 +653,72 @@ void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certific
}
/*!
+ Searches all files in the \a path for certificates encoded in the
+ specified \a format and adds them to this socket's CA certificate
+ database. \a path must be a file or a pattern matching one or more
+ files, as specified by \a syntax. Returns \c true if one or more
+ certificates are added to the socket's CA certificate database;
+ otherwise returns \c false.
+
+ The CA certificate database is used by the socket during the
+ handshake phase to validate the peer's certificate.
+
+ For more precise control, use addCaCertificate().
+
+ \sa addCaCertificate(), QSslCertificate::fromPath()
+*/
+bool QSslConfiguration::addCaCertificates(const QString &path, QSsl::EncodingFormat format,
+ QRegExp::PatternSyntax syntax)
+{
+ QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax);
+ if (certs.isEmpty())
+ return false;
+
+ d->caCertificates += certs;
+ return true;
+}
+
+/*!
+ \since 5.15
+
+ Adds \a certificate to this configuration's CA certificate database.
+ The certificate database must be set prior to the SSL handshake.
+ The CA certificate database is used by the socket during the
+ handshake phase to validate the peer's certificate.
+
+ \note The default configuration uses the system CA certificate database. If
+ that is not available (as is commonly the case on iOS), the default database
+ is empty.
+
+ \sa caCertificates(), setCaCertificates(), addCaCertificates()
+*/
+void QSslConfiguration::addCaCertificate(const QSslCertificate &certificate)
+{
+ d->caCertificates += certificate;
+ d->allowRootCertOnDemandLoading = false;
+}
+
+/*!
+ \since 5.15
+
+ Adds \a certificates to this configuration's CA certificate database.
+ The certificate database must be set prior to the SSL handshake.
+ The CA certificate database is used by the socket during the
+ handshake phase to validate the peer's certificate.
+
+ \note The default configuration uses the system CA certificate database. If
+ that is not available (as is commonly the case on iOS), the default database
+ is empty.
+
+ \sa caCertificates(), setCaCertificates(), addCaCertificate()
+*/
+void QSslConfiguration::addCaCertificates(const QList<QSslCertificate> &certificates)
+{
+ d->caCertificates += certificates;
+ d->allowRootCertOnDemandLoading = false;
+}
+
+/*!
\since 5.5
This function provides the CA certificate database
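Review bot: The path-based `addCaCertificates(const QString &path, ...)` overload appends to `d->caCertificates` but, unlike the two overloads added right below it, never sets `d->allowRootCertOnDemandLoading = false`, so the same logical operation leaves on-demand root loading in a different state depending on which overload the caller picked. If that is unintended, add `d->allowRootCertOnDemandLoading = false;` before `return true;`; if it is deliberate, the doc comment should say so, because the flag presumably affects which roots are consulted during the handshake. The doc block for this overload also lacks the `\since 5.15` tag the other two carry and still says "this socket's CA certificate database" although the function is a QSslConfiguration member. None of the three comments mention the flag change; a line such as `\note Adding certificates disables on-demand loading of root certificates for this configuration.` would make that side effect visible to callers.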
@@ -668,7 +726,8 @@ void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certific
returned by this function is used to initialize the database
returned by caCertificates() on the default QSslConfiguration.
- \sa caCertificates(), setCaCertificates(), defaultConfiguration()
+ \sa caCertificates(), setCaCertificates(), defaultConfiguration(),
+ addCaCertificate(), addCaCertificates()
*/
QList<QSslCertificate> QSslConfiguration::systemCaCertificates()
{
@@ -967,7 +1026,7 @@ QByteArray QSslConfiguration::nextNegotiatedProtocol() const
Whether or not the negotiation succeeded can be queried through
nextProtocolNegotiationStatus().
- \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1
+ \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
*/
#if QT_VERSION >= QT_VERSION_CHECK(6,0,0)
void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols)
@@ -985,7 +1044,7 @@ void QSslConfiguration::setAllowedNextProtocols(QList<QByteArray> protocols)
server through the Next Protocol Negotiation (NPN) or Application-Layer
Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols().
- \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1
+ \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
*/
QList<QByteArray> QSslConfiguration::allowedNextProtocols() const
{
diff --git a/src/network/ssl/qsslconfiguration.h b/src/network/ssl/qsslconfiguration.h
index c25c2686de..ad6e23638f 100644
--- a/src/network/ssl/qsslconfiguration.h
+++ b/src/network/ssl/qsslconfiguration.h
@@ -66,7 +66,6 @@
QT_BEGIN_NAMESPACE
-template<typename T> class QList;
class QSslCertificate;
class QSslCipher;
class QSslKey;
@@ -131,6 +130,11 @@ public:
// Certificate Authority (CA) settings
QList<QSslCertificate> caCertificates() const;
void setCaCertificates(const QList<QSslCertificate> &certificates);
+ bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem,
+ QRegExp::PatternSyntax syntax = QRegExp::FixedString);
+ void addCaCertificate(const QSslCertificate &certificate);
+ void addCaCertificates(const QList<QSslCertificate> &certificates);
+
static QList<QSslCertificate> systemCaCertificates();
void setSslOption(QSsl::SslOption option, bool on);
@@ -188,7 +192,6 @@ public:
NextProtocolNegotiationStatus nextProtocolNegotiationStatus() const;
static const char ALPNProtocolHTTP2[];
- static const char NextProtocolSpdy3_0[];
static const char NextProtocolHttp1_1[];
private:
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index e81e5582f4..8566d78aef 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -157,32 +157,36 @@ SSL* QSslContext::createSsl()
for (int a = 0; a < protocols.count(); ++a) {
if (protocols.at(a).size() > 255) {
qCWarning(lcSsl) << "TLS NPN extension" << protocols.at(a)
- << "is too long and will be truncated to 255 characters.";
- protocols[a] = protocols.at(a).left(255);
+ << "is too long and will be ignored.";
+ continue;
+ } else if (protocols.at(a).isEmpty()) {
+ continue;
}
m_supportedNPNVersions.append(protocols.at(a).size()).append(protocols.at(a));
}
- m_npnContext.data = reinterpret_cast<unsigned char *>(m_supportedNPNVersions.data());
- m_npnContext.len = m_supportedNPNVersions.count();
- m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone;
+ if (m_supportedNPNVersions.size()) {
+ m_npnContext.data = reinterpret_cast<unsigned char *>(m_supportedNPNVersions.data());
+ m_npnContext.len = m_supportedNPNVersions.count();
+ m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone;
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
- if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) {
- // Callback's type has a parameter 'const unsigned char ** out'
- // since it was introduced in 1.0.2. Internally, OpenSSL's own code
- // (tests/examples) cast it to unsigned char * (since it's 'out').
- // We just re-use our NPN callback and cast here:
- typedef int (*alpn_callback_t) (SSL *, const unsigned char **, unsigned char *,
- const unsigned char *, unsigned int, void *);
- // With ALPN callback is for a server side only, for a client m_npnContext.status
- // will stay in NextProtocolNegotiationNone.
- q_SSL_CTX_set_alpn_select_cb(ctx, alpn_callback_t(next_proto_cb), &m_npnContext);
- // Client:
- q_SSL_set_alpn_protos(ssl, m_npnContext.data, m_npnContext.len);
- }
+ if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) {
+ // Callback's type has a parameter 'const unsigned char ** out'
+ // since it was introduced in 1.0.2. Internally, OpenSSL's own code
+ // (tests/examples) cast it to unsigned char * (since it's 'out').
+ // We just re-use our NPN callback and cast here:
+ typedef int (*alpn_callback_t) (SSL *, const unsigned char **, unsigned char *,
+ const unsigned char *, unsigned int, void *);
+ // With ALPN callback is for a server side only, for a client m_npnContext.status
+ // will stay in NextProtocolNegotiationNone.
+ q_SSL_CTX_set_alpn_select_cb(ctx, alpn_callback_t(next_proto_cb), &m_npnContext);
+ // Client:
+ q_SSL_set_alpn_protos(ssl, m_npnContext.data, m_npnContext.len);
+ }
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ...
- // And in case our peer does not support ALPN, but supports NPN:
- q_SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &m_npnContext);
+ // And in case our peer does not support ALPN, but supports NPN:
+ q_SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &m_npnContext);
+ }
}
#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ...
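Review bot: The empty-name branch `else if (protocols.at(a).isEmpty()) continue;` drops the entry silently, while the overlong branch just above logs a warning, so a caller whose allowed-protocol list is filtered down to nothing gets no ALPN/NPN offer and no diagnostic. Consider logging there too, e.g. `qCWarning(lcSsl) << "TLS NPN extension: empty protocol name ignored.";`, and adding a comment on why entries are dropped rather than truncated: `// Length prefix is one byte; a truncated name would advertise a different protocol identifier.` The same two-branch filter is repeated in the qsslsocket_mac.cpp hunk (initSslContext) and the qsslsocket_schannel.cpp hunk (createAlpnString); a single shared helper would keep the three backends from drifting. The `else` after `continue` is redundant in all three. createSsl()'s body starts and ends outside this hunk.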
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index ca6c58117d..690251727d 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -139,10 +139,21 @@
before the handshake phase with setLocalCertificate() and
setPrivateKey().
\li The CA certificate database can be extended and customized with
- addCaCertificate(), addCaCertificates(), addDefaultCaCertificate(),
- addDefaultCaCertificates(), and QSslConfiguration::defaultConfiguration().setCaCertificates().
+ QSslConfiguration::addCaCertificate(),
+ QSslConfiguration::addCaCertificates().
\endlist
+ To extend the list of \e default CA certificates used by the SSL sockets
+ during the SSL handshake you must update the default configuration, as
+ in the snippet below:
+
+ \code
+ QList<QSslCertificate> certificates = getCertificates();
+ QSslConfiguration configuration = QSslConfiguration::defaultConfiguration();
+ configuration.addCaCertificates(certificates);
+ QSslConfiguration::setDefaultConfiguration(configuration);
+ \endcode
+
\note If available, root certificates on Unix (excluding \macos) will be
loaded on demand from the standard certificate directories. If you do not
want to load root certificates on demand, you need to call either
@@ -1384,6 +1395,10 @@ QList<QSslCipher> QSslSocket::supportedCiphers()
#endif // #if QT_DEPRECATED_SINCE(5, 5)
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificates() instead.
+
Searches all files in the \a path for certificates encoded in the
specified \a format and adds them to this socket's CA certificate
database. \a path must be a file or a pattern matching one or more
@@ -1411,6 +1426,10 @@ bool QSslSocket::addCaCertificates(const QString &path, QSsl::EncodingFormat for
}
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificate() instead.
+
Adds the \a certificate to this socket's CA certificate database.
The CA certificate database is used by the socket during the
handshake phase to validate the peer's certificate.
@@ -1427,6 +1446,10 @@ void QSslSocket::addCaCertificate(const QSslCertificate &certificate)
}
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificates() instead.
+
Adds the \a certificates to this socket's CA certificate database.
The CA certificate database is used by the socket during the
handshake phase to validate the peer's certificate.
@@ -1489,6 +1512,10 @@ QList<QSslCertificate> QSslSocket::caCertificates() const
#endif // #if QT_DEPRECATED_SINCE(5, 5)
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead.
+
Searches all files in the \a path for certificates with the
specified \a encoding and adds them to the default CA certificate
database. \a path can be an explicit file, or it can contain
@@ -1498,8 +1525,8 @@ QList<QSslCertificate> QSslSocket::caCertificates() const
Each SSL socket's CA certificate database is initialized to the
default CA certificate database.
- \sa QSslConfiguration::caCertificates(), addCaCertificates(),
- addDefaultCaCertificate()
+ \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates(),
+ QSslConfiguration::addDefaultCaCertificate()
*/
bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat encoding,
QRegExp::PatternSyntax syntax)
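Review bot: The new `\sa` entry `QSslConfiguration::addDefaultCaCertificate()` points at a function this commit does not add: the QSslConfiguration members introduced in qsslconfiguration.h are `addCaCertificate()` and `addCaCertificates()`, while `addDefaultCaCertificate()` remains a QSslSocket static. The link will presumably not resolve in the generated documentation; it should read `\sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates(), QSslConfiguration::addCaCertificate()`. The function body lies outside the hunk.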
@@ -1508,11 +1535,15 @@ bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFor
}
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead.
+
Adds \a certificate to the default CA certificate database. Each
SSL socket's CA certificate database is initialized to the default
CA certificate database.
- \sa QSslConfiguration::defaultCaCertificates(), addCaCertificates()
+ \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates()
*/
void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
{
@@ -1520,11 +1551,15 @@ void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
}
/*!
+ \deprecated
+
+ Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead.
+
Adds \a certificates to the default CA certificate database. Each
SSL socket's CA certificate database is initialized to the default
CA certificate database.
- \sa QSslConfiguration::caCertificates(), addCaCertificates()
+ \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates()
*/
void QSslSocket::addDefaultCaCertificates(const QList<QSslCertificate> &certificates)
{
diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h
index 35943c7d7e..843e2d15f5 100644
--- a/src/network/ssl/qsslsocket.h
+++ b/src/network/ssl/qsslsocket.h
@@ -164,18 +164,22 @@ public:
#endif // QT_DEPRECATED_SINCE(5, 5)
// CA settings.
- bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem,
+#if QT_DEPRECATED_SINCE(5, 15)
+ QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") bool addCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem,
QRegExp::PatternSyntax syntax = QRegExp::FixedString);
- void addCaCertificate(const QSslCertificate &certificate);
- void addCaCertificates(const QList<QSslCertificate> &certificates);
+ QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificate()") void addCaCertificate(const QSslCertificate &certificate);
+ QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates()") void addCaCertificates(const QList<QSslCertificate> &certificates);
+#endif // QT_DEPRECATED_SINCE(5, 15)
#if QT_DEPRECATED_SINCE(5, 5)
QT_DEPRECATED_X("Use QSslConfiguration::setCaCertificates()") void setCaCertificates(const QList<QSslCertificate> &certificates);
QT_DEPRECATED_X("Use QSslConfiguration::caCertificates()") QList<QSslCertificate> caCertificates() const;
#endif // QT_DEPRECATED_SINCE(5, 5)
- static bool addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem,
+#if QT_DEPRECATED_SINCE(5, 15)
+ QT_DEPRECATED static bool addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format = QSsl::Pem,
QRegExp::PatternSyntax syntax = QRegExp::FixedString);
- static void addDefaultCaCertificate(const QSslCertificate &certificate);
- static void addDefaultCaCertificates(const QList<QSslCertificate> &certificates);
+ QT_DEPRECATED static void addDefaultCaCertificate(const QSslCertificate &certificate);
+ QT_DEPRECATED static void addDefaultCaCertificates(const QList<QSslCertificate> &certificates);
+#endif // QT_DEPRECATED_SINCE(5, 15)
#if QT_DEPRECATED_SINCE(5, 5)
QT_DEPRECATED static void setDefaultCaCertificates(const QList<QSslCertificate> &certificates);
QT_DEPRECATED static QList<QSslCertificate> defaultCaCertificates();
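Review bot: The three static `addDefaultCa*` declarations are marked with bare `QT_DEPRECATED`, whereas the instance overloads a few lines up use `QT_DEPRECATED_X` with the replacement spelled out, so the compiler warning for the static ones gives no migration hint. Something like `QT_DEPRECATED_X("Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration")` would match the wording the qsslsocket.cpp docs now use. The long `QT_DEPRECATED_X(...) bool addCaCertificates(...` line would also read better with the macro on its own line.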
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp
index 1725937bc2..e0e065679d 100644
--- a/src/network/ssl/qsslsocket_mac.cpp
+++ b/src/network/ssl/qsslsocket_mac.cpp
@@ -928,6 +928,13 @@ bool QSslSocketBackendPrivate::initSslContext()
QCFType<CFMutableArrayRef> cfNames(CFArrayCreateMutable(nullptr, 0, &kCFTypeArrayCallBacks));
if (cfNames) {
for (const QByteArray &name : protocolNames) {
+ if (name.size() > 255) {
+ qCWarning(lcSsl) << "TLS ALPN extension" << name
+ << "is too long and will be ignored.";
+ continue;
+ } else if (name.isEmpty()) {
+ continue;
+ }
QCFString cfName(QString::fromLatin1(name).toCFString());
CFArrayAppendValue(cfNames, cfName);
}
diff --git a/src/network/ssl/qsslsocket_openssl11.cpp b/src/network/ssl/qsslsocket_openssl11.cpp
index 28be4f2e79..1d935c5217 100644
--- a/src/network/ssl/qsslsocket_openssl11.cpp
+++ b/src/network/ssl/qsslsocket_openssl11.cpp
@@ -143,13 +143,12 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded()
if (!s_loadRootCertsOnDemand)
setDefaultCaCertificates(systemCaCertificates());
#ifdef Q_OS_WIN
- //Enabled for fetching additional root certs from windows update on windows 6+
+ //Enabled for fetching additional root certs from windows update on windows.
//This flag is set false by setDefaultCaCertificates() indicating the app uses
//its own cert bundle rather than the system one.
//Same logic that disables the unix on demand cert loading.
//Unlike unix, we do preload the certificates from the cert store.
- if (QOperatingSystemVersion::current() >= QOperatingSystemVersion::WindowsVista)
- s_loadRootCertsOnDemand = true;
+ s_loadRootCertsOnDemand = true;
#endif
}
diff --git a/src/network/ssl/qsslsocket_qt.cpp b/src/network/ssl/qsslsocket_qt.cpp
index b0fb60ea76..9ff9a66c05 100644
--- a/src/network/ssl/qsslsocket_qt.cpp
+++ b/src/network/ssl/qsslsocket_qt.cpp
@@ -72,6 +72,7 @@ static QAsn1Element _q_PKCS7_data(const QByteArray &data)
Some test vectors:
http://www.drh-consultancy.demon.co.uk/test.txt
+ \internal
*/
static QByteArray _q_PKCS12_keygen(char id, const QByteArray &salt, const QString &passPhrase, int n, int r)
{
diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
index c254659a33..d7fb080b49 100644
--- a/src/network/ssl/qsslsocket_schannel.cpp
+++ b/src/network/ssl/qsslsocket_schannel.cpp
@@ -408,13 +408,17 @@ QByteArray createAlpnString(const QByteArrayList &nextAllowedProtocols)
for (QByteArray proto : nextAllowedProtocols) {
if (proto.size() > 255) {
qCWarning(lcSsl) << "TLS ALPN extension" << proto
- << "is too long and will be truncated to 255 characters.";
- proto = proto.left(255);
+ << "is too long and will be ignored.";
+ continue;
+ } else if (proto.isEmpty()) {
+ continue;
}
protocolString += char(proto.length()) + proto;
}
return protocolString;
}();
+ if (names.isEmpty())
+ return alpnString;
const quint16 namesSize = names.size();
const quint32 alpnId = SecApplicationProtocolNegotiationExt_ALPN;
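Review bot: With the truncation gone, nothing visible in the loop assigns to `proto` any more, so the by-value loop variable in `for (QByteArray proto : nextAllowedProtocols)` now copies each name without need; `for (const QByteArray &proto : nextAllowedProtocols)` is enough. The new early exit `if (names.isEmpty()) return alpnString;` relies on `alpnString` presumably still being empty at that point, and its declaration is outside the hunk, so a short comment such as `// Nothing to advertise: return an empty ALPN buffer.` would make the intent clear. createAlpnString()'s body starts and ends outside this hunk.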
@@ -824,12 +828,17 @@ bool QSslSocketBackendPrivate::acceptContext()
&expiry // ptsTimeStamp
);
+ if (status == SEC_E_INCOMPLETE_MESSAGE) {
+ // Need more data
+ return true;
+ }
+
if (inBuffers[1].BufferType == SECBUFFER_EXTRA) {
// https://docs.microsoft.com/en-us/windows/desktop/secauthn/extra-buffers-returned-by-schannel
// inBuffers[1].cbBuffer indicates the amount of bytes _NOT_ processed, the rest need to
// be stored.
intermediateBuffer = intermediateBuffer.right(int(inBuffers[1].cbBuffer));
- } else if (status != SEC_E_INCOMPLETE_MESSAGE) {
+ } else { /* No 'extra' data, message not incomplete */
intermediateBuffer.clear();
}
@@ -1065,7 +1074,6 @@ bool QSslSocketBackendPrivate::verifyHandshake()
}
schannelState = SchannelState::Done;
- peerCertVerified = true;
return true;
}
@@ -1148,7 +1156,6 @@ void QSslSocketBackendPrivate::reset()
connectionEncrypted = false;
shutdown = false;
- peerCertVerified = false;
renegotiating = false;
}
@@ -1311,7 +1318,9 @@ void QSslSocketBackendPrivate::transmit()
#endif
intermediateBuffer = ciphertext.right(int(dataBuffer[3].cbBuffer));
}
- } else if (status == SEC_E_INCOMPLETE_MESSAGE) {
+ }
+
+ if (status == SEC_E_INCOMPLETE_MESSAGE) {
// Need more data before we can decrypt.. to the buffer it goes!
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcSsl, "We didn't have enough data to decrypt anything, will try again!");
@@ -1356,6 +1365,7 @@ void QSslSocketBackendPrivate::transmit()
#endif
schannelState = SchannelState::Renegotiate;
renegotiating = true;
+
// We need to call 'continueHandshake' or else there's no guarantee it ever gets called
continueHandshake();
break;
@@ -1521,7 +1531,7 @@ void QSslSocketBackendPrivate::continueHandshake()
case SchannelState::VerifyHandshake:
// if we're in shutdown or renegotiating then we might not need to verify
// (since we already did)
- if (!peerCertVerified && !verifyHandshake()) {
+ if (!verifyHandshake()) {
shutdown = true; // Skip sending shutdown alert
q->abort(); // We don't want to send buffered data
disconnectFromHost();
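Review bot: The comment kept above the changed condition, "if we're in shutdown or renegotiating then we might not need to verify (since we already did)", no longer matches the code: with `peerCertVerified` removed, `verifyHandshake()` now runs every time this state is reached, including after a renegotiation. Replace it with something like `// Always verify, also after renegotiation: the peer may present a different certificate chain.` so that nobody reintroduces the shortcut. The enclosing switch in continueHandshake() starts and ends outside the hunk.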
diff --git a/src/network/ssl/qsslsocket_schannel_p.h b/src/network/ssl/qsslsocket_schannel_p.h
index 9879e2fc60..6ab200e1f9 100644
--- a/src/network/ssl/qsslsocket_schannel_p.h
+++ b/src/network/ssl/qsslsocket_schannel_p.h
@@ -147,7 +147,6 @@ private:
ULONG contextAttributes = 0;
bool renegotiating = false;
- bool peerCertVerified = false;
};
QT_END_NAMESPACE