Diffstat (limited to 'src/network/ssl')
-rw-r--r--src/network/ssl/qsslcertificate.cpp4
-rw-r--r--src/network/ssl/qsslcertificate.h2
-rw-r--r--src/network/ssl/qsslcontext_openssl.cpp4
-rw-r--r--src/network/ssl/qsslsocket.cpp23
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp3
5 files changed, 19 insertions, 17 deletions
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 6f91ccdb4d..22d66770e5 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -446,8 +446,8 @@ QByteArray QSslCertificate::digest(QCryptographicHash::Algorithm algorithm) cons
/*!
Searches all files in the \a path for certificates encoded in the
- specified \a format and returns them in a list. \e must be a file or a
- pattern matching one or more files, as specified by \a syntax.
+ specified \a format and returns them in a list. \a path must be a file
+ or a pattern matching one or more files, as specified by \a syntax.
Example:
diff --git a/src/network/ssl/qsslcertificate.h b/src/network/ssl/qsslcertificate.h
index af605b0629..d58cfcf5d1 100644
--- a/src/network/ssl/qsslcertificate.h
+++ b/src/network/ssl/qsslcertificate.h
@@ -97,7 +97,7 @@ public:
bool isNull() const;
#if QT_DEPRECATED_SINCE(5,0)
QT_DEPRECATED inline bool isValid() const {
- const QDateTime currentTime = QDateTime::currentDateTime();
+ const QDateTime currentTime = QDateTime::currentDateTimeUtc();
return currentTime >= effectiveDate() &&
currentTime <= expiryDate() &&
!isBlacklisted();
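Review bot: The deprecated inline `isValid()` in this hunk tests only the validity window and `isBlacklisted()`, which a caller can easily mistake for a trust decision. A short comment above it would make the limit explicit, for example `// Checks the validity dates and the blacklist only; the issuer chain and peer name are not verified here.` The result also depends on the local system clock being correct. The function body closes outside the hunk.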
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index b88ab54038..68caaeb6dc 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -215,6 +215,8 @@ init_context:
return sslContext;
}
+ const QDateTime now = QDateTime::currentDateTimeUtc();
+
// Add all our CAs to this store.
foreach (const QSslCertificate &caCertificate, sslContext->sslConfiguration.caCertificates()) {
// From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
@@ -228,7 +230,7 @@ init_context:
// certificates mixed with valid ones.
//
// See also: QSslSocketBackendPrivate::verify()
- if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
+ if (caCertificate.expiryDate() >= now) {
q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle());
}
}
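Review bot: The filter in front of `q_X509_STORE_add_cert` compares only `expiryDate()` with `now`, so a CA certificate whose `effectiveDate()` is still in the future is added to the store. If the first-match behaviour described in the quoted OpenSSL comment also applies to not-yet-valid certificates (worth confirming), the condition could be `if (caCertificate.effectiveDate() <= now && caCertificate.expiryDate() >= now) {`. The same check appears in the QSslSocketBackendPrivate::verify() hunk of qsslsocket_openssl.cpp and would need the same change. In both places the return value of the add call is discarded, so a CA certificate that fails to load is not reported and later shows up only as a verification failure.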
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 0472a9a198..805adc734f 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -131,19 +131,18 @@
before the handshake phase with setLocalCertificate() and
setPrivateKey().
\li The CA certificate database can be extended and customized with
- addCaCertificate(), addCaCertificates(), setCaCertificates(),
- addDefaultCaCertificate(), addDefaultCaCertificates(), and
- setDefaultCaCertificates().
+ addCaCertificate(), addCaCertificates(), addDefaultCaCertificate(),
+ addDefaultCaCertificates(), and QSslConfiguration::defaultConfiguration().setCaCertificates().
\endlist
\note If available, root certificates on Unix (excluding OS X) will be
- loaded on demand from the standard certificate directories. If
- you do not want to load root certificates on demand, you need to call either
- the static function setDefaultCaCertificates() before the first SSL handshake
- is made in your application, (e.g. via
- "QSslSocket::setDefaultCaCertificates(QSslSocket::systemCaCertificates());"),
- or call setCaCertificates() on your QSslSocket instance prior to the SSL
- handshake.
+ loaded on demand from the standard certificate directories. If you do not
+ want to load root certificates on demand, you need to call either
+ QSslConfiguration::defaultConfiguration().setCaCertificates() before the first
+ SSL handshake is made in your application (for example, via passing
+ QSslSocket::systemCaCertificates() to it), or call
+ QSslConfiguration::defaultConfiguration()::setCaCertificates() on your QSslSocket instance
+ prior to the SSL handshake.
For more information about ciphers and certificates, refer to QSslCipher and
QSslCertificate.
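Review bot: The new wording recommends `QSslConfiguration::defaultConfiguration().setCaCertificates()`, but `defaultConfiguration()` returns a copy, so that call changes a temporary and leaves the default CA set untouched. A reader who follows it to restrict trusted roots would believe the restriction is active when it is not. The documented sequence should fetch the configuration, call `setCaCertificates()` on it, and then pass it to `QSslConfiguration::setDefaultConfiguration()`. The last sentence of the note has a second problem: it writes `defaultConfiguration()::setCaCertificates()` and says to call it "on your QSslSocket instance". The per-socket path would instead be to modify the socket's `sslConfiguration()` and apply it with `setSslConfiguration()` before the handshake.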
@@ -1311,8 +1310,8 @@ QList<QSslCipher> QSslSocket::supportedCiphers()
/*!
Searches all files in the \a path for certificates encoded in the
specified \a format and adds them to this socket's CA certificate
- database. \a path can be explicit, or it can contain wildcards in
- the format specified by \a syntax. Returns \c true if one or more
+ database. \a path must be a file or a pattern matching one or more
+ files, as specified by \a syntax. Returns \c true if one or more
certificates are added to the socket's CA certificate database;
otherwise returns \c false.
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index a8e4c61e9a..dd47dfc45f 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1660,6 +1660,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &
setDefaultCaCertificates(defaultCaCertificates() + systemCaCertificates());
}
+ const QDateTime now = QDateTime::currentDateTimeUtc();
foreach (const QSslCertificate &caCertificate, QSslConfiguration::defaultConfiguration().caCertificates()) {
// From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
//
@@ -1672,7 +1673,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &
// certificates mixed with valid ones.
//
// See also: QSslContext::fromConfiguration()
- if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
+ if (caCertificate.expiryDate() >= now) {
q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
}
}