diff options
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qsslcertificate.cpp | 5 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_mac.cpp | 27 |
2 files changed, 28 insertions, 4 deletions
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp index ce78399e01..6433b84e80 100644 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -143,7 +143,7 @@ QSslCertificate::QSslCertificate(QIODevice *device, QSsl::EncodingFormat format) : d(new QSslCertificatePrivate) { QSslSocketPrivate::ensureInitialized(); - if (device) + if (device && QSslSocket::supportsSsl()) d->init(device->readAll(), format); } @@ -157,7 +157,8 @@ QSslCertificate::QSslCertificate(const QByteArray &data, QSsl::EncodingFormat fo : d(new QSslCertificatePrivate) { QSslSocketPrivate::ensureInitialized(); - d->init(data, format); + if (QSslSocket::supportsSsl()) + d->init(data, format); } /*! diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 0456b7cdc7..0a9588deea 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -1226,9 +1226,32 @@ bool QSslSocketBackendPrivate::verifyPeerTrust() QCFType<SecCertificateRef> certRef = SecCertificateCreateWithData(NULL, certData); CFArrayAppendValue(certArray, certRef); } + SecTrustSetAnchorCertificates(trust, certArray); - // Secure Transport should use anchors only from our QSslConfiguration: - SecTrustSetAnchorCertificatesOnly(trust, true); + + // By default SecTrustEvaluate uses both CA certificates provided in + // QSslConfiguration and the ones from the system database. This behavior can + // be unexpected if a user's code tries to limit the trusted CAs to those + // explicitly set in QSslConfiguration. + // Since on macOS we initialize the default QSslConfiguration copying the + // system CA certificates (using SecTrustSettingsCopyCertificates) we can + // call SecTrustSetAnchorCertificatesOnly(trust, true) to force SecTrustEvaluate + // to use anchors only from our QSslConfiguration. + // Unfortunately, SecTrustSettingsCopyCertificates is not available on iOS + // and the default QSslConfiguration always has an empty list of system CA + // certificates. This leaves no way to provide client code with access to the + // actual system CA certificate list (which most use-cases need) other than + // by letting SecTrustEvaluate fall through to the system list; so, in this case + // (even though the client code may have provided its own certs), we retain + // the default behavior. + +#ifdef Q_OS_MACOS + const bool anchorsFromConfigurationOnly = true; +#else + const bool anchorsFromConfigurationOnly = false; +#endif + + SecTrustSetAnchorCertificatesOnly(trust, anchorsFromConfigurationOnly); SecTrustResultType trustResult = kSecTrustResultInvalid; SecTrustEvaluate(trust, &trustResult); |