2 files changed, 28 insertions, 4 deletions

diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index ce78399e01..6433b84e80 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -143,7 +143,7 @@ QSslCertificate::QSslCertificate(QIODevice *device, QSsl::EncodingFormat format)
     : d(new QSslCertificatePrivate)
 {
     QSslSocketPrivate::ensureInitialized();
-    if (device)
+    if (device && QSslSocket::supportsSsl())
         d->init(device->readAll(), format);
 }
 
@@ -157,7 +157,8 @@ QSslCertificate::QSslCertificate(const QByteArray &data, QSsl::EncodingFormat fo
     : d(new QSslCertificatePrivate)
 {
     QSslSocketPrivate::ensureInitialized();
-    d->init(data, format);
+    if (QSslSocket::supportsSsl())
+        d->init(data, format);
 }
 
 /*!
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp
index 0456b7cdc7..0a9588deea 100644
--- a/src/network/ssl/qsslsocket_mac.cpp
+++ b/src/network/ssl/qsslsocket_mac.cpp
@@ -1226,9 +1226,32 @@ bool QSslSocketBackendPrivate::verifyPeerTrust()
         QCFType<SecCertificateRef> certRef = SecCertificateCreateWithData(NULL, certData);
         CFArrayAppendValue(certArray, certRef);
     }
+
     SecTrustSetAnchorCertificates(trust, certArray);
-    // Secure Transport should use anchors only from our QSslConfiguration:
-    SecTrustSetAnchorCertificatesOnly(trust, true);
+
+    // By default SecTrustEvaluate uses both CA certificates provided in
+    // QSslConfiguration and the ones from the system database. This behavior can
+    // be unexpected if a user's code tries to limit the trusted CAs to those
+    // explicitly set in QSslConfiguration.
+    // Since on macOS we initialize the default QSslConfiguration copying the
+    // system CA certificates (using SecTrustSettingsCopyCertificates) we can
+    // call SecTrustSetAnchorCertificatesOnly(trust, true) to force SecTrustEvaluate
+    // to use anchors only from our QSslConfiguration.
+    // Unfortunately, SecTrustSettingsCopyCertificates is not available on iOS
+    // and the default QSslConfiguration always has an empty list of system CA
+    // certificates. This leaves no way to provide client code with access to the
+    // actual system CA certificate list (which most use-cases need) other than
+    // by letting SecTrustEvaluate fall through to the system list; so, in this case
+    // (even though the client code may have provided its own certs), we retain
+    // the default behavior.
+
+#ifdef Q_OS_MACOS
+    const bool anchorsFromConfigurationOnly = true;
+#else
+    const bool anchorsFromConfigurationOnly = false;
+#endif
+
+    SecTrustSetAnchorCertificatesOnly(trust, anchorsFromConfigurationOnly);
 
     SecTrustResultType trustResult = kSecTrustResultInvalid;
     SecTrustEvaluate(trust, &trustResult);