summaryrefslogtreecommitdiffstats
path: root/src/network/ssl/qsslsocket_openssl.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Avoid accessing the internals of the SSL_CIPHER struct.Richard J. Moore2014-05-191-3/+1
| | | | | | | | | | | Avoid accessing the internals of the SSL_CIPHER struct since this has changed size etc. over time leading to binary incompatibilities. Task-number: QTBUG-32423 Task-number: QTBUG-23363 Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4 Reviewed-by: Peter Hartmann <phartmann@blackberry.com> Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
* Merge remote-tracking branch 'origin/release' into stableFrederik Gladhorn2014-05-121-12/+12
|\ | | | | | | Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
| * Ignore expired certificate during certificate validationDaniel Molkentin2014-05-111-12/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL has a bug when validating a chain with two certificates. If a certificate exists twice (which is a valid use case for renewed CAs), and the first one it hits is expired (which depends on the order on data structure internal to OpenSSL), it will fail to validate the chain. This is only a bandaid fix, which trades improved chain validation for error reporting accuracy. However given that reissuing of CA certs is a real problem that is only getting worse, this fix is needed. See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS [ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem that may cause errors when the trust store contains two certificates of the issuing CA, one of which is expired. Task-number: QTBUG-38896 Change-Id: I8f17972ac94555648098624e470fff0eff2e7940 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
* | Fix build against older OpenSSL.Sérgio Martins2014-04-141-0/+2
|/ | | | | | | The declaration of q_SSL_ctrl is ifdefed, so ifdef it's usage too. Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617 Reviewed-by: Richard J. Moore <rich@kde.org>
* Ensure we initialize things before checking the openssl version.Richard J. Moore2014-04-081-0/+3
| | | | | | Task-number: QTBUG-37783 Change-Id: Ie276e597062d8bfc74ef57251ed21a94020e030f Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
* Fix crash if SSL_get0_next_proto_negotiated() cannot be resolved.Friedemann Kleint2014-03-201-4/+6
| | | | | | | | | | | | | Crash occurs after warnings like: QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated Task-number: QTBUG-37515 Task-number: QTBUG-33208 Change-Id: I18b803e4709b9d5f6b33717c2ac43179676351a4 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
* SSL: add support for the Next Protocol Negotiation extensionPeter Hartmann2014-02-111-0/+9
| | | | | | | | | | | | ... which is needed to negotiate the SPDY protocol. [ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next Protocol Negotiation (NPN) TLS extension. Task-number: QTBUG-33208 Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Ensure weak ciphers are not part of the default SSL configuration.Richard J. Moore2014-01-211-1/+5
| | | | | | | | | | | | | | | | | | | | Any cipher that is < 128 bits is excluded from the default SSL configuration. These ciphers are still included in the list of availableCiphers() and can be used by applications if required. Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers()) will restore the old behavior. Note that in doing so I spotted that calling defaultCiphers() before doing other actions with SSL had an existing bug that I've addressed as part of the change. [ChangeLog][Important Behavior Changes] The default set of ciphers used by QSslSocket has been changed to exclude ciphers that are using key lengths smaller than 128 bits. These ciphers are still available and can be enabled by applications if required. Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* Resolve error caused by server-initiated TLS renegotiationScott Deboy2013-09-171-5/+16
| | | | | | | | | | Updating the SSL_write code to correctly handle SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ, which are not actual errors. Change-Id: Icd7369b438ef402bf438c3fcc64514a1f9f45452 Reviewed-by: Peter Hartmann <phartmann@blackberry.com> Reviewed-by: Lars Knoll <lars.knoll@digia.com> Reviewed-by: Richard J. Moore <rich@kde.org>
* Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-08-141-29/+38
|\ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: configure mkspecs/macx-xcode/Info.plist.app mkspecs/macx-xcode/Info.plist.lib qmake/doc/qmake.qdocconf src/corelib/global/qglobal.h tests/auto/other/exceptionsafety/exceptionsafety.pro tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp Change-Id: I3c769a4a82dc2e99a12c69123fbf17613fd2ac2a
| * Android: Get SSL root certificates from TrustManagerPaul Olav Tvete2013-07-291-29/+36
| | | | | | | | | | | | | | | | On Android, when not using Ministro, we cannot read certificates from the file system, so we have to get them through Java APIs instead. Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
| * QNX: hardcode on-demand SSL root cert loadingPeter Hartmann2013-07-261-0/+2
| | | | | | | | | | | | | | | | | | | | | | The c_rehash'ed symlinks are always there on QNX, so no need to check at every app start for the feature. This saves ~ 17ms at each app start. Task-number: QTBUG-32549 Change-Id: Ia9df60aba9d1bd70868b7004b847867a2128f600 Reviewed-by: Andreas Holzammer <andreas.holzammer@kdab.com> Reviewed-by: Rafael Roquetto <rafael.roquetto@kdab.com>
* | OSX: Make QSslSocket compile on 10.9Liang Qi2013-08-061-13/+13
| | | | | | | | | | | | | | | | | | | | CSSM_DATA_PTR was deprecated in 10.7. Replace SecCertificateGetData with SecCertificateCopyData. Task-number: QTBUG-32715 Change-Id: I762687370689b5b5c032567240667631b1ffde98 Reviewed-by: Jake Petroules <jake.petroules@petroules.com> Reviewed-by: Gabriel de Dietrich <gabriel.dedietrich@digia.com>
* | Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-06-041-1/+1
|\| | | | | | | | | | | | | | | Conflicts: src/corelib/global/qglobal.h src/plugins/platforms/cocoa/qnsview.mm Change-Id: I6fe345df5c417cb7a55a3f91285d9b47a22c04fa
| * Fixes: QtNetwork compilation for OpenSSL < 1.0.0aavit2013-05-231-1/+1
| | | | | | | | | | | | | | | | | | | | Incorporate some more of the API changes between OpenSSL versions 0.9.8 and 1.0.0. Task-number: QTBUG-31140 Change-Id: Ie719b34e3ec8751f0fbc07d315e82816c110762c Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* | Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-05-231-3/+3
|\| | | | | | | | | | | | | | | | | | | | | Conflicts: src/corelib/io/qdatastream.cpp src/corelib/io/qdatastream.h src/corelib/json/qjsonwriter.cpp src/plugins/platforms/cocoa/qcocoawindow.mm src/plugins/platforms/xcb/qxcbkeyboard.cpp Change-Id: I46fef1455f5a9f2ce1ec394a3c65881093c51b62
| * Utilize the new Q_OS_MACX define.Jake Petroules2013-05-091-3/+3
| | | | | | | | | | | | | | | | | | | | All occurrences of `#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)` have been replaced with `#if defined(Q_OS_MACX)`. Change-Id: I5055d9bd1845136beb8ed1c79a8f0f2c0897751a Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com> Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* | QSslConfiguration: add API to persist and resume SSL sessionsPeter Hartmann2013-05-101-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | Session tickets can be cached on the client side for hours (e.g. graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the server does not need to maintain state. We need public API for it so an application can cache the session (e.g. to disk) and resume a session already with the 1st handshake, saving one network round trip. Task-number: QTBUG-20668 Change-Id: I10255932dcd528ee1231538cb72b52b97f9f4a3c Reviewed-by: Richard J. Moore <rich@kde.org>
* | Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-04-291-4/+10
|\| | | | | | | Change-Id: I2a54058b64ac69c78b4120fdaf09b96e025a4c6c
| * SSL internals: do not write after shutting down the socketPeter Hartmann2013-04-231-4/+10
| | | | | | | | | | | | | | | | | | ... but rather throw an error, so the HTTP layer can recover from a SSL shutdown gracefully. In case the other side sent us a shutdown, we should not send one as well, as it results in an error. Change-Id: Ie7a56cf3008b6ead912aade18dbec67846e2a87e Reviewed-by: Richard J. Moore <rich@kde.org>
* | Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-04-221-2/+6
|\| | | | | | | Change-Id: I059725e3b7d7ffd5a16a0931e6c17200917172b5
| * SSL internals: fix memory corruption using QSslConfigurationPrivatePeter Hartmann2013-04-181-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | We are passing a QSslConfigurationPrivate that is allocated on the stack (in QSslSocketBackendPrivate::initSslContext()) to QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd). When the SSL context is destroyed, this object is not there any more. So now we create a deep copy of the configuration like we do in QSslSocket::sslConfiguration(). Task-number: QTBUG-30648 Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5 Reviewed-by: Richard J. Moore <rich@kde.org>
* | SSL namespace: Add enum to disable SSL session sharingPeter Hartmann2013-04-221-1/+1
|/ | | | | | | | | | There is already an enum to disable SSL session tickets, which has been used to disable session sharing for now. However, SSL session sharing is not the same as SSL session tickets: Session sharing is built into the SSL protocol, while session tickets is a TLS extension (RFC 5077). Change-Id: If76b99c94b346cfb00e47366e66098f6334fd9bc Reviewed-by: Richard J. Moore <rich@kde.org>
* SSL code: store SSL parameters for debugging, guarded by definePeter Hartmann2013-03-221-0/+35
| | | | | | | | | | | ... so SSL traffic can be decrypted with e.g. tcpdump / Wireshark. For this to work, the define needs to be uncommented and QtNetwork recompiled. This will create a file in /tmp/qt-ssl-keys which can be fed into Wireshark. A recent version of Wireshark is needed for this to work. Change-Id: I4e41fd2e6122260cd96d443b1360edc71b08b5fd Reviewed-by: Richard J. Moore <rich@kde.org>
* Introducing the Qt Android portPaul Olav Tvete2013-03-051-1/+16
| | | | | | | | | | | | | | | | | | | | | Based on the Necessitas project by Bogdan Vatra. Contributors to the Qt5 project: BogDan Vatra <bogdan@kde.org> Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com> hjk <hjk121@nokiamail.com> Oswald Buddenhagen <oswald.buddenhagen@digia.com> Paul Olav Tvete <paul.tvete@digia.com> Robin Burchell <robin+qt@viroteck.net> Samuel Rødal <samuel.rodal@digia.com> Yoann Lopes <yoann.lopes@digia.com> The full history of the Qt5 port can be found in refs/old-heads/android, SHA-1 249ca9ca2c7d876b91b31df9434dde47f9065d0d Change-Id: Iff1a7b2dbb707c986f2639e65e39ed8f22430120 Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com> Reviewed-by: Lars Knoll <lars.knoll@digia.com>
* Remove ifdefs for supporting Mac OS <= 10.5Tor Arne Vestbø2013-02-181-10/+2
| | | | | | | | Qt5 requires Mac OS 10.6, so we can remove checks such as if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6 Change-Id: Iea21727a277291148704ecf9677ed0b68c24920f Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2013-02-141-0/+15
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: src/concurrent/doc/qtconcurrent.qdocconf src/corelib/doc/qtcore.qdocconf src/corelib/global/qglobal.h src/dbus/doc/qtdbus.qdocconf src/dbus/qdbusmessage.h src/gui/doc/qtgui.qdocconf src/gui/image/qimagereader.cpp src/network/doc/qtnetwork.qdocconf src/opengl/doc/qtopengl.qdocconf src/opengl/qgl.h src/plugins/platforms/windows/qwindowswindow.cpp src/printsupport/doc/qtprintsupport.qdocconf src/sql/doc/qtsql.qdocconf src/testlib/doc/qttestlib.qdocconf src/tools/qdoc/doc/config/qt-cpp-ignore.qdocconf src/widgets/doc/qtwidgets.qdocconf src/xml/doc/qtxml.qdocconf Change-Id: Ie9a1fa2cc44bec22a0b942e817a1095ca3414629
| * Remove Nokia from ssl linking exception.Frederik Gladhorn2013-02-111-0/+15
| | | | | | | | | | | | Change-Id: I559d4dd8789a249af855f6fe9bfe013ba1d77132 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Lars Knoll <lars.knoll@digia.com>
* | SSL: Implement session sharing and use it from QNetworkAccessManagerPeter Hartmann2013-02-061-207/+36
|/ | | | | | | | This improves performance since a network round trip can be avoided. Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a Initial-patch-by: Markus Goetz <markus@woboq.com> Reviewed-by: Richard J. Moore <rich@kde.org>
* Update copyright year in Digia's license headersSergio Ahumada2013-01-181-1/+1
| | | | | Change-Id: Ic804938fc352291d011800d21e549c10acac66fb Reviewed-by: Lars Knoll <lars.knoll@digia.com>
* Fix binary incompatibility between openssl versionsShane Kearns2012-12-101-3/+3
| | | | | | | | | | | | | | OpenSSL changed the layout of X509_STORE_CTX between 0.9 and 1.0 So we have to consider this struct as private implementation, and use the access functions instead. This bug would cause certificate verification problems if a different version of openssl is loaded at runtime to the headers Qt was compiled against. Task-number: QTBUG-28343 Change-Id: I47fc24336f7d9c80f08f9c8ba6debc51a5591258 Reviewed-by: Richard J. Moore <rich@kde.org>
* Fix typo in SSL error message.Friedemann Kleint2012-11-271-2/+2
| | | | | Change-Id: If72d80979e1d2ea909227785cd691be39d75c8ab Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* wrap QLibrary related code with QT_NO_LIBRARYJing Bai2012-09-241-0/+2
| | | | | | | | To fix a compile error when QT_NO_LIBRARY is defined. Change-Id: Ie72b60b8204641fa05f4cdbf66e908cb3526217e Reviewed-by: Jing Bai <jing.bai@digia.com> Reviewed-by: Richard J. Moore <rich@kde.org>
* Change copyrights from Nokia to DigiaIikka Eklund2012-09-221-24/+24
| | | | | | | | Change copyrights and license headers from Nokia to Digia Change-Id: If1cc974286d29fd01ec6c19dd4719a67f4c3f00e Reviewed-by: Lars Knoll <lars.knoll@digia.com> Reviewed-by: Sergio Ahumada <sergio.ahumada@digia.com>
* Fix typo in docs.Frederik Gladhorn2012-09-191-1/+1
| | | | | Change-Id: Icfafa00062b442903579dd7993c75fffb60187f9 Reviewed-by: Peter Hartmann <phartmann@rim.com>
* Add support for explicit TLS 1.1 and 1.2Brendan Long2012-08-291-0/+20
| | | | | | | | | | | | Add SslProtocol enums TlsV1_1 and TlsV1_2 and use the appropriate OpenSSL methods when they're selected (TLSv1_1_client_method, TLSv1_2_client_method, TLSv1_1_server_method and TLSv1_2_server_method). This allows us to explicitly use TLS 1.1 or 1.2. Task-number: QTBUG-26866 Change-Id: I159da548546fa746c20e9e96bc0e5b785e4e761b Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* QtNetwork: use nullary version of qRegisterMetaType<T>("T")Marc Mutz2012-07-251-4/+0
| | | | | | | | | | | | | | | | | Using the nullary version has the advantage that multiple calls during a program run are much more efficient, since an inlined atomic is used to store the result. It also ensures that Q_DECLARE_METATYPE(T) has been used, whereas qRegisterMetaType<T>("T") will happily register anything. So I've added the macro where it was missing, or moved it to a central place when it existed hidden. In tst_qnetworkreply, this became a bit tricky, because a private header is conditionally included, so moved the Q_DECLARE_METATYPE() into a conditional section, too. Change-Id: I71484523e4277f4697b7d4b2ddc3505375162727 Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
* QtNetwork: remove double buffering on socketsMartin Petersson2012-06-261-2/+3
| | | | | | | | | Removes the readBuffer from the QAbstractSocket since data is already buffered in the QIODevice. Change-Id: I4e50b791fd2852455e526fa2c07089d4d3f0b2a4 Reviewed-by: Prasanth Ullattil <prasanth.ullattil@nokia.com> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* Fix deprecated API warningShane Kearns2012-05-231-1/+1
| | | | | | | | | | Check for blacklisting in case the application has blacklisted a cert before windows has (currently unlikely as the blacklist is hardcoded in Qt) Don't need to check for time validity because that's already checked by the windows API. Change-Id: I34da5c4a8a0f8851b9b7668fc421a93c360c8588 Reviewed-by: Richard J. Moore <rich@kde.org>
* Change remaining uses of {to,from}Ascii to {to,from}Latin1 [QtNetwork]Thiago Macieira2012-05-041-1/+1
| | | | | | | | | | | | This operation should be a no-op anyway, since at this point in time, the fromAscii and toAscii functions simply call their fromLatin1 and toLatin1 counterparts. Task-number: QTBUG-21872 Change-Id: I94cc301ea75cc689bcb6e2d417120cf14e36808d Reviewed-by: Lars Knoll <lars.knoll@nokia.com> Reviewed-by: Shane Kearns <shane.kearns@accenture.com> Reviewed-by: Richard J. Moore <rich@kde.org>
* Rename QAbstractSocket::PauseOnNotify -> PauseOnSslErrorsShane Kearns2012-05-041-1/+1
| | | | | | | | | | | | | | | Although we created an enum for pause modes to make 5.x binary compatible with 5.0, the enum value is not well named. In 5.1, we propose to add PauseOnProxyAuthentication to the enum. PauseOnNotify is not clear what it means, while PauseOnSslErrors is. Any new notification in a minor release would need a new enum value otherwise applications would get pauses they did not expect. Task-number: QTBUG-19032 Change-Id: I4dbb7467663b37ca7f0551d24a31bc013968bedc Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
* Fix windows cert fetcher if site presents full chainShane Kearns2012-05-041-1/+3
| | | | | | | | | | | | | | | | | If a website presents the complete certificate chain in the handshake i.e. site -> intermediate CA -> root CA then openssl gives a different error (SelfSignedCertificateInChain) Because of this windows feature, that either means the site is signed by an untrusted CA, or the CA trust status is unknown because we don't have the root cert in the cert store. In any case, calling the windows verification function results in a trusted chain & the root being added to the cert store. Task-number: QTBUG-24827 Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6 Reviewed-by: Richard J. Moore <rich@kde.org>
* Optimise windows cert fetching and fix test case.Shane Kearns2012-05-031-4/+22
| | | | | | | | | | | | | If we're not going to verify the peer, or we know in advance that windows won't have a CA root then don't ask it to verify the certificate chain. The test case started failing in CI when the windows cert fetcher was integrated due to timing change. I've relaxed the timing requirement of the test to avoid it being unstable. Task-number: QTBUG-24827 Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054 Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
* Fixed compile of QSslSocket with -qtnamespace on Windows.Rohan McGovern2012-05-011-2/+4
| | | | | | | | | | | Q_DECLARE_METATYPE must be outside of the qt namespace. System headers must be included outside of the qt namespace. Change-Id: I2f48b1df87e5edae2baee6ce813af08d3e011dc0 Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com> Reviewed-by: Toby Tomkins <toby.tomkins@nokia.com> Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* QSslSocket: call to ERR_free_strings to free loaded error stringsMartin Petersson2012-04-201-0/+2
| | | | | | | | | | Since we are calling q_SSL_load_error_strings to load error strings we should call ERR_free_strings to free the memory again. Task-number: QTBUG-15732 Change-Id: Ie41291bb0e1434f82025378edfca51930712a8aa Reviewed-by: Shane Kearns <shane.kearns@accenture.com> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* fix qsslsocket build in -permissive mode (assigning const char* to char*)Konstantin Ritt2012-04-191-1/+1
| | | | | Change-Id: I76269630ebabdf601c2fcb5f65a8dffbd6cdbc5e Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* Change coreservices -> iosIan Dean2012-04-191-3/+3
| | | | | | | | Replace "contains(QT_CONFIG, coreservices)" with "!ios" in config files. Replace "QT_NO_CORESERVICES" with "Q_OS_IOS" in source files. Change-Id: Id3b02316b245a24ce550e0b47596d18a4a409e4f Reviewed-by: Morten Johan Sørvig <morten.sorvig@nokia.com>
* Added iOS compatibility.Qt4iOS2012-04-131-3/+3
| | | | | | | Put MacOS-specific code into #ifdef blocks to enable compilation on iOS. Change-Id: I0bb3846f457d1b3a56d99fe182b1718bc8429117 Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
* Use windows API to update missing CA rootsShane Kearns2012-04-111-14/+224
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Windows ships with a minimal set of CA roots. When using windows API to verify a certificate, it will fetch the root certificate from windows update (assuming it is part of the Microsoft trust program). As we are using openssl, this does not happen transparently. If SSL errors occur which indicate a broken chain then attempt to fix it using the windows API before emitting sslErrors. If the system CA certs are not in use (a CA bundle has been set on the socket or as the global configuration), then this is skipped. This is so an application can continue to use its own cert bundle rather than trusting the system certs. Key usage is specified, so that windows will return not trusted status if the root is not suitable for SSL (server auth or client auth OID). Testability: - to test, must delete the CA cert(s) from the "third party root certification authorities" section of the cert store using mmc.exe. - If the workaround of installing the windows XP cert bundle was performed, then you also need to delete certs from the "trusted root certification authorities" section. This is dangerous, be careful not to delete the required certificates which are documented on MS website - Naturally, modifying these areas of the cert store requires elevated privilege. Task-number: QTBUG-24827 Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* Use SSL_MODE_RELEASE_BUFFERS in QSslSocketMartin Petersson2012-03-091-0/+7
| | | | | | | | | | | | If SSL_MODE_RELEASE_BUFFERS is available we should tell OpenSSL to release memory early. http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html Task-number: QTBUG-14985 Change-Id: Ib6656ebb3c4d67ca868b317ee83ddbf0983953f9 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Shane Kearns <shane.kearns@accenture.com> Reviewed-by: Markus Goetz <markus@woboq.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-21 16:38:59 +0000