From c5bde010eabb79b10cea630d366d94ff5981fa57 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov
Date: Wed, 15 Aug 2018 09:38:58 +0200
Subject: DTLS: load roots from system stores only if allowed
Respect allowRootCertOnDemandLoading, as it's done in QSslSocket (well, almost as in QSslSocket).
Change-Id: Ic6cbb24a91e92cdb20f5f749553f15a62aae8b02
Reviewed-by: Edward Welbourne
---
 src/network/ssl/qdtls.cpp | 1 +
 src/network/ssl/qdtls_openssl.cpp | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/network/ssl/qdtls.cpp b/src/network/ssl/qdtls.cpp
index e9c462cd80..da37951de2 100644
--- a/src/network/ssl/qdtls.cpp
+++ b/src/network/ssl/qdtls.cpp
@@ -369,6 +369,7 @@ void QDtlsBasePrivate::setConfiguration(const QSslConfiguration &configuration)
 dtlsConfiguration.nextNegotiatedProtocol = configuration.nextNegotiatedProtocol();
 dtlsConfiguration.nextProtocolNegotiationStatus = configuration.nextProtocolNegotiationStatus();
 dtlsConfiguration.dtlsCookieEnabled = configuration.dtlsCookieVerificationEnabled();
+ dtlsConfiguration.allowRootCertOnDemandLoading = configuration.d->allowRootCertOnDemandLoading;
 clearDtlsError();
 }
diff --git a/src/network/ssl/qdtls_openssl.cpp b/src/network/ssl/qdtls_openssl.cpp
index 1f4b5a0419..8be53df24f 100644
--- a/src/network/ssl/qdtls_openssl.cpp
+++ b/src/network/ssl/qdtls_openssl.cpp
@@ -732,11 +732,9 @@ bool DtlsState::initCtxAndConnection(QDtlsBasePrivate *dtlsBase)
 configurationCopy->ref.store(0); // the QSslConfiguration constructor refs up
 // DTLSTODO: check we do not set something DTLS-incompatible there ...
- // 'true' - means load root certs on-demand loading - double check how this
- // expected to be done (QSslSocket).
 TlsContext newContext(QSslContext::sharedFromConfiguration(dtlsBase->mode,
 configurationCopy,
- true));
+ dtlsBase->dtlsConfiguration.allowRootCertOnDemandLoading));
 if (newContext->error() != QSslError::NoError) {
 dtlsBase->setDtlsError(QDtlsError::TlsInitializationError, newContext->errorString());
--
cgit v1.2.3
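Review bot: The third argument of `QSslContext::sharedFromConfiguration(...)` in `initCtxAndConnection` now decides whether system root stores take part in DTLS peer verification, yet the hunk drops the only comment on it and adds none. I would put `// Load roots from the system stores only if the configuration allows on-demand loading (as QSslSocket does).` above the `TlsContext newContext(` line. The flag is populated only by the field copy added to `QDtlsBasePrivate::setConfiguration` in qdtls.cpp, so its value when `setConfiguration` was never called depends on a default that this patch does not show and is worth confirming, given that the argument was a hard-coded `true` before. A regression test for the restricted case (flag false, peer chain ending in a root present only in the system store, verification expected to fail) would keep this trust decision from silently widening again. The function body starts and ends outside the hunk.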