From 4581cd5fb664676cadda855490b3f21c2ed28a58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Klitzing?=
Date: Fri, 17 Jul 2020 15:47:33 +0200
Subject: Fix OCSP-Stapling error if identity cannot be verified If QSslConfiguration::setCaCertificates is set to empty list openssl cannot verify the OCSP-Response. Qt will provide it as QSslError::OcspResponseCannotBeTrusted that can be ignored. But the openssl error is still in the error queue and prevents a successful reply in QNetworkReply::finished. So let's clear the queue after OCSP checking to avoid side affects.
Change-Id: I44a7f45a2eebd20ea86a235a0534f80986c40a26
Fixes: QTBUG-85638
Pick-to: 5.15
Reviewed-by: Timur Pocheptsov
---
src/network/ssl/qsslsocket_openssl.cpp | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'src/network/ssl/qsslsocket_openssl.cpp')
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 02ce1ed183..43fe94639f 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -84,6 +84,7 @@ #include #include #include +#include #include #include
@@ -1802,6 +1803,10 @@ bool QSslSocketBackendPrivate::checkOcspStatus() Q_ASSERT(mode == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode Q_ASSERT(configuration.peerVerifyMode != QSslSocket::VerifyNone); + const auto clearErrorQueue = qScopeGuard([] { + logAndClearErrorQueue(); + }); + ocspResponses.clear(); ocspErrorDescription.clear(); ocspErrors.clear();
--
cgit v1.2.3
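Review bot: The scope guard added at the top of checkOcspStatus() has no comment saying why the OpenSSL error queue must be drained on every exit path; that reasoning is only in the commit message. A short comment above the guard would keep it from being removed later as apparently dead code, for example `// OCSP verification can leave entries in OpenSSL's error queue; drain it on every return so later TLS I/O does not misread them (QTBUG-85638).` Because the guard runs unconditionally, it presumably also logs and drops entries queued before this function was entered, which would then appear in the log as OCSP-related. This is inferred from the helper's name, since the rest of the function body lies outside the hunk. The diffstat shows only this file changed, so a regression test covering an empty CA list with stapling enabled would be worth adding alongside.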