From a6e0e7909bc6eaaf2d1fd1dc17cab85d90dcdc61 Mon Sep 17 00:00:00 2001
From: Peter Hartmann
Date: Mon, 5 Sep 2011 12:53:49 +0200
Subject: QSslCertificate: block all DigiNotar (intermediate and root) certs

and do not only check leaf certificates, but all intermediates and the root.
Tested manually with the cross-signed intermediates.

Change-Id: I860dc9b568bc244abc9228486dbb374a1a2b47c4
Reviewed-by: Richard J. Moore
(cherry picked from commit 64adbd0c5775f97343afbe0e7b5fde0d70bdaedd)
Reviewed-on: http://codereview.qt.nokia.com/4291
Reviewed-by: Peter Hartmann
---
 src/network/ssl/qsslsocket_openssl.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'src/network/ssl/qsslsocket_openssl.cpp')

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0ff17910f3..14a3899bfd 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1270,12 +1270,15 @@ bool QSslSocketBackendPrivate::startHandshake()
     // Start translating errors.
     QList errors;
-    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
-        QSslError error(QSslError::CertificateBlacklisted, configuration.peerCertificate);
-        errors << error;
-        emit q->peerVerifyError(error);
-        if (q->state() != QAbstractSocket::ConnectedState)
-            return false;
+    // check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
+    foreach (const QSslCertificate &cert, configuration.peerCertificateChain) {
+        if (QSslCertificatePrivate::isBlacklisted(cert)) {
+            QSslError error(QSslError::CertificateBlacklisted, cert);
+            errors << error;
+            emit q->peerVerifyError(error);
+            if (q->state() != QAbstractSocket::ConnectedState)
+                return false;
+        }
     }
     bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
-- 
cgit v1.2.3
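Review bot: The new foreach walks configuration.peerCertificateChain, which by its name is the chain the peer presented rather than the chain that verification built, so a blacklisted issuer that the peer omits and that the local CA store supplies is never passed to isBlacklisted itself; it is caught only if, as the added comment states, isBlacklisted also matches on the issuer of the certificate it signed. That indirect coverage is the property the whole change rests on and should be spelled out where a later reader will see it: `// check every certificate the peer presented (leaf, intermediates, root when sent); a blacklisted issuer the peer did not send is still caught because isBlacklisted also matches each certificate's issuer`. Where the chain is populated from is not visible here, and startHandshake() starts and ends outside the hunk. A side effect worth a sentence in the peerVerifyError documentation is that every blacklisted certificate in the chain now appends its own QSslError and emits the signal once per hit, so a handler that counts or deduplicates errors sees more than one for a single bad chain.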