[Development] OpenSSL certificate validation

Florian Weimer fweimer at redhat.com
Tue Aug 13 13:55:21 CEST 2013

network/ssl/qsslsocket_openssl.cpp contains these lines in 

     // Register a custom callback to get all verification errors.
     X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

This causes connection failures when a client certificate has been 
configured which is not trusted according to the configured root 
certificate set.  That's because OpenSSL uses certificate verification 
to complete the certificate chain.  OpenSSL clears any error flags after 
that, but it cannot undo the side effects of the registered callback. 
Qt later sees the recorded validation failures, and the connection 
cannot be established.

Is this the expected behavior?  Should these two lines be removed. 
(There is different certificate checking using another callback further 
down the file.)

Florian Weimer / Red Hat Product Security Team

More information about the Development mailing list