[Development] OpenSSL certificate validation
Florian Weimer
fweimer at redhat.com
Tue Aug 13 13:55:21 CEST 2013

network/ssl/qsslsocket_openssl.cpp contains these lines in
QSslSocketBackendPrivate::initSslContext():

    // Register a custom callback to get all verification errors.
    X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

This causes connection failures when a client certificate has been
configured which is not trusted according to the configured root
certificate set. That's because OpenSSL uses certificate verification
to complete the certificate chain. OpenSSL clears any error flags after
that, but it cannot undo the side effects of the registered callback.
Qt later sees the recorded validation failures, and the connection
cannot be established.

Is this the expected behavior? Should these two lines be removed?
(There is different certificate checking using another callback further
down the file.)

--
Florian Weimer / Red Hat Product Security Team
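
The side effect described in the message above, as an added example that is not part of the original post and is neither Qt nor OpenSSL code: a simplified C++ model in which every name (Cert, Store, verify, build_local_chain, handshake) is hypothetical. It compares a store-wide callback that records every error with one that records only while the peer's chain is verified, and assumes the callback returns 1 so verification continues.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Simplified model, not OpenSSL or Qt code; all names are hypothetical.
struct Cert { std::string subject; bool trusted; };
using VerifyCb = std::function<int(int ok, const Cert&)>;
struct Store { VerifyCb cb; };  // stands in for the store and its verify callback

// Verification reports every untrusted certificate to the store callback.
static int verify(const Store& s, const std::vector<Cert>& chain) {
    int failed = 0;
    for (const Cert& c : chain) {
        int ok = c.trusted ? 1 : 0;
        if (s.cb) ok = s.cb(ok, c);
        if (!ok) failed = 1;
    }
    return failed;
}

// Chain completion reuses verification and discards only the result.
static void build_local_chain(const Store& s, const Cert& local) {
    (void)verify(s, {local});
}

// scoped=false: the callback records every error it is shown.
// scoped=true: it records only while the peer's chain is being verified.
static std::vector<std::string> handshake(bool scoped, const Cert& local,
                                          const std::vector<Cert>& peer) {
    std::vector<std::string> errors;  // what the application inspects afterwards
    bool verifying_peer = false;
    Store store;
    store.cb = [&](int ok, const Cert& c) {
        if (!ok && (!scoped || verifying_peer))
            errors.push_back("untrusted: " + c.subject);
        return 1;  // assumption: the callback lets verification continue
    };
    build_local_chain(store, local);
    verifying_peer = true;
    (void)verify(store, peer);
    return errors;
}

int main() {
    Cert client{"CN=client (constructed)", false};
    std::vector<Cert> server{{"CN=server (constructed)", true}};
    std::printf("unscoped: %zu, scoped: %zu\n", handshake(false, client, server).size(),
                handshake(true, client, server).size());
}
```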