[Development] OpenSSL certificate validation

Florian Weimer fweimer at redhat.com
Tue Aug 13 14:21:24 CEST 2013

On 08/13/2013 01:55 PM, Florian Weimer wrote:
> network/ssl/qsslsocket_openssl.cpp contains these lines in
> QSslSocketBackendPrivate::initSslContext():
>      // Register a custom callback to get all verification errors.
>      X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
> This causes connection failures when a client certificate has been
> configured which is not trusted according to the configured root
> certificate set.  That's because OpenSSL uses certificate verification
> to complete the certificate chain.  OpenSSL clears any error flags after
> that, but it cannot undo the side effects of the registered callback. Qt
> later sees the recorded validation failures, and the connection cannot
> be established.
> Is this the expected behavior?  Should these two lines be removed.
> (There is different certificate checking using another callback further
> down the file.)

I neglected to mention: OpenSSL upstream confirmed that it's sufficient 
to set a callback using SSL_CTX_set_verify, which Qt already does 
further down in the same function.  This callback isn't called for 
certificate chain construction.

Florian Weimer / Red Hat Product Security Team

More information about the Development mailing list