[Development] OpenSSL certificate validation
Florian Weimer
fweimer at redhat.com
Tue Aug 13 14:21:24 CEST 2013
On 08/13/2013 01:55 PM, Florian Weimer wrote:
> network/ssl/qsslsocket_openssl.cpp contains these lines in
> QSslSocketBackendPrivate::initSslContext():
>
> // Register a custom callback to get all verification errors.
> X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
>
> This causes connection failures when a client certificate has been
> configured which is not trusted according to the configured root
> certificate set. That's because OpenSSL uses certificate verification
> to complete the certificate chain. OpenSSL clears any error flags after
> that, but it cannot undo the side effects of the registered callback. Qt
> later sees the recorded validation failures, and the connection cannot
> be established.
>
> Is this the expected behavior? Should these two lines be removed?
> (There is different certificate checking using another callback further
> down the file.)
I neglected to mention: OpenSSL upstream confirmed that it's sufficient
to set a callback using SSL_CTX_set_verify, which Qt already does
further down in the same function. This callback isn't called for
certificate chain construction.
--
Florian Weimer / Red Hat Product Security Team