[Development] OpenSSL certificate validation

Thiago Macieira thiago.macieira at intel.com
Tue Aug 13 17:57:56 CEST 2013

On terça-feira, 13 de agosto de 2013 14:21:24, Florian Weimer wrote:
> On 08/13/2013 01:55 PM, Florian Weimer wrote:
> > network/ssl/qsslsocket_openssl.cpp contains these lines in
> > 
> > QSslSocketBackendPrivate::initSslContext():
> >      // Register a custom callback to get all verification errors.
> >      X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
> > 
> > This causes connection failures when a client certificate has been
> > configured which is not trusted according to the configured root
> > certificate set.  That's because OpenSSL uses certificate verification
> > to complete the certificate chain.  OpenSSL clears any error flags after
> > that, but it cannot undo the side effects of the registered callback. Qt
> > later sees the recorded validation failures, and the connection cannot
> > be established.
> > 
> > Is this the expected behavior?  Should these two lines be removed.
> > (There is different certificate checking using another callback further
> > down the file.)
> I neglected to mention: OpenSSL upstream confirmed that it's sufficient
> to set a callback using SSL_CTX_set_verify, which Qt already does
> further down in the same function.  This callback isn't called for
> certificate chain construction.

It looks that function is used only to store the certificates and error IDs 
during the verification process, not to implement it. We need to get a result 
from OpenSSL whether the verification was successful or not, and if it was not 
successful, the details why.

If there's a better API for it than a global callback that doesn't get a 
context token passed, we're all ears :-)

Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.qt-project.org/pipermail/development/attachments/20130813/2664fc9c/attachment.sig>

More information about the Development mailing list