[Development] OpenSSL certificate validation
Thiago Macieira
thiago.macieira at intel.com
Tue Aug 13 17:57:56 CEST 2013
On Tuesday, 13 August 2013 14:21:24, Florian Weimer wrote:
> On 08/13/2013 01:55 PM, Florian Weimer wrote:
> > network/ssl/qsslsocket_openssl.cpp contains these lines in
> >
> > QSslSocketBackendPrivate::initSslContext():
> > // Register a custom callback to get all verification errors.
> > X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
> >
> > This causes connection failures when a client certificate has been
> > configured which is not trusted according to the configured root
> > certificate set. That's because OpenSSL uses certificate verification
> > to complete the certificate chain. OpenSSL clears any error flags after
> > that, but it cannot undo the side effects of the registered callback. Qt
> > later sees the recorded validation failures, and the connection cannot
> > be established.
> >
> > Is this the expected behavior? Should these two lines be removed?
> > (There is different certificate checking using another callback further
> > down the file.)
>
> I neglected to mention: OpenSSL upstream confirmed that it's sufficient
> to set a callback using SSL_CTX_set_verify, which Qt already does
> further down in the same function. This callback isn't called for
> certificate chain construction.
It looks like that function is used only to store the certificates and error IDs
during the verification process, not to implement it. We need to get a result
from OpenSSL whether the verification was successful or not, and if it was not
successful, the details why.
If there's a better API for it than a global callback that doesn't get a
context token passed, we're all ears :-)
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center