On Tuesday, 13 August 2013 14:21:24, Florian Weimer wrote:
> On 08/13/2013 01:55 PM, Florian Weimer wrote:
> > network/ssl/qsslsocket_openssl.cpp contains these lines in
> > QSslSocketBackendPrivate::initSslContext():
> >
> >     // Register a custom callback to get all verification errors.
> >     X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
> >
> > This causes connection failures when a client certificate has been
> > configured which is not trusted according to the configured root
> > certificate set. That's because OpenSSL uses certificate verification
> > to complete the certificate chain. OpenSSL clears any error flags after
> > that, but it cannot undo the side effects of the registered callback. Qt
> > later sees the recorded validation failures, and the connection cannot
> > be established.
> >
> > Is this the expected behavior? Should these two lines be removed?
> > (There is different certificate checking using another callback further
> > down the file.)
>
> I neglected to mention: OpenSSL upstream confirmed that it's sufficient
> to set a callback using SSL_CTX_set_verify, which Qt already does
> further down in the same function. This callback isn't called for
> certificate chain construction.
It looks like that function is used only to store the certificates and error IDs during the verification process, not to implement it. We need to get a result from OpenSSL whether the verification was successful or not, and if it was not successful, the details why. If there's a better API for it than a global callback that doesn't get a context token passed, we're all ears :-)

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
