diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 6ec00e17cb3..822ac941529 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2007,6 +2007,10 @@ QSslSocketPrivate::QSslSocketPrivate() , flushTriggered(false) { QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); + // If the global configuration doesn't allow root certificates to be loaded + // on demand then we have to disable it for this socket as well. + if (!configuration.allowRootCertOnDemandLoading) + allowRootCertOnDemandLoading = false; const auto *tlsBackend = tlsBackendInUse(); if (!tlsBackend) { @@ -2312,6 +2316,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri ptr->sessionProtocol = global->sessionProtocol; ptr->ciphers = global->ciphers; ptr->caCertificates = global->caCertificates; + ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading; ptr->protocol = global->protocol; ptr->peerVerifyMode = global->peerVerifyMode; ptr->peerVerifyDepth = global->peerVerifyDepth; diff --git a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp index 2307cbb1911..4d4aaca7e34 100644 --- a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp +++ b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp @@ -16,6 +16,9 @@ // but the other side presents a certificate signed by a different CA. constexpr bool TestServerPresentsIncorrectCa = false; constexpr bool TestClientPresentsIncorrectCa = true; +// Decides whether or not to put the root CA into the global ssl configuration +// or into the socket's specific ssl configuration. +constexpr bool UseGlobalConfiguration = true; class ServerThread : public QThread { @@ -26,8 +29,10 @@ public: QSslServer server; QSslConfiguration config = server.sslConfiguration(); - QList certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem")); - config.setCaCertificates(certs); + if (!UseGlobalConfiguration) { + QList certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem")); + config.setCaCertificates(certs); + } config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem")) .first()); QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem")); @@ -73,6 +78,12 @@ int main(int argc, char **argv) if (!QFileInfo(u":/rootCA.pem"_s).exists()) qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?"); + if (UseGlobalConfiguration) { + QSslConfiguration config = QSslConfiguration::defaultConfiguration(); + config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s)); + QSslConfiguration::setDefaultConfiguration(config); + } + ServerThread serverThread; serverThread.start(); @@ -88,12 +99,19 @@ int main(int argc, char **argv) keyFileName = u":/accepted-client-key.pem"_s; } config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first()); - if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail + if (!UseGlobalConfiguration && TestServerPresentsIncorrectCa) { + // Verify server using incorrect CA: should fail config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s)); + } else if (UseGlobalConfiguration && !TestServerPresentsIncorrectCa) { + // Verify server using correct CA, we need to explicitly set the + // system CAs when the global config is overridden. + config.setCaCertificates(QSslConfiguration::systemCaCertificates()); + } QFile keyFile(keyFileName); if (!keyFile.open(QIODevice::ReadOnly)) qFatal("Failed to open key file"); config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa)); + socket.setSslConfiguration(config); QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });