1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ssl: Copy the on-demand cert loading bool from default config

Browse Source 
Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.

Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a

This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.

Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
(cherry picked from commit 57ba6260c0801055b7188fdaa1818b940590f5f1)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Mårten Nordheim 2023-05-25 14:40:29 +02:00 committed by Qt Cherry-pick Bot
parent 290db1881d
commit c53a3d9fb1
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/network/ssl/qsslsocket.cpp
View File

@ -2007,6 +2007,10 @@ QSslSocketPrivate::QSslSocketPrivate()
, flushTriggered(false) , flushTriggered(false)
{ {
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
// If the global configuration doesn't allow root certificates to be loaded
// on demand then we have to disable it for this socket as well.
if (!configuration.allowRootCertOnDemandLoading)
allowRootCertOnDemandLoading = false;
const auto *tlsBackend = tlsBackendInUse(); const auto *tlsBackend = tlsBackendInUse();
if (!tlsBackend) { if (!tlsBackend) {
@ -2312,6 +2316,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
ptr->sessionProtocol = global->sessionProtocol; ptr->sessionProtocol = global->sessionProtocol;
ptr->ciphers = global->ciphers; ptr->ciphers = global->ciphers;
ptr->caCertificates = global->caCertificates; ptr->caCertificates = global->caCertificates;
ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
ptr->protocol = global->protocol; ptr->protocol = global->protocol;
ptr->peerVerifyMode = global->peerVerifyMode; ptr->peerVerifyMode = global->peerVerifyMode;
ptr->peerVerifyDepth = global->peerVerifyDepth; ptr->peerVerifyDepth = global->peerVerifyDepth;

20
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
View File

@ -16,6 +16,9 @@
// but the other side presents a certificate signed by a different CA. // but the other side presents a certificate signed by a different CA.
constexpr bool TestServerPresentsIncorrectCa = false; constexpr bool TestServerPresentsIncorrectCa = false;
constexpr bool TestClientPresentsIncorrectCa = true; constexpr bool TestClientPresentsIncorrectCa = true;
// Decides whether or not to put the root CA into the global ssl configuration
// or into the socket's specific ssl configuration.
constexpr bool UseGlobalConfiguration = true;
class ServerThread : public QThread class ServerThread : public QThread
{ {
@ -26,8 +29,10 @@ public:
QSslServer server; QSslServer server;
QSslConfiguration config = server.sslConfiguration(); QSslConfiguration config = server.sslConfiguration();
if (!UseGlobalConfiguration) {
QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem")); QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
config.setCaCertificates(certs); config.setCaCertificates(certs);
}
config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem")) config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem"))
.first()); .first());
QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem")); QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem"));
@ -73,6 +78,12 @@ int main(int argc, char **argv)
if (!QFileInfo(u":/rootCA.pem"_s).exists()) if (!QFileInfo(u":/rootCA.pem"_s).exists())
qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?"); qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?");
if (UseGlobalConfiguration) {
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
QSslConfiguration::setDefaultConfiguration(config);
}
ServerThread serverThread; ServerThread serverThread;
serverThread.start(); serverThread.start();
@ -88,12 +99,19 @@ int main(int argc, char **argv)
keyFileName = u":/accepted-client-key.pem"_s; keyFileName = u":/accepted-client-key.pem"_s;
} }
config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first()); config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first());
if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail if (!UseGlobalConfiguration && TestServerPresentsIncorrectCa) {
// Verify server using incorrect CA: should fail
config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s)); config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
} else if (UseGlobalConfiguration && !TestServerPresentsIncorrectCa) {
// Verify server using correct CA, we need to explicitly set the
// system CAs when the global config is overridden.
config.setCaCertificates(QSslConfiguration::systemCaCertificates());
}
QFile keyFile(keyFileName); QFile keyFile(keyFileName);
if (!keyFile.open(QIODevice::ReadOnly)) if (!keyFile.open(QIODevice::ReadOnly))
qFatal("Failed to open key file"); qFatal("Failed to open key file");
config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa)); config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
socket.setSslConfiguration(config); socket.setSslConfiguration(config);
QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; }); QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });