[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
author Mårten Nordheim <marten.nordheim@qt.io>
Wed, 10 May 2023 14:43:41 +0000 (16:43 +0200)
committer Raspbian forward porter <root@raspbian.org>
Wed, 7 Feb 2024 11:12:42 +0000 (11:12 +0000)
commit 5d24e6fb13a07d5d097a293c4190b1bd7bb01bb8
tree f88774c5ffa5d4727669b4b4cdaf461e3ce4f3ff
parent a45e2e2f7966e1f3f654a55469bf7f2d86491669

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
The general expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff
src/plugins/tls/schannel/qtls_schannel.cpp
tests/manual/network/ssl/client-auth/CMakeLists.txt [new file with mode: 0644]
tests/manual/network/ssl/client-auth/certs/.gitignore [new file with mode: 0644]
tests/manual/network/ssl/client-auth/certs/accepted-client.conf [new file with mode: 0644]
tests/manual/network/ssl/client-auth/certs/generate.sh [new file with mode: 0755]
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp [new file with mode: 0644]