projects / qt6-base.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 37e802b) | patch
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
authorMårten Nordheim <marten.nordheim@qt.io>
Wed, 10 May 2023 14:43:41 +0000 (16:43 +0200)
committerPatrick Franz <deltaone@debian.org>
Tue, 8 Aug 2023 06:40:37 +0000 (07:40 +0100)
commit34d366819b4d0450b5f7ab8f6cbf773a9fd0bb67
tree736a9297ec0e1714cb270f8934afe60fa0984805tree | snapshot
parent37e802b4dba912bc89efcbd7da91ac6134fad8b8commit | diff
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff
src/plugins/tls/schannel/qtls_schannel.cpp diff | blob | history
tests/manual/network/ssl/client-auth/CMakeLists.txt [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/.gitignore [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/accepted-client.conf [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/generate.sh [new file with mode: 0755] blob
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.