projects / qt6-base.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a876829) | patch
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
authorMårten Nordheim <marten.nordheim@qt.io>
Wed, 10 May 2023 14:43:41 +0000 (16:43 +0200)
committerPatrick Franz <deltaone@debian.org>
Sat, 28 Oct 2023 09:26:45 +0000 (11:26 +0200)
commit3e047eb145fa8c4531be563d8923a4cd63abfd40
tree7d9021a35d27c2aa8a6b1d62b33611169e749552tree | snapshot
parenta87682999b53dafd60992538806064d89ab7ecc4commit | diff
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff
src/plugins/tls/schannel/qtls_schannel.cpp diff | blob | history
tests/manual/network/ssl/client-auth/CMakeLists.txt [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/.gitignore [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/accepted-client.conf [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/generate.sh [new file with mode: 0755] blob
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.