projects / qt6-base.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 68c9210) | patch
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
authorMårten Nordheim <marten.nordheim@qt.io>
Wed, 10 May 2023 14:43:41 +0000 (16:43 +0200)
committerBenjamin Drung <bdrung@debian.org>
Thu, 29 Feb 2024 21:45:27 +0000 (21:45 +0000)
commit61c748d4985180184f4add932e8518699c035722
tree2ecb4273f56170acadadf999ebb53cbbdafa9ccbtree | snapshot
parent68c9210e56e4117de41461c0fb56b196387a20becommit | diff
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff
src/plugins/tls/schannel/qtls_schannel.cpp diff | blob | history
tests/manual/network/ssl/client-auth/CMakeLists.txt [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/.gitignore [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/accepted-client.conf [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/generate.sh [new file with mode: 0755] blob
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.