projects / qt6-base.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7fcf85a) | patch
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
authorMårten Nordheim <marten.nordheim@qt.io>
Wed, 10 May 2023 14:43:41 +0000 (16:43 +0200)
committerPatrick Franz <deltaone@debian.org>
Sat, 13 Jan 2024 13:53:25 +0000 (14:53 +0100)
commit6d21a2fa8e2410f143fac271d593c46326e89a91
treeabb8c6c43964d79892d5dfa919c17a459b0d63e0tree | snapshot
parent7fcf85a3b4f1508bc8f8a52006f79b05f3ec541bcommit | diff
[PATCH] Schannel: Reject certificate not signed by a configured CA certificate

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff
src/plugins/tls/schannel/qtls_schannel.cpp diff | blob | history
tests/manual/network/ssl/client-auth/CMakeLists.txt [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/.gitignore [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/accepted-client.conf [new file with mode: 0644] blob
tests/manual/network/ssl/client-auth/certs/generate.sh [new file with mode: 0755] blob
tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.