From: Debian Qt/KDE Maintainers Date: Sun, 3 Mar 2024 09:03:16 +0000 (+0000) Subject: Ssl: Copy the on-demand cert loading bool from default config X-Git-Tag: archive/raspbian/5.15.13+dfsg-2+rpi1~1^2^2~23 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7607180996528305132c89a3c9aad3a0b03bf4dd;p=qtbase-opensource-src.git Ssl: Copy the on-demand cert loading bool from default config Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=57ba6260c0801055 Last-Update: 2023-06-08 Otherwise individual sockets will still load system certificates when a chain doesn't match against the configured CA certificates. That's not intended behavior, since specifically setting the CA certificates means you don't want the system certificates to be used. This is potentially a breaking change because now, if you ever add a CA to the default config, it will disable loading system certificates on demand for all sockets. And the only way to re-enable it is to create a null-QSslConfiguration and set it as the new default. Gbp-Pq: Name CVE-2023-34410.diff --- diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 5bb6e7ee4..2a0b3a4f1 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate() , flushTriggered(false) { QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); + // If the global configuration doesn't allow root certificates to be loaded + // on demand then we have to disable it for this socket as well. + if (!configuration.allowRootCertOnDemandLoading) + allowRootCertOnDemandLoading = false; } /*! 
@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri ptr->sessionProtocol = global->sessionProtocol; ptr->ciphers = global->ciphers; ptr->caCertificates = global->caCertificates; + ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading; ptr->protocol = global->protocol; ptr->peerVerifyMode = global->peerVerifyMode; ptr->peerVerifyDepth = global->peerVerifyDepth;
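Review bot: In the first hunk (QSslSocketPrivate constructor), the sync of `allowRootCertOnDemandLoading` from the copied default configuration happens only at construction time, so a configuration applied later through `QSslSocket::setSslConfiguration()` does not pass through this check; it would be worth confirming that the setter path also honours the configuration's flag, otherwise a socket created before CA certificates were set on the default configuration keeps loading system roots on demand. The one-directional condition (`if (!configuration.allowRootCertOnDemandLoading) allowRootCertOnDemandLoading = false;`) is fine as a conservative default, but the comment should say explicitly that it never re-enables on-demand loading for a socket, since that matches the "only way to re-enable it" caveat in the commit message.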
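Review bot: In the second hunk (`deepCopyDefaultConfiguration`), copying `ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;` is the change that actually carries the opt-out from the default configuration to each socket, and it should be checked that every other place that clones a `QSslConfigurationPrivate` (copy constructor, assignment) copies this field as well, since a single path that drops it would silently reintroduce the fallback to system certificates that this patch closes. Because the commit message flags this as a behaviour change for anyone who adds a CA to the default configuration, the user-facing note (that adding CA certificates to the default configuration now disables on-demand root loading for all sockets, and that a null `QSslConfiguration` set as the new default is the way to restore it) belongs in the `QSslConfiguration` documentation and changelog, not only in this commit.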