[PATCH] Schannel: Reject certificate not signed by a configured CA certificate
Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.
To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.
Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-
ada2c57.diff
[PATCH] Ssl: Copy the on-demand cert loading bool from default config
Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.
Follow-up to/amends
ada2c573c1a25f8d96577734968fe317ddfa292a
This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.
Pick-to: 6.5 6.2 5.15
Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Gbp-Pq: Name cve-2023-34410-
57ba626.diff
qt6-base (6.4.2+dfsg-18) unstable; urgency=medium
[ Helmut Grohne ]
* Fix FTCBFS: Do build sqlbrowser. (Closes: #
1042709)
* Move from deprecated QT_BUILD_TOOLS_WHEN_CROSSCOMPILING to
QT_FORCE_BUILD_TOOLS.
[ John Paul Adrian Glaubitz ]
* Add Add-SH-detection.patch in order to restore SH detection
(Closes: #
1043225).
[dgit import unpatched qt6-base 6.4.2+dfsg-18]
projects / qt6-base.git / log