Commit Graph

131 Commits (7565b4ec9565cb8e52c113c693a0865da86eaeed)

Author SHA1 Message Date
Marc Mutz 7565b4ec95 QSslSocket: remove unused variable in q_X509Callback()
It's been unused ever since it was added in
bba86a01c9.

Change-Id: I6d5bc27a0744d37f873245c92a4e6ba8fc90c062
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
2016-04-26 16:48:10 +00:00
Antonio Larrosa 063ad1c8b6 Don't include by default ciphers that are not supported
There could be cases (mostly when compiled on old systems, since modern
openssl versions don't include such insecure ciphers) in which
defaultCiphers included a cipher that wasn't in the supported ciphers
list. With this patch we make sure that defaultCiphers is a subset of
supportedCiphers

Change-Id: I545ea21f5fd3a6ed13b366cdd56a1393233f9fc9
Reviewed-by: Richard J. Moore <rich@kde.org>
2016-03-14 00:00:43 +00:00
Richard J. Moore 5fe0e41e79 Do not send the trailing dot of a hostname as part of the SNI
The SNI extension must not include the trailing dot, even though this
is legitimate for the host header.

Task-number: QTBUG-51821
Change-Id: Ib7a7d8b1f8f98bc99ae745b03d2b97e507adefaf
Reviewed-by: Daniel Molkentin (ownCloud) <danimo@owncloud.com>
2016-03-13 00:05:38 +00:00
Marc Mutz 474bee61e4 QtNetwork: convert some QDateTime::currentDateTime() to currentDateTimeUtc()
The latter is much faster as it doesn't have to deal with
time zones.

This change is safe, because the QDateTimes are only used for
comparison with other QDateTimes, which, from a quick glance around,
seem to be mostly, if not exclusively, in UTC. Comparsions work
across time zones, but the comparison between UTC date-times is
fastest.

Credits to Milian Wolff, from whose QtWS15 talk this advice is
taken.

Change-Id: I6859d886d8dc8e0a52fbe394fbb7b93a87b4739a
Reviewed-by: Milian Wolff <milian.wolff@kdab.com>
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
2015-10-27 18:27:59 +00:00
Friedemann Kleint bba86a01c9 Libraries: Fix single-character string literals.
Use character literals where applicable.

Change-Id: I8e198774c2247c1cc1d852a41b59b301199b7878
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
2015-10-13 16:37:37 +00:00
Kai Koehne a8bc96e9e5 QAbstractSocket: Consolidate error reporting
Introduce the methods setError(), setErrorAndEmit() to consistently
set the internal error state.

Change-Id: I4ff951d100cf5e9f9a7e27135bb52188cde99853
Reviewed-by: Alex Trotsenko <alex1973tr@gmail.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2015-09-14 09:38:24 +00:00
Liang Qi afab1546a7 Merge remote-tracking branch 'origin/5.5' into 5.6
Conflicts:
	qmake/doc/snippets/code/doc_src_qmake-manual.pro
	qmake/doc/src/qmake-manual.qdoc
	src/corelib/io/qstorageinfo_unix.cpp
	src/corelib/tools/qbytearray.cpp
	src/widgets/kernel/qwidgetwindow.cpp
	tests/auto/corelib/io/qprocess/tst_qprocess.cpp
	tests/auto/corelib/mimetypes/qmimedatabase/tst_qmimedatabase.cpp
	tests/auto/network/access/qnetworkreply/BLACKLIST

Change-Id: I9efcd7e1cce1c394eed425c43aa6fce7d2edf31c
2015-08-26 20:06:57 +02:00
Oswald Buddenhagen a47cd2cc82 Merge "Merge remote-tracking branch 'origin/5.4' into 5.5" into refs/staging/5.5 2015-08-12 09:53:52 +00:00
Frederik Gladhorn 77da617dc8 Merge remote-tracking branch 'origin/5.5' into dev
Conflicts:
	doc/global/qt-cpp-defines.qdocconf
	src/3rdparty/forkfd/forkfd.c
	src/corelib/codecs/qtextcodec.cpp
	src/corelib/kernel/qmetatype.cpp
	src/corelib/tools/qset.qdoc
	src/gui/accessible/qaccessible.cpp
	src/gui/image/qpixmapcache.cpp
	src/opengl/qgl.cpp
	src/tools/qdoc/generator.cpp
	src/widgets/kernel/qwidget.cpp
	tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp

Change-Id: I4fbe1fa756a54c6843aa75f4ef70a1069ba7b085
2015-08-06 10:54:01 +02:00
André Klitzing 0d3c8feeeb Fix SNI for TlsV1_0OrLater, TlsV1_1OrLater and TlsV1_2OrLater
Since SslV3, SslV2 and UnknownProtocol do not support it we can
invert the IF clause here.

Change-Id: I42e942337d01f3a8c97885b268bffa568e40d335
Task-number: QTBUG-47528
Reviewed-by: Mikkel Krautz <mikkel@krautz.dk>
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-07-30 19:50:59 +00:00
Oswald Buddenhagen 68316e6584 Merge remote-tracking branch 'origin/5.4' into 5.5
Conflicts:
	doc/global/manifest-meta.qdocconf
	src/corelib/global/qnamespace.qdoc
	src/corelib/io/qstorageinfo_unix.cpp
	src/corelib/tools/qtools_p.h
	src/sql/drivers/psql/qsql_psql.cpp

Change-Id: I23a15ac84e03ad61d865e3df872b013eb0752949
2015-07-17 17:53:19 +02:00
Markus Goetz eae0cb09f1 Network: Fix up previous corruption patch
This is a fix-up for cff39fba10.
That patch lead to some internal state issues that lead to the QTBUG-47048
or to QNetworkReply objects erroring with "Connection Closed" when
the server closed the Keep-Alive connection.

This patch changes the QNAM socket slot connections to be DirectConnection.
We don't close the socket anymore in slots where it is anyway in a closed state
afterwards. This prevents event/stack recursions.
We also flush QSslSocket/QTcpSocket receive buffers when receiving a disconnect
so that the developer always gets the full decrypted data from the buffers.

[ChangeLog][QtNetwork] Fix HTTP issues with "Unknown Error" and "Connection Closed"
[ChangeLog][QtNetwork][Sockets] Read OS/encrypted read buffers when connection
closed by server.

Change-Id: Ib4d6a2d0d988317e3a5356f36e8dbcee4590beed
Task-number: QTBUG-47048
Reviewed-by: Kai Koehne <kai.koehne@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-07-08 10:02:27 +00:00
Liang Qi 0aa2d318b1 Merge remote-tracking branch 'origin/5.5' into dev
Conflicts:
	src/corelib/global/qglobal.cpp
	src/corelib/global/qglobal.h
	src/corelib/global/qsysinfo.h
	src/corelib/global/qsystemdetection.h
	src/corelib/kernel/qobjectdefs.h
	src/plugins/plugins.pro
	tests/auto/widgets/itemviews/qlistview/qlistview.pro

Change-Id: Ib55aa79d707c4c1453fb9d697f6cf92211ed665c
2015-07-01 11:05:26 +02:00
Sérgio Martins 20147fae60 Use QVector::reserve() all over the place.
Reduces internal memory fragmentation.

The search criteria was:
QVector::append(), QVector::push_back(), QVector::operator<<()
and QVector::operator+=() calls inside for, do and while loops.
Statements inside ifs and out of loops weren't considered.

Change-Id: Ie5aaf3cdfac938994e6e5dfa5f51de501ed79a0c
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
2015-06-29 19:31:59 +00:00
Sérgio Martins b3fc0443a0 network: Use QList::reserve(), reduces reallocations.
Change-Id: Ie0e8cbd28802826206d7e92584b5d56bb844fb09
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
2015-06-27 11:48:40 +00:00
Giuseppe D'Angelo 92cda94742 QSslSocket: move default cipher, EC and default CA APIs to QSslConfiguration
QSslConfiguration is better suited for these APIs. The ones
in QSslSocket that already have a counterpart have been deprecated.

[ChangeLog][QtNetwork][SSL/TLS Support] Most of the QSslSocket
functions to deal with ciphersuites, certification authorities
as well as elliptic curves have been deprecated in favor of the
corresponding counterparts in QSslConfiguration.

Task-number: QTBUG-46558
Change-Id: I1de03379efcbcab931c20e876e252769fe4279e0
Reviewed-by: Liang Qi <liang.qi@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Jani Heikkinen <jani.heikkinen@theqtcompany.com>
2015-06-11 04:18:37 +00:00
Simon Hausmann e2f66f9215 Merge remote-tracking branch 'origin/5.5' into dev
Conflicts:
	src/corelib/global/qnamespace.qdoc
	src/corelib/io/qwindowspipereader.cpp
	src/corelib/io/qwindowspipereader_p.h
	src/corelib/statemachine/qstatemachine.cpp
	src/corelib/statemachine/qstatemachine_p.h
	src/plugins/platforms/xcb/qxcbconnection.h
	tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
	tests/auto/tools/qmake/tst_qmake.cpp
	tests/manual/touch/main.cpp

Change-Id: I917d694890e79ee3da7d65134b5b085e23e0dd62
2015-06-03 10:23:56 +02:00
Liang Qi fcfd31c9fd Merge remote-tracking branch 'origin/5.4' into 5.5
Conflicts:
	qmake/generators/mac/pbuilder_pbx.cpp
	src/corelib/global/qglobal.h

Change-Id: I2c0f7544bf194f2d0f59218fd583c822901487b0
2015-06-01 17:46:58 +02:00
Richard J. Moore 21ec751cdc Remove unsafe random seeding fallback path.
OpenSSL should automatically seed the random number generator, and the
current fallback code does not offer strong guarantees. It should
never actually be used, so let's remove it entirely.

Change-Id: I9a0a70345fe8df5913871bcac644623b687aea01
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
2015-05-29 21:34:29 +00:00
Richard J. Moore 7a4f3645f4 Avoid false positives from google by storing OpenSSL version as Unicode.
Google scan play store apps for the openssl version string which leads
to false positives since we record the version we were compiled against
even though we don't link it directly.

Task-number: QTBUG-46265
Change-Id: Iefd0e0954149c17350d49f57f9f374938124d7b8
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
2015-05-25 11:25:07 +00:00
Richard J. Moore 479e84dcbd Fix exclusion of anonymous ciphers.
Qt attempted to exclude anonymous ciphers since they offer no MITM
protection, but missed export ADH ciphers and AECDH from the exclude
list.

Change-Id: Icdfa9b31643a0e9927010885c7c1d02c42460d79
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
2015-04-25 12:11:05 +00:00
Richard J. Moore 00f0a4119c Add the ability to prefer the cipher preferences specified by the server.
Currently the cipher preferred by the client will always be used for SSL
connections. This change makes it so that by default the ciphers
specified by the server will be used (like the Apache SSLHonorCipherOrder
option). This behavior can be disabled using a new SslOption.

[ChangeLog][QtNetwork][QSslSocket] QSslSocket will now default to using
the cipher preferences of the server socket when used as an SSL server.
This can be disabled using the QSslConfiguration.

Change-Id: I2d16d10145cf88a7412f30ef960d87024777de1c
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
2015-04-25 12:10:50 +00:00
Liang Qi 605617b5dc Merge remote-tracking branch 'origin/5.4' into 5.5
Change-Id: I004854a25ebbf12b1fda88900162fe7878716c58
2015-04-15 09:09:24 +02:00
Daniel Molkentin c1a67e7dc3 Windows: Do not crash if SSL context is gone after root cert lookup
On Windows, we perform an extra certificate lookup for root CAs that
are not in Windows' (minimal) root store. This check can take up to
15 seconds. The SSL context can already be gone once we return. Hence
we now check for a non-null SSL context on Windows before proceeding.

Change-Id: I1951569d9b17da33fa604f7c9d8b33255acf200d
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-04-01 07:33:20 +00:00
Thiago Macieira e5e1e056e8 Silence MSVC warning about 64-bit conversion (loss of data)
One of the reasons why we use "int" everywhere: to avoid this annoyance
about different types and having to explicitly cast to silence the
compiler.

qsslsocket_openssl.cpp(690) : warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data

Change-Id: Ia0aac2f09e9245339951ffff13c8bdad334ce108
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-03-12 02:47:47 +00:00
Mikkel Krautz bf3246fdff QSsl: add TlsV1_0OrLater, TlsV1_1OrLater, TlsV1_2OrLater
Change-Id: I90b99fb515dcf559824f673d2304081238541c4c
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-02-13 16:48:43 +00:00
Jani Heikkinen 83a5694dc2 Update copyright headers
Qt copyrights are now in The Qt Company, so we could update the source
code headers accordingly. In the same go we should also fix the links to
point to qt.io.

Outdated header.LGPL removed (use header.LGPL21 instead)

Old header.LGPL3 renamed to header.LGPL3-COMM to match actual licensing
combination. New header.LGPL-COMM taken in the use file which were
using old header.LGPL3 (src/plugins/platforms/android/extract.cpp)

Added new header.LGPL3 containing Commercial + LGPLv3 + GPLv2 license
combination

Change-Id: I6f49b819a8a20cc4f88b794a8f6726d975e8ffbe
Reviewed-by: Matti Paaso <matti.paaso@theqtcompany.com>
2015-02-11 06:49:51 +00:00
Frederik Gladhorn fc35f71434 Merge remote-tracking branch 'origin/5.4' into dev
Conflicts:
	src/3rdparty/harfbuzz-ng/harfbuzz-ng.pro
	src/gui/image/qimage_conversions.cpp
	src/gui/opengl/qopenglextensions_p.h
	src/gui/text/qtextengine.cpp
	src/network/ssl/qsslsocket_openssl.cpp
	src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
	src/plugins/platforms/eglfs/qeglfsscreen.cpp
	src/plugins/platforms/eglfs/qeglfswindow.cpp
	src/plugins/platforms/windows/qwindowsfontdatabase.cpp
	src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
	src/plugins/platforms/windows/qwindowsnativeinterface.cpp
	src/plugins/platforms/windows/qwindowsscreen.cpp
	src/plugins/platforms/windows/qwindowswindow.cpp
	src/plugins/platforms/windows/qwindowswindow.h
	src/plugins/platforms/xcb/qxcbdrag.h
	src/widgets/itemviews/qabstractitemview.cpp
	src/widgets/kernel/qwidget.cpp
	src/widgets/util/qsystemtrayicon_p.h
	tests/auto/corelib/itemmodels/qsortfilterproxymodel/tst_qsortfilterproxymodel.cpp

Thanks to Friedemann Kleint for resolving the qwindowsfontdatabase.cpp
conflicts.

Change-Id: I937232c30523d5121c195d947d92aec6f129b03e
2015-02-10 09:42:25 +01:00
Richard J. Moore 31e85dc2a1 Remove unnecessary direct access to SSL_CIPHER struct.
The cipher is always valid here, so this check was never needed anyway.

Change-Id: I22be273d166702926b98f0c9443657a1dde65f6e
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2015-02-08 20:47:52 +00:00
Richard J. Moore 9f59341d07 Remove legacy ifdefs for ancient openssl.
There were still ifdefs for openssl 0.9.7 and openssl 0.9.8f.

[ChangeLog][QtNetwork] Some legacy ifdefs for openssl 0.9.7 and openssl 0.9.8f
were removed, Qt will no longer build with these versions. In addition there
is no support for openssl built with NO_TLSEXT.

Change-Id: I9268515c0a125a2f6d79add8ee1cb40768e7e898
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2015-02-08 20:47:39 +00:00
Jeremy Lainé cbec1ed1a1 ssl: fix QSslSocket::peerCertificateChain in server mode
The OpenSSL backend for QSslSocket return an incomplete peer certificate
chain when in server mode: it does not include the peer's certificate as
the first element of the chain.

This change fixes this issue.

Change-Id: I2f0815bca2f314a075b48a2d0b5a6d5b7af50722
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2015-02-07 06:50:51 +00:00
Peter Hartmann 3c24dddaf9 SSL NPN negotiation: Do not abort on unmatched protocols
... but choose HTTP/1.1 and continue connecting anyhow. According to
the NPN spec, actually we should choose SPDY:

"In the event that the client doesn't support any of server's protocols,
or the server doesn't advertise any, it SHOULD select the first protocol
that it supports."

However, some tested servers did not advertise anything and did not
support SPDY, so blindly trying the newest protocol would fail. We are
conservative in that case and choose HTTP.

Task-number: QTBUG-40714
Change-Id: Ia8aaf01fea74e13d9e4416306f85f1890b25559e
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-02-05 14:07:19 +00:00
Konstantin Ritt 131b3cffc8 [QSSL] Pass params of shareable type by const-ref rather than by value
Change-Id: I9c09a3e2dfb90eb22d4509ac6c450a0bb5da48f6
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-01-28 17:05:44 +00:00
Giuseppe D'Angelo bd26defd9b QSslSocket: introduce support for TLS PSK (client side)
[ChangeLog][QtNetwork][QSslSocket] It is now possible to use TLS PSK
ciphersuites in client sockets.

Task-number: QTBUG-39077
Change-Id: I5523a2be33d46230c6f4106c322fab8a5afa37b4
Reviewed-by: Richard J. Moore <rich@kde.org>
2015-01-23 00:35:21 +01:00
Simon Hausmann e281537f20 Merge remote-tracking branch 'origin/5.4' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/platformsupport/platformcompositor/qopenglcompositor.cpp
	src/platformsupport/platformcompositor/qopenglcompositorbackingstore.cpp
	tests/auto/gui/kernel/qwindow/tst_qwindow.cpp

Change-Id: I5422868500be695584a496dbbbc719d146bc572d
2014-12-18 12:12:58 +01:00
Kai Koehne f17d7a124f Use categorized logging for ssl code
Place all debug output into the 'qt.network.ssl' category.
This allows people to disable certain warnings at runtime.

Task-number: QTBUG-43173
Change-Id: Ide731fae3109f9cd7730cc096ee069a5b99d35f1
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-12-10 11:07:46 +01:00
Simon Hausmann 015002fec9 Merge remote-tracking branch 'origin/5.4' into dev
Conflicts:
	doc/global/template/style/online.css
	mkspecs/android-g++/qmake.conf

Change-Id: Ib39ea7bd42f5ae12e82a3bc59a66787a16bdfc61
2014-12-10 07:58:06 +01:00
Giuseppe D'Angelo ffbfd8eda6 SSL: Add support for selecting which curves should be used by an elliptic cipher
[ChangeLog][QtNetwork][QtSSL] It is now possible to choose which elliptic
curves should be used by an elliptic curve cipher.

Change-Id: If5d0d58922768b6f1375836489180e576f5a015a
Done-with: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-11-26 22:07:56 +01:00
Alejandro Exojo f88ab80c8a Use camel case in PKCS#12 function
This makes it follow the coding style, which says to camel case acronyms too,
and makes it consistent with the rest of the class.

Change-Id: I4a1b21de1815530e476fc5aa8a0d41c724fc8021
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: hjk <hjk121@nokiamail.com>
2014-11-24 08:50:05 +01:00
Allan Sandfeld Jensen 3fd2d9eff8 Update QSsl::SecureProtocols to not include Sslv3
After the poodle vulnerability SSLv3 should like SSLv2 no longer be
considered safe, so when a user request a safe protocol we should
only allow TLS versions.

[ChangeLog][QtNetwork][QSsl] QSsl::SecureProtocols now also excludes SSLv3

Change-Id: If825f6beb599294b028d706903b39db6b20be519
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-10-24 12:46:26 +02:00
Matti Paaso 974c210835 Update license headers and add new license files
- Renamed LICENSE.LGPL to LICENSE.LGPLv21
- Added LICENSE.LGPLv3
- Removed LICENSE.GPL

Change-Id: Iec3406e3eb3f133be549092015cefe33d259a3f2
Reviewed-by: Iikka Eklund <iikka.eklund@digia.com>
2014-09-24 12:26:19 +02:00
Andrew Knight ecbf6dfbf5 ssl: Share the host name matching utilities
This moves the socket backend's host name matching functions up to
QSslSocketPrivate so that they can be shared between backends. This
works, as there is no OpenSSL-specific code here.

Change-Id: I73c2081fdc2e60a44c90e90800d1e1877391a626
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-08-27 15:03:58 +02:00
Simon Hausmann 508b95899d Merge remote-tracking branch 'origin/stable' into dev
Change-Id: Ia36e93771066d8abcf8123dbe2362c5c9d9260fc
2014-05-22 07:46:17 +02:00
Richard J. Moore 802e50c86b Avoid accessing the internals of the SSL_CIPHER struct.
Avoid accessing the internals of the SSL_CIPHER struct since this has
changed size etc. over time leading to binary incompatibilities.

Task-number: QTBUG-32423
Task-number: QTBUG-23363
Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2014-05-19 15:52:58 +02:00
Frederik Gladhorn 3d4aeb7919 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/kernel/qguiapplication.cpp

Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
2014-05-13 22:19:10 +02:00
Frederik Gladhorn 73bc91c9df Merge remote-tracking branch 'origin/release' into stable
Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
2014-05-12 14:01:46 +02:00
Richard J. Moore 50e8e95385 Add support for loading PKCS#12 bundles.
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).

Task-number: QTBUG-1565

[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.

Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2014-05-11 23:50:03 +02:00
Daniel Molkentin 0065b55da4 Ignore expired certificate during certificate validation
OpenSSL has a bug when validating a chain with two certificates.
If a certificate exists twice (which is a valid use case for renewed
CAs), and the first one it hits is expired (which depends on the order
on data structure internal to OpenSSL), it will fail to validate the
chain.

This is only a bandaid fix, which trades improved chain validation
for error reporting accuracy. However given that reissuing of CA certs
is a real problem that is only getting worse, this fix is needed.

See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS

[ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem
that may cause errors when the trust store contains two certificates of the
issuing CA, one of which is expired.

Task-number: QTBUG-38896
Change-Id: I8f17972ac94555648098624e470fff0eff2e7940
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
2014-05-11 11:34:21 +02:00
Frederik Gladhorn 1326cd15f7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	mkspecs/qnx-x86-qcc/qplatformdefs.h
	src/corelib/global/qglobal.h
	src/opengl/gl2paintengineex/qpaintengineex_opengl2.cpp
	src/opengl/qgl.cpp
	src/opengl/qglpixelbuffer.cpp
	src/opengl/qglshaderprogram.cpp
	tests/auto/opengl/qglthreads/tst_qglthreads.cpp

Change-Id: Iaba137884d3526a139000ca26fee02bb27b5cdb5
2014-05-06 16:50:03 +02:00
Sérgio Martins ff9afeed51 Fix build against older OpenSSL.
The declaration of q_SSL_ctrl is ifdefed, so ifdef it's usage too.

Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-14 11:30:57 +02:00