Opened 8 years ago

Closed 7 years ago

#267 closed defect (fixed)

SSL verification fails

Reported by: rudi
Owned by:
Priority: major
Milestone: Qt 4.7.3 GA2
Component: QtNetwork
Version: 4.7.3
Severity: medium
Keywords:
Cc:

Description

We have a regression in the SSL handling in 4.7.3. When accessing

https://github.com/dmik/qt-creator-os2/

with the ARORA or QUPZILLA browsers, a complaint about not being able to verify the certificates is shown. The reason is that, starting with 4.7.3, QtNetwork no longer contains "qt-ca-bundle.crt" as a resource. Instead, it tries to retrieve the certificates from the OS. On Windows, Symbian and MacOS there are specific APIs for this task. On plain Unix, certain directories (/etc/ssl/certs/, /usr/lib/ssl/certs/ ...) are searched. OS/2 completely lacks an implementation.

http://svn.netlabs.org/qt4/browser/trunk/src/network/ssl/qsslsocket_openssl.cpp#L746

Do we have a global file system location for storing SSL certificates on OS/2 eCS? Generally the idea of not including these in the QtNetwork DLL is a good one, as it removes the need for updating when certificates get added or revoked (see http://svn.netlabs.org/qt4/ticket/210). Any ideas?

Attachments (2)

network.diff (1.2 KB) - added by rudi 8 years ago.
Re-add internal certificates, requires network.qrc and qt-ca-bundle.cer from 4.6.3
267.diff (1.6 KB) - added by diver 7 years ago.
for a rpm version the attached diff should do it.


Change History (11)

Changed 8 years ago by rudi

Re-add internal certificates, requires network.qrc and qt-ca-bundle.cer from 4.6.3

comment:1 Changed 8 years ago by diver

  • Milestone changed from Qt Enhanced to Qt 4.next

comment:2 Changed 8 years ago by dmik

Thanks for noticing!

For the RPM version of Qt, it's easy: we will have a separate .rpm with certs which the Qt .rpm will depend on. For the ZIP version, a note in the README with a link to a ZIP will be enough I think. I'll patch the code once I get back to Qt.

comment:3 Changed 7 years ago by diver

the openssl rpm now includes a cert part.

Changed 7 years ago by diver

for a rpm version the attached diff should do it.

comment:4 Changed 7 years ago by dmik

Yes, after fixing #292 in r1112 and installing the ca-certificates RPM package, your patch nicely fixes the problem.

However there is one more thing. While the directory you refer to as /@unixroot/etc/ssl/certs/ (which itself is perfectly correct) gets properly resolved to C:/etc/ssl/certs/ here, it isn't traversed - in fact, it is a "symlink" and somehow the Qt directory traversal code can't resolve symlinks. QDir::canonicalPath() also doesn't resolve it.

I'm going to check this QDir problem too.

comment:5 Changed 7 years ago by dmik

The QDir traversal problem is solved in r1114. In r1113, I fixed another symlink-related problem: QDir::canonicalPath() and QFileInfo::canonicalFilePath() now resolve symlinks (as they should according to the docs).

The original problem is solved in r1115, based on Silvan's patch with some corrections - e.g. I added searching in %ETC%/ssl/certs which is necessary for ZIP installations when no ca-certificates RPM package is involved (and therefore no /@unixroot/etc/ssl/certs/ directory is created). Now I need to update README.OS2 with this information.

Please check the code. I will hold the release for a moment, as there are too many changes in the core classes.

I also want to solve one more problem before the release once I am in this code: dealing with symlinked directories in QFileDialog. Currently, it allows entering such a dir, but it reports it as File in the UI and can't actually show its contents. Should be easy to fix.
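A read-only check for the failure mode discussed in comments 4 and 5, added here as an example that is not part of the ticket or of Qt's code: it resolves a candidate CA directory through symlinks and counts the PEM certificates a directory-based loader would find there. The function names, report fields and the placeholder PEM block are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)
# Constructed placeholder, not a real certificate: only the PEM framing matters here.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

def scan_ca_dir(path):
    """Report what a directory-based CA loader would find at `path`."""
    p = Path(path)
    report = {"path": str(p), "is_symlink": p.is_symlink(), "resolved": None,
              "cert_files": 0, "certs": 0, "status": "missing"}
    if not p.exists():                      # exists() follows symlinks
        if report["is_symlink"]:
            report["status"] = "dangling-symlink"
        return report
    real = p.resolve()                      # canonical path, symlinks resolved
    report["resolved"] = str(real)
    if not real.is_dir():
        report["status"] = "not-a-directory"
        return report
    for entry in sorted(real.iterdir()):
        try:
            if not entry.is_file():         # follows symlinked cert files too
                continue
            found = len(PEM_BLOCK.findall(entry.read_bytes()))
        except OSError:                     # unreadable entry: skip, keep scanning
            continue
        if found:
            report["cert_files"] += 1
            report["certs"] += found
    report["status"] = "ok" if report["certs"] else "empty"
    return report

def demo():
    """Constructed tree: a real store, a symlink to it, and a dangling symlink."""
    root = Path(tempfile.mkdtemp())
    store = root / "store"
    store.mkdir()
    (store / "bundle.pem").write_bytes(FAKE_PEM * 2)
    (store / "README").write_text("no certificate in this file")
    (root / "certs").symlink_to(store, target_is_directory=True)
    (root / "gone").symlink_to(root / "nowhere")
    return {n: scan_ca_dir(root / n) for n in ("store", "certs", "gone", "absent")}

if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep["status"], rep["is_symlink"], rep["certs"])
```

A status of "empty", "missing" or "dangling-symlink" for every candidate directory means the TLS stack has no trust anchors to verify against, which is the symptom reported in this ticket.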

comment:6 Changed 7 years ago by dmik

  • Milestone changed from Qt 4.next to Qt 4.7.3 GA2

comment:7 Changed 7 years ago by dmik

My local tests show it all works.

For the ZIP-based Qt distribution, I have created a ZIP file containing the certificates and the installation instruction, attaching it here. I will update the README and the Wiki once we release 4.7.3 GA2. Leave it open until then.

comment:9 Changed 7 years ago by dmik

  • Resolution set to fixed
  • Status changed from new to closed

No complaints, closing.
