Opened 13 years ago
Closed 12 years ago
#267 closed defect (fixed)
SSL verification fails
Reported by: | rudi | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | Qt 4.7.3 GA2 |
Component: | QtNetwork | Version: | 4.7.3 |
Severity: | medium | Keywords: | |
Cc: |
Description
We have a regression in the SSL handling in 4.7.3. When accessing
https://github.com/dmik/qt-creator-os2/
with the ARORA or QUPZILLA browsers, a complaint about not being able to verify the certificates is shown. The reason for that is that, starting with 4.7.3, QtNetwork no longer contains "qt-ca-bundle.crt" as a resource. Instead, it tries to retrieve the certificates from the OS. On Windows, Symbian and MacOS there are specific APIs for this task. On plain Unix certain directories (/etc/ssl/certs/, /usr/lib/ssl/certs/ ...) are searched. OS/2 completely lacks an implementation.
http://svn.netlabs.org/qt4/browser/trunk/src/network/ssl/qsslsocket_openssl.cpp#L746
Do we have a global file system location for storing SSL certificates on OS/2 eCS? Generally the idea of not including these in the QtNetwork DLL is a good one, as it removes the need for updating when certificates get added or revoked (see http://svn.netlabs.org/qt4/ticket/210). Any ideas?
Attachments (2)
Change History (11)
by , 13 years ago
Attachment: | network.diff added |
---|
comment:1 by , 13 years ago
Milestone: | Qt Enhanced → Qt 4.next |
---|
comment:2 by , 13 years ago
Thanks for noticing!
For the RPM version of Qt, it's easy: we will have a separate .rpm with certs which the Qt .rpm will depend on. For the ZIP version, a note in the README with a link to a ZIP will be enough I think. I'll patch the code once I get back to Qt.
comment:4 by , 12 years ago
Yes, after fixing #292 in r1112 and installing the ca-certificates RPM package, your patch nicely fixes the problem.
However there is one more thing. While the directory you refer to as /@unixroot/etc/ssl/certs/ (which itself is perfectly correct) gets properly resolved to C:/etc/ssl/certs/ here, it isn't traversed - in fact, it is a "symlink" and somehow the Qt directory traversal code can't resolve symlinks. QDir::canonicalPath() also doesn't resolve it.
I'm going to check this QDir problem too.
comment:5 by , 12 years ago
The QDir traversal problem is solved in r1114. In r1113, I fixed another symlink-related problem: QDir::canonicalPath() and QFileInfo::canonicalFilePath() now resolve symlinks (as they should according to the docs).
The original problem is solved in r1115, based on Silvan's patch with some corrections - e.g. I added searching in %ETC%/ssl/certs which is necessary for ZIP installations when no ca-certificates RPM package is involved (and therefore no /@unixroot/etc/ssl/certs/ directory is created). Now I need to update README.OS2 with this information.
Please check the code. I will hold the release for a moment, as there are too many changes in the core classes.
I also want to solve one more problem before the release once I am in this code: dealing with symlinked directories in QFileDialog. Currently, it allows entering such a dir but reports it as File in the UI and can't actually show its contents. Should be easy to fix.
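The failure mode discussed in comment:4 and comment:5, as an added example that is not part of the ticket and is not Qt's code: a CA directory search that does not follow a symlinked directory yields an empty trust store, so every certificate check fails. It uses plain POSIX calls instead of QDir; the function names `listCerts` and `findCaCerts` and the `.pem`/`.crt` filter are assumptions made for illustration.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <dirent.h>
#include <set>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

// Certificate files in `dir` (hypothetical helper). With followLinks=false the directory
// is tested with lstat(), so a symlinked directory is skipped, as described in comment:4.
std::vector<std::string> listCerts(const std::string &dir, bool followLinks) {
    std::vector<std::string> found;
    struct stat st;
    int rc = followLinks ? stat(dir.c_str(), &st) : lstat(dir.c_str(), &st);
    if (rc != 0 || !S_ISDIR(st.st_mode)) return found;
    DIR *d = opendir(dir.c_str());
    if (!d) return found;
    while (struct dirent *e = readdir(d)) {
        std::string name = e->d_name, path = dir + "/" + name;
        std::size_t dot = name.rfind('.');
        std::string ext = dot == std::string::npos ? "" : name.substr(dot);
        // stat() follows links: entries are often symlinks to the real PEM files.
        if ((ext == ".pem" || ext == ".crt") && stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode))
            found.push_back(path);
    }
    closedir(d);
    return found;
}

// Search candidates in order; canonicalise each so aliases of one directory are read once.
std::vector<std::string> findCaCerts(const std::vector<std::string> &candidates) {
    std::vector<std::string> all;
    std::set<std::string> seen;
    for (const std::string &c : candidates) {
        char buf[PATH_MAX];
        if (!realpath(c.c_str(), buf) || !seen.insert(std::string(buf)).second) continue;
        for (const std::string &p : listCerts(buf, true)) all.push_back(p);
    }
    return all;
}

int main() {
    // Directory names taken from the ticket; an empty result means no trust anchors.
    std::vector<std::string> certs = findCaCerts({"/etc/ssl/certs", "/usr/lib/ssl/certs"});
    std::printf("%zu CA certificate file(s) found\n", certs.size());
    return certs.empty() ? 1 : 0;
}
```

A non-zero exit status means no candidate directory produced a certificate file, which is the condition that made verification fail in this ticket.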
comment:6 by , 12 years ago
Milestone: | Qt 4.next → Qt 4.7.3 GA2 |
---|
comment:7 by , 12 years ago
My local tests show it all works.
For the ZIP-based Qt distribution, I have created a ZIP file containing the certificates and the installation instruction, attaching it here. I will update the README and the Wiki once we release 4.7.3 GA2. Leave it open until then.
comment:8 by , 12 years ago
The certificate zip is here: ftp://ftp.netlabs.org/pub/qt4/tools/ca-certificates-2011.80-1.zip
Re-add internal certificates, requires network.qrc and qt-ca-bundle.cer from 4.6.3