Fix OCSP-Stapling error if identity cannot be verified

If QSslConfiguration::setCaCertificates is set to an empty list, openssl
cannot verify the OCSP-Response.
Qt will provide it as QSslError::OcspResponseCannotBeTrusted that can be
ignored. But the openssl error is still in the error queue and prevents
a successful reply in QNetworkReply::finished.

So let's clear the queue after OCSP checking to avoid side effects.

Change-Id: I44a7f45a2eebd20ea86a235a0534f80986c40a26
Fixes: QTBUG-85638
Pick-to: 5.15
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
André Klitzing 2020-07-17 15:47:33 +02:00
parent 0e240204b5
commit 4581cd5fb6

@ -84,6 +84,7 @@
#include <QtCore/qurl.h>
#include <QtCore/qvarlengtharray.h>
#include <QtCore/qscopedvaluerollback.h>
#include <QtCore/qscopeguard.h>
#include <QtCore/qlibrary.h>
#include <QtCore/qoperatingsystemversion.h>
@ -1802,6 +1803,10 @@ bool QSslSocketBackendPrivate::checkOcspStatus()
Q_ASSERT(mode == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode
Q_ASSERT(configuration.peerVerifyMode != QSslSocket::VerifyNone);
const auto clearErrorQueue = qScopeGuard([] {
logAndClearErrorQueue();
});
ocspResponses.clear();
ocspErrorDescription.clear();
ocspErrors.clear();
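
Review bot: The qScopeGuard placed right after the two Q_ASSERTs in checkOcspStatus() carries no comment explaining why the error queue is flushed on every return path, so a later reader may take `logAndClearErrorQueue();` for leftover debugging and remove it. Please add a one-line comment above the guard saying that a failed OCSP response verification leaves entries in the OpenSSL error queue and that they would otherwise surface after the function returns (QTBUG-85638). Since the guard fires on successful exits too, it would also help to state that clearing in that case is intended. The visible hunks add no autotest for the empty CA list case; one that sets an empty list via setCaCertificates, ignores QSslError::OcspResponseCannotBeTrusted and checks that the reply finishes without error would guard against a regression.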