Optimise windows cert fetching and fix test case.

If we're not going to verify the peer, or we know in advance that windows won't have a CA root then don't ask it to verify the certificate chain. The test case started failing in CI when the windows cert fetcher was integrated due to timing change. I've relaxed the timing requirement of the test to avoid it being unstable. Task-number: QTBUG-24827 Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054 Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2012-04-18 15:33:24 +01:00 · 2012-04-18 15:33:24 +01:00 · ee0514d63c
commit ee0514d63c
parent d1e8d9a347
2 changed files with 23 additions and 6 deletions
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@ -1239,7 +1239,8 @@ bool QSslSocketBackendPrivate::startHandshake()

 #ifdef Q_OS_WIN
        //Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable
-        if (s_loadRootCertsOnDemand
+        if (doVerifyPeer
+            && s_loadRootCertsOnDemand
            && allowRootCertOnDemandLoading
            && !verifyErrorsHaveBeenIgnored()) {
            //Windows desktop versions starting from vista ship with minimal set of roots
@ -1247,12 +1248,29 @@ bool QSslSocketBackendPrivate::startHandshake()
            //trusted by MS.
            //However, this is only transparent if using WinINET - we have to trigger it
            //ourselves.
+            QSslCertificate certToFetch;
+            bool fetchCertificate = true;
            for (int i=0; i< sslErrors.count(); i++) {
-                if (sslErrors.at(i).error() == QSslError::UnableToGetLocalIssuerCertificate) {
-                    fetchCaRootForCert(sslErrors.at(i).certificate());
-                    return false;
+                switch (sslErrors.at(i).error()) {
+                case QSslError::UnableToGetLocalIssuerCertificate:
+                    certToFetch = sslErrors.at(i).certificate();
+                    break;
+                case QSslError::SelfSignedCertificate:
+                case QSslError::CertificateBlacklisted:
+                    //With these errors, we know it will be untrusted so save time by not asking windows
+                    fetchCertificate = false;
+                    break;
+                default:
+#ifdef QSSLSOCKET_DEBUG
+                    qDebug() << sslErrors.at(i).errorString();
+#endif
+                    break;
                }
            }
+            if (fetchCertificate && !certToFetch.isNull()) {
+                fetchCaRootForCert(certToFetch);
+                return false;
+            }
        }
 #endif

--- a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
+++ b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
@ -4410,9 +4410,8 @@ void tst_QNetworkReply::ioPostToHttpsUploadProgress()


    incomingSocket->setReadBufferSize(1*1024);
-    QTestEventLoop::instance().enterLoop(2);
    // some progress should have been made
-    QVERIFY(!spy.isEmpty());
+    QTRY_VERIFY(!spy.isEmpty());
    QList<QVariant> args = spy.last();
    QVERIFY(args.at(0).toLongLong() > 0);
    // but not everything!