From ee0514d63c406fd43c6a1d8005c18d602f4b3c35 Mon Sep 17 00:00:00 2001 From: Shane Kearns Date: Wed, 18 Apr 2012 15:33:24 +0100 Subject: [PATCH] Optimise windows cert fetching and fix test case. If we're not going to verify the peer, or we know in advance that windows won't have a CA root then don't ask it to verify the certificate chain. The test case started failing in CI when the windows cert fetcher was integrated due to timing change. I've relaxed the timing requirement of the test to avoid it being unstable. Task-number: QTBUG-24827 Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054 Reviewed-by: Martin Petersson --- src/network/ssl/qsslsocket_openssl.cpp | 26 ++++++++++++++++--- .../qnetworkreply/tst_qnetworkreply.cpp | 3 +-- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index bac837e62f..59f6f53fef 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1239,7 +1239,8 @@ bool QSslSocketBackendPrivate::startHandshake() #ifdef Q_OS_WIN //Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable - if (s_loadRootCertsOnDemand + if (doVerifyPeer + && s_loadRootCertsOnDemand && allowRootCertOnDemandLoading && !verifyErrorsHaveBeenIgnored()) { //Windows desktop versions starting from vista ship with minimal set of roots @@ -1247,12 +1248,29 @@ bool QSslSocketBackendPrivate::startHandshake() //trusted by MS. //However, this is only transparent if using WinINET - we have to trigger it //ourselves. + QSslCertificate certToFetch; + bool fetchCertificate = true; for (int i=0; i< sslErrors.count(); i++) { - if (sslErrors.at(i).error() == QSslError::UnableToGetLocalIssuerCertificate) { - fetchCaRootForCert(sslErrors.at(i).certificate()); - return false; + switch (sslErrors.at(i).error()) { + case QSslError::UnableToGetLocalIssuerCertificate: + certToFetch = sslErrors.at(i).certificate(); + break; + case QSslError::SelfSignedCertificate: + case QSslError::CertificateBlacklisted: + //With these errors, we know it will be untrusted so save time by not asking windows + fetchCertificate = false; + break; + default: +#ifdef QSSLSOCKET_DEBUG + qDebug() << sslErrors.at(i).errorString(); +#endif + break; } } + if (fetchCertificate && !certToFetch.isNull()) { + fetchCaRootForCert(certToFetch); + return false; + } } #endif diff --git a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp index 824f5fc507..90cecba72c 100644 --- a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp +++ b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp @@ -4410,9 +4410,8 @@ void tst_QNetworkReply::ioPostToHttpsUploadProgress() incomingSocket->setReadBufferSize(1*1024); - QTestEventLoop::instance().enterLoop(2); // some progress should have been made - QVERIFY(!spy.isEmpty()); + QTRY_VERIFY(!spy.isEmpty()); QList args = spy.last(); QVERIFY(args.at(0).toLongLong() > 0); // but not everything!