
github.com/mumble-voip/mumble.git
author Eric Prokop <eric.prokop@epnw.eu> 2021-05-03 11:15:32 +0300
committer Eric Prokop <eric.prokop@epnw.eu> 2021-11-10 19:18:24 +0300
commit 7d67da15ee7bd082144b1cf9490d8f81bed9ead9
tree 8dcd1423d8e95c52baf1effef1644ed444f9346e /src/Connection.h
parent 7cf7b180f06b00c0b6fed27948692f96a2874800
FIX(server,client): Validate/use the correct certificate from a peer's chain

Currently, obtaining and validating the peer's certificate chain is a mess. While obtaining the chain (which is ordered, starting with the peer's immediate certificate and ending with the CA's certificate), the peer's immediate certificate is added again, as last certificate. Then, while validating, the last certificate is checked. This approach works (since the validated certificate is the one that is explicitly added), but puts the whole concept of an ordered certificate chain to absurdity.

This commit fixes that. First, the chain is returned unaltered in its original form (ordered and starting with the peer's immediate certificate and ending with the CA's certificate). Then, while validating, the first certificate in this chain is checked.

Fixes #3523 (partially)
Diffstat (limited to 'src/Connection.h')
-rw-r--r-- src/Connection.h 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/Connection.h b/src/Connection.h
index 9bb333719..cfba240b7 100644
--- a/src/Connection.h
+++ b/src/Connection.h
@@ -74,7 +74,8 @@ public:
QMutex qmCrypt;
#endif
std::unique_ptr< CryptState > csCrypt;
-
+ /// Returns the peer's chain of digital certificates, starting with the peer's immediate certificate
+ /// and ending with the CA's certificate.
QList< QSslCertificate > peerCertificateChain() const;
QSslCipher sessionCipher() const;
QSsl::SslProtocol sessionProtocol() const;
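Review bot: The new doc comment on peerCertificateChain() states the ordering but not the empty case. The commit message says validation now checks the first certificate in this list, so the comment should say what is returned when the peer presented no certificate, which tells callers to check for an empty list before taking the first element. It would also help to state whether the CA's certificate is always the last entry or only when the peer includes it in what it sends, since callers may otherwise rely on the last element being a CA. Minor style point: the hunk drops the blank line after csCrypt, so the comment now sits directly against the member declaration; keeping a blank line before the comment would separate the data member from the accessor declarations.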