Bug#530532: libqt4-network: Locally installed root CAs not read
Package: libqt4-network
Version: 4.4.3-1
Severity: grave
Justification: user security hole
Tags: patch security
Applications using the Qt SSL layer fail to verify SSL-encrypted connections
because system-wide installed certificate authorities are not read (this can
be verified with strace).
For example, mumble cannot verify that a server it connects to has a
good certificate even if the root CA is locally installed (mumble also
won't work if there is an intermediate certificate, but that is a
mumble-server bug that will be fixed in 1.2).
Here is my patch to fix the problem:
diff -Naur qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp
qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp
--- qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp
2008-09-27 10:58:47.000000000 +0200
+++ qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp
2009-05-25 15:16:39.000000000 +0200
@@ -466,7 +466,7 @@
QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
{
-#ifdef QQ_OS_UNIX
+#ifdef Q_OS_UNIX
// Check known locations for the system's default bundle. ### On
Windows,
// we should use CAPI to find the bundle, and not rely on default unix
// locations.
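Review bot: the `#ifdef QQ_OS_UNIX` typo at the top of this hunk is the root cause of the report: `QQ_OS_UNIX` is never defined, so the whole search of standardLocations was compiled out on every Unix build and the function always fell through to the bundled default below. The one-character fix makes the block live again, so the `#endif` that closes it and the comment about using CAPI on Windows now guard real code and should be re-read as such; this hunk on its own is enough to restore reading the system store, and any further behaviour change belongs in a separate, explained change.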
@@ -479,13 +479,16 @@
#endif
0};
const char **it = standardLocations;
+ QList<QSslCertificate> certs;
QStringList nameFilter;
nameFilter << QLatin1String("*.pem") << QLatin1String("*.crt");
while (*it) {
- if (QDirIterator(QLatin1String(*it), nameFilter).hasNext())
- return certificatesFromPath(QLatin1String(*it));
+ QDirIterator certfilesIt(QLatin1String(*it), nameFilter);
+ while (certfilesIt.hasNext())
+ certs += QSslCertificate::fromPath(certfilesIt.next());
++it;
}
+ return certs;
#endif
// Qt provides a default bundle when we cannot detect the system's
default
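Review bot: the unconditional `return certs;` added just before the `#endif` drops the fallback the old code kept. Previously, when no standard location held a *.pem or *.crt file, the loop ended and execution fell through to the "Qt provides a default bundle" path below; with this hunk a Unix build whose directories are all empty returns an empty list, i.e. no trusted CAs at all. Guard it, e.g. `if (!certs.isEmpty()) return certs;`, so the bundled default stays reachable. Two smaller points: replacing the early return (first directory with any matching file) by a sweep of every directory is a behaviour change the report does not mention, and since distributions keep the same certificate under several of these paths (a bundle file plus per-certificate files or hashed symlinks) `certs` can now hold duplicates, which should be deduplicated or at least documented.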
The problem has been reported to Qt but I don't know if it has been
fixed and how... I consider it a grave problem because a user can't
verify the identity of a server he connects to.
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libqt4-network depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libgcc1 1:4.3.2-1.1 GCC support library
ii libqtcore4 4.4.3-1 Qt 4 core module
ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libqt4-network recommends no packages.
libqt4-network suggests no packages.
-- no debconf information
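The CA search logic under discussion, modelled as an added example in Python (this is neither Qt's code nor the reporter's patch): it contrasts the pre-patch early return, the patch as posted (all directories, no fallback, no dedup), and a version that keeps the bundled fallback and collapses duplicates by fingerprint. The directory names, the PEM placeholders and the demo tree are constructed; the real standardLocations[] list in qsslsocket_openssl.cpp is not reproduced.

```python
"""Model of QSslSocketPrivate::systemCaCertificates() search semantics.

Added example, not code from Qt or from the bug report. The directory list,
the PEM placeholders and the demo tree are all constructed for illustration.
"""
import base64
import glob
import hashlib
import os
import tempfile

# Assumed illustrative subset of the Unix paths Qt 4.4 probes; the real
# standardLocations[] in qsslsocket_openssl.cpp is not reproduced here.
DEFAULT_LOCATIONS = ("/etc/ssl/certs/", "/usr/lib/ssl/certs/", "/usr/share/ssl/")

NAME_FILTER = ("*.pem", "*.crt")          # same name filter as the Qt code


def fake_cert(label):
    """Constructed PEM-shaped placeholder; NOT a real X.509 certificate."""
    body = base64.b64encode(f"constructed certificate {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Stand-in for the bundle Qt falls back to when no system store is found.
BUNDLED_DEFAULT = {"bundled-root": fake_cert("qt-bundled-root")}


def pem_blocks(text):
    """Split a file into its CERTIFICATE blocks (a bundle may hold many)."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "-----BEGIN CERTIFICATE-----":
            current = [stripped]
        elif stripped == "-----END CERTIFICATE-----" and current is not None:
            current.append(stripped)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(stripped)
    return blocks


def fingerprint(block):
    """SHA-256 over the base64 body, so the same cert in two files matches."""
    body = "".join(l for l in block.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(body.encode()).hexdigest()


def cert_files(directory):
    """Non-recursive *.pem/*.crt listing, like QDirIterator(dir, nameFilter)."""
    paths = []
    for pattern in NAME_FILTER:
        paths.extend(glob.glob(os.path.join(directory, pattern)))
    return sorted(paths)


def certs_in_dir(directory):
    out = []
    for path in cert_files(directory):
        with open(path, encoding="ascii", errors="replace") as f:
            out.extend(pem_blocks(f.read()))
    return out


def first_location_certs(locations, fallback=BUNDLED_DEFAULT):
    """Pre-patch logic: use the first directory holding any matching file,
    otherwise fall through to the bundled default."""
    for d in locations:
        if cert_files(d):
            return certs_in_dir(d)
    return list(fallback.values())


def patched_certs(locations):
    """Literal reading of the posted patch: concatenate every location,
    no fallback, no dedup, possibly an empty list."""
    certs = []
    for d in locations:
        certs += certs_in_dir(d)
    return certs


def all_locations_certs(locations, fallback=BUNDLED_DEFAULT):
    """Aggregate all locations, keyed by fingerprint so duplicates collapse,
    and keep the bundled fallback when the system store is empty."""
    found = {}
    for d in locations:
        for block in certs_in_dir(d):
            found.setdefault(fingerprint(block), block)
    return found if found else dict(fallback)


def build_demo_tree():
    """Constructed stand-in for a Debian box: a bundle, a hashed-symlink-style
    duplicate, the locally installed root CA from the report, and an empty dir."""
    root = tempfile.mkdtemp(prefix="qt-ca-demo-")
    names = ("etc_ssl_certs", "usr_lib_ssl_certs", "empty")
    etc_certs, lib_certs, empty = (os.path.join(root, n) for n in names)
    for d in (etc_certs, lib_certs, empty):
        os.makedirs(d)
    with open(os.path.join(etc_certs, "ca-certificates.crt"), "w") as f:
        f.write(fake_cert("root-1") + fake_cert("root-2"))
    with open(os.path.join(lib_certs, "root-2.pem"), "w") as f:
        f.write(fake_cert("root-2"))                  # same CA seen twice
    with open(os.path.join(lib_certs, "local-ca.pem"), "w") as f:
        f.write(fake_cert("local-root-ca"))           # the "locally installed" CA
    return [etc_certs, lib_certs, empty]


if __name__ == "__main__":
    locs = build_demo_tree()
    print("pre-patch, first populated dir only :", len(first_location_certs(locs)))
    print("patch as posted, all dirs, with dup :", len(patched_certs(locs)))
    print("patch as posted, empty store        :", len(patched_certs([locs[2]])))
    print("aggregated + dedup + fallback       :", len(all_locations_certs(locs)))
    print("aggregated, empty store -> bundled  :", list(all_locations_certs([locs[2]])))
```

Running it against the constructed tree shows the three behaviours side by side: the old code sees only the two certificates in the first directory and misses the locally installed CA, the posted patch sees all four entries including the duplicate and returns nothing at all for an empty store, and the aggregated variant returns three unique certificates and still falls back to the bundled root when every directory is empty.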