在Qt中，如何从QNetworkRequest中删除所有证书颁发机构证书？

Question

We are trying to have complete control regarding which CA certificates a QNetworkRequest will be allowed to use. The first 'simple' test we wanted to run was to remove all CA certificates and make sure it triggers and error on any https attempt.

Here is the minimal example showing how we set up the instances:

QNetworkAccessManager manager;
QUrl requestedUrl("https://www.google.com");
QNetworkRequest request(requestedUrl);

QSslConfiguration sslConfig = request.sslConfiguration();
// Set the QList of certificates to an empty list
sslConfig.setCaCertificates({});
request.setSslConfiguration(sslConfig);

QNetworkReply *reply = manager.get(request);
connect(reply, SIGNAL(sslErrors(QList<QSslError>)),
        this, SLOT(slotSslErrors(QList<QSslError>)));

We would expect that to fail at runtime, as the request intentionally does not have any CA certificates to complete the authentication. But the request actually completes successfully, the reply contains the webpage content, and the slotSslErrors slot is not executed.

How would one actually disable all certificates for such a request ?

Answer 1

Whatever CA certificates you are setting, that should be done before SSL handshake.

http://doc.qt.io/qt-5/qsslconfiguration.html#setCaCertificates

So probably you may need to call void QNetworkAccessManager::connectToHostEncrypted and set the QSslConfiguration object, before calling the

QNetworkReply *reply = manager.get(request);

http://doc.qt.io/qt-5/qnetworkaccessmanager.html#connectToHostEncrypted

Try something like below:

QSslConfiguration sslConfig = request.sslConfiguration();
// Set the QList of certificates to an empty list
sslConfig.setCaCertificates({});
request.setSslConfiguration(sslConfig);

//ONCE YOU SET THE CONFIG ESTABLISH HAND SHAKE 
manager.connectToHostEncrypted("....",..,sslConfig);


QNetworkReply *reply = manager.get(request);