Qt on OSX 10.5.8: “The root CA certificate is not trusted for this purpose”
Question
I have a Qt application which succeeds in making an HTTPS request to our website on OSX 10.7, but fails on 10.5.8 with the QSslError::errorString "The root CA certificate is not trusted for this purpose".
I am setting the root certificate with:
QFile certFile1(":/Equifax_Secure_Certificate_Authority.pem.txt");
QSslCertificate cert1(&certFile1, QSsl::Pem);
certList.append(cert1);
QSslConfiguration sslConfig(request.sslConfiguration());
sslConfig.setCaCertificates(certList);
request.setSslConfiguration(sslConfig);
If I set some other certificate, I get two error strings "The issuer certificate of a locally looked up certificate could not be found" AND "The root CA certificate is not trusted for this purpose", on both OSX 10.5.8 and 10.7. This is what I'd expect.
What makes Qt not trust the Equifax certificate only on 10.5.8?
EDIT: Possible clue (or red herring): looking at the respective WireShark traces, the 10.5.8 client doesn't include Server Name Indication or Session Ticket TLS extensions in its client hello handshake.
EDIT 2: Building as 32-bit on 10.5.8 works. Also, building as universal (32 and 64-bit Intel) on 10.7 and running on 10.5.8, linking against 32-bit Qt libraries built on 10.5.8 works.
EDIT 3: I have placed an example at https://github.com/cdemel/SO_examples/tree/master/soqtssl , using a different website (Twitter) and root cert, with the same behavior.
1 answers
solution1
0 ACCPTED 2013-05-02 22:17:04
Well, this has been unanswered for too long, so I'm going to give my uninformed solution as the answer:
Have the app link to Qt libraries built on 10.5.8. This worked for me, but I can't tell you why.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.