From: Felix Geyer Date: Tue, 27 Sep 2011 13:49:04 +0000 (+0200) Subject: Support intermediate CA certificates. X-Git-Tag: 0.9-beta1~59 X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=commitdiff_plain;h=a5455d1ea8785e864ce4b513e63283ed156d4872;ds=sidebyside Support intermediate CA certificates. The server needs to send the intermediate CA certs if the client only has the root CA in his trusted cert pool. The .pem cert file needs to look like this: [key], [server cert], [intermediate CAs], [root CA] --- diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index aa5be2c2..4080f814 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -60,6 +60,7 @@ void SslServer::incomingConnection(int socketDescriptor) { if(isCertValid()) { serverSocket->setLocalCertificate(_cert); serverSocket->setPrivateKey(_key); + serverSocket->addCaCertificates(_ca); } _pendingConnections << serverSocket; emit newConnection(); @@ -86,7 +87,19 @@ bool SslServer::setCertificate(const QString &path) { << "error:" << certFile.error(); return false; } - _cert = QSslCertificate(&certFile); + + QList certList = QSslCertificate::fromDevice(&certFile); + + if (certList.isEmpty()) { + quWarning() << "SslServer: Certificate file doesn't contain a certificate"; + return false; + } + + _cert = certList[0]; + certList.removeFirst(); // remove server cert + + // store CA and intermediates certs + _ca = certList; if(!certFile.reset()) { quWarning() << "SslServer: IO error reading certificate file"; diff --git a/src/core/sslserver.h b/src/core/sslserver.h index 306bd8ef..d0efde21 100644 --- a/src/core/sslserver.h +++ b/src/core/sslserver.h @@ -49,6 +49,7 @@ private: QLinkedList _pendingConnections; QSslCertificate _cert; QSslKey _key; + QList _ca; bool _isCertValid; };
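Review bot: The added `serverSocket->addCaCertificates(_ca);` in incomingConnection() does more than make the intermediates available for the chain sent to clients. It puts every certificate that followed the server certificate in the file into this socket's CA database, which Qt also consults when validating the peer's certificate. Server sockets do not verify client certificates under Qt's default verify mode, so this is probably harmless today, but it would silently widen trust if client-certificate verification were ever enabled. I would record that next to the call, e.g. `// also adds these certs to the socket's CA database (trust anchors for peer verification); revisit before enabling client-cert checks`. The body of incomingConnection() starts and ends outside the hunk.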
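Review bot: In setCertificate() the server certificate is picked purely by position (`certList[0]`), and everything after it is stored in `_ca` unchecked. A file whose certificates are in a different order from the one in the commit message would therefore present a CA certificate as the server's own, with no warning. The expected layout should be stated where it is relied on, e.g. `// file order: server cert first, then intermediates, then root; every cert after the first is later passed to addCaCertificates()` above the `fromDevice()` call. `_cert` and `_ca` are also assigned before the `certFile.reset()` check that follows, so a failure there returns false with both members already replaced. Whether that can leave a new chain paired with an old key depends on how `_isCertValid` is set, which is outside the hunk.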