QT ssl error on hotmail.com: The issuer certificate of a locally looked up certificat

[sfcheng77]

When I use QtWebkit (which uses QSslSocket internally) to connect to www.hotmail.com, I got the following ssl errors after logging in:

1. The issuer certificate of a locally looked up certificate could not be found
2. The root CA certificate is not trusted for this purpose
3. No certifiates could be verified.

I could get the same errors at mail.yahoo.com before logging in.
I have found that secure connection to these two servers triggers the ssl errors:

1. https://gfx8.hotmail.com
2. https://csc.beap.bc.yahoo.com

There is a small ssl demo program included with QT called securesocketclient. I can produce the same errors if I use this little client to connect to port 443 of the above two servers. I am 99% certain this is a bug with QT since we have produced this issue on many development systems. It affects linux, mac and windows QT. It affects QT 4.7.4 all the way to QT 4.8.4 (didn't try earlier versions). The bug is reproduced with openssl 0.9.8.

Some people might falsely claim that the bug is fixed by using openssl 1.0.0 with precompiled QT binary. That's wrong since the precompiled QT binary is compiled with openssl 0.9.8 header files. Openssl 0.9.8 is not binary compatible with openssl 1.0.0. Some of the structure memebers will be misinterpreted if you compile QT with one version of openssl but use another version of openssl binary. I did a lot of step-and-trace into QT and openssl source code to arrive at this conclusion.

Since hotmail and yahoo email are extremely popular websites, I'd consider this bug is a serious bug in terms of security for QT. I already reported it to QT bug system (https://bugreports.qt-project.org/browse/QTBUG-23625) and I doubt when digia will ever get their hands on it based on my past experience.

Please feel free to share your thoughts on how to fix this bug. I do know how to call ignoreSslErrors and pretend there is no problem. But that's not how openssl is intended to be used.

[anda_skoa]

Maybe you should add those two other sites to the report.

I tried (Qt 4.8.2, Debian) using /usr/lib/qt4/examples/network/http/http and it works on the gmail link provided in the report, but shows an error for the two sites you posted here.

Cheers,
_

P.S. regarding the OpenSSL version thingy: it might be irrelevant which version of OpenSSL the headers were from when building Qt, OpenSSL is usually not linked with traditionally but opened at runtime. This is to avoid the binary compatibility issues it often has. So if this is related to some OpenSSL problem it would matter which version Qt will find during runtime

[sfcheng77]

I already mentioned these two sites at the bottom of the bug report. The gmail was reported by somebody else which I can't produce either.

Maybe you should add those two other sites to the report.

I tried (Qt 4.8.2, Debian) using /usr/lib/qt4/examples/network/http/http and it works on the gmail link provided in the report, but shows an error for the two sites you posted here.

Cheers,
_

P.S. regarding the OpenSSL version thingy: it might be irrelevant which version of OpenSSL the headers were from when building Qt, OpenSSL is usually not linked with traditionally but opened at runtime. This is to avoid the binary compatibility issues it often has. So if this is related to some OpenSSL problem it would matter which version Qt will find during runtime

[Carol_0603]

Hello, did you fix this issues? We are using QT version is 5.3.2, still have the certificate issues.