From kde-core-devel Fri Jan 29 13:04:06 2010
From: Pierre Schmitz
Date: Fri, 29 Jan 2010 13:04:06 +0000
To: kde-core-devel
Subject: Re: Using system SSL certificates...
Message-Id: <201001291404.06656.pierre () archlinux ! de>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=126477029831369

On Friday, 29 January 2010 08:45:04, Thiago Macieira wrote:
> > I was thinking that Firefox uses those system certificates as well, but
> > it doesn't, as SadEagle and bradh told me on IRC. We also located where
> > Firefox stores its certificates, unfortunately it's binary and inside a
> > library. So I change the suggestion to: keep using our own certificate
> > bundle and occasionally just download and sync with whatever Firefox
> > uses from the Mozilla repository. I'll look into making a script for
> > that. The other things that I wrote still stand.
>
> I've already made a script to do that. Actually, a Qt program.
>
> I'll probably update Qt's certificate list with the Firefox ones for the
> next Qt version.
>
> So all KDE has to do is stop overriding Qt's default certificate bundle.

I would appreciate it if KDE and Qt would use the system-wide cert bundle
(optionally configurable at build time). ATM I use this workaround for
kdelibs:

rm -f /usr/share/apps/kssl/ca-bundle.crt
ln -sf /etc/ssl/certs/ca-certificates.crt \
    /usr/share/apps/kssl/ca-bundle.crt

and this patch for Qt (afaik from Fedora, sorry for the additional line
breaks):

--- qt-x11-opensource- src-4.5.3/src/network/ssl/qsslsocket_openssl.cpp.system_ca_certificates 2009-09-29 06:01:38.000000000 -0500
+++ qt-x11-opensource-src-4.5.3/src/network/ssl/qsslsocket_openssl.cpp 2009-10-02 11:20:10.674662746 -0500
@@ -482,8 +482,20 @@ void QSslSocketPrivate::resetDefaultCiph QList QSslSocketPrivate::systemCaCertificates() { + + QFile caBundle; + +#ifdef Q_OS_UNIX + // Check known locations for the system's default bundle. ### On Windows, + // we should use CAPI to find the bundle, and not rely on default unix + // locations. + caBundle.setFileName(QLatin1String("/etc/ssl/certs/ca- certificates.crt")); + if (caBundle.open(QIODevice::ReadOnly | QIODevice::Text)) + return QSslCertificate::fromDevice(&caBundle); +#endif + // Qt provides a default bundle of certificates - QFile caBundle(QLatin1String(":/trolltech/network/ssl/qt-ca- bundle.crt")); + caBundle.setFileName(QLatin1String(":/trolltech/network/ssl/qt-ca- bundle.crt")); if (caBundle.open(QIODevice::ReadOnly | QIODevice::Text)) return QSslCertificate::fromDevice(&caBundle); -- Pierre Schmitz, https://users.archlinux.de/~pierre
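Review bot: the new Q_OS_UNIX branch probes exactly one hard-coded path, `/etc/ssl/certs/ca-certificates.crt`, although its own comment says "Check known locations" (plural); on a system that keeps its bundle somewhere else the branch silently falls through to Qt's bundled list, so either iterate over a list of candidate paths or make the path build-time configurable, as the mail itself asks for. A second point in the same branch: as soon as the system file opens, `QSslCertificate::fromDevice(&caBundle)` is returned even when it parses to an empty list (empty or unparseable bundle), so the Qt fallback is never reached in that case; that is fail-closed, which may well be what you want, but it should be a deliberate choice, for example by checking the returned list for emptiness before returning. Lastly, the path literals as mailed contain wrapping spaces (`ca- certificates.crt`, `qt-ca- bundle.crt`), so the patch has to be taken from the original Fedora source rather than applied from this message.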
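As an added illustration (not code from this thread, from Qt, or from kdelibs), here is a small POSIX shell check for the symlink workaround described above: it confirms that the kssl bundle path resolves to the system bundle and that the bundle actually holds PEM certificates, which is the failure mode worth catching after such a swap. The function names and the two-entry sample bundle are my own constructions, and the demo runs in a temporary directory rather than against the real /etc and /usr paths.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, Qt or kdelibs.
# Verifies the "link kssl's bundle to the system bundle" workaround:
# the link must resolve to the system bundle, and that bundle must
# contain at least one PEM certificate block.

# count_certs FILE: print the number of PEM certificate blocks in FILE
# (prints 0 when FILE is missing or unreadable)
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# bundle_usable FILE: succeed only if FILE is readable and holds >= 1 cert
bundle_usable() {
    [ -r "$1" ] && [ "$(count_certs "$1")" -gt 0 ]
}

# link_resolves_to LINK TARGET: succeed if LINK, after following symlinks,
# is the same file as TARGET
link_resolves_to() {
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# demo: rebuild the layout from the thread under a temp dir (constructed,
# no real certificates) and run the checks against it
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl/certs" "$root/usr/share/apps/kssl"
    sysbundle="$root/etc/ssl/certs/ca-certificates.crt"
    kdebundle="$root/usr/share/apps/kssl/ca-bundle.crt"
    # constructed two-entry bundle; the bodies are placeholders, not DER
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBexample1' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBexample2' '-----END CERTIFICATE-----' \
        > "$sysbundle"
    # the workaround from the thread, applied inside the temp root
    rm -f "$kdebundle"
    ln -sf "$sysbundle" "$kdebundle"
    if link_resolves_to "$kdebundle" "$sysbundle" && bundle_usable "$kdebundle"; then
        echo "ok: kssl bundle -> system bundle ($(count_certs "$kdebundle") certs)"
        rc=0
    else
        echo "FAIL: kssl bundle does not resolve to a usable system bundle"
        rc=1
    fi
    rm -rf "$root"
    return $rc
}

demo
```

Run it against the real paths by calling `link_resolves_to /usr/share/apps/kssl/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt` and `bundle_usable /etc/ssl/certs/ca-certificates.crt` after applying the workaround; an empty or missing system bundle would otherwise leave KDE with no trust anchors at all, so the count check is the part not to skip.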