Fix renewed SSL certificates being incorrectly reported as expired

OpenSSL tries certificates in the order they are added to the store.
There was logic to add the expired certificates after the valid ones
to ensure the valid certificate is checked first if the OS cert store
contains both the expired and renewed version of the same cert (e.g.
the VeriSign class 3 cert on Windows).

However, due to a coding error, the ordering was reversed, ensuring the
problem is always encountered instead of always avoided.

Task-number: QTBUG-20012
Change-Id: I7c8dba8a09842540a22b44d33c7dcb22bbbc6a58
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Shane Kearns 2012-01-06 16:29:43 +00:00 committed by Qt by Nokia
parent c87bf2e8e6
commit ca5072fb18

@ -343,7 +343,7 @@ init_context:
foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
// add expired certs later, so that the
// valid ones are used before the expired ones
if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
expiredCerts.append(caCertificate);
} else {
q_X509_STORE_add_cert(ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
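Review bot: In the init_context loop, `QDateTime::currentDateTime()` is evaluated once per CA certificate, so the cutoff that decides between `expiredCerts` and the store moves while the list is being walked. Take the timestamp once into a const local before the `foreach` and compare every `expiryDate()` against that value, so the whole CA list is partitioned against a single instant. The comment above the condition could also state why the order matters (OpenSSL tries certificates in the order they were added to the store), since that is the assumption the inverted comparison violated.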
@ -1354,7 +1354,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi
foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) {
// add expired certs later, so that the
// valid ones are used before the expired ones
if (caCertificate.expiryDate() > QDateTime::currentDateTime()) {
if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
expiredCerts.append(caCertificate);
} else {
q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle()));
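Review bot: The expiry test in verify() is a second copy of the one in init_context, and the same inverted comparison had to be corrected in both places. Consider moving the valid-first, expired-last partitioning into one helper that both code paths call, so the ordering rule lives in a single spot. The visible change also carries no regression test: a case whose CA list holds both an expired and a renewed copy of the same certificate, asserting that verification succeeds, would keep this ordering from being flipped again unnoticed.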