authorArttu Tarkiainen <arttu.tarkiainen@qt.io>2024-03-18 11:59:00 +0200
committerArttu Tarkiainen <arttu.tarkiainen@qt.io>2024-04-10 18:28:38 +0300
commita2a319ee4243d3fbbc4e0c4c2d1ac1fcbae2812c (patch)
tree4ac953d40c1987da83cdee558bdf365f160b2538
parent369b7ae255effc779c8843b1934280e2fe875aa4 (diff)
curl: allow forcing HTTPS with a build-time option
Add CURL_FORCE_HTTPS CMake option (defaults to ON), which can be used to set HTTPS as the only allowed protocol for all requests. Task-number: QLS-675 Change-Id: I7a5d802d6f3487aad75405efd0bfec5939ecff79 Reviewed-by: Iikka Eklund <iikka.eklund@qt.io>
-rw-r--r--CHANGELOG5
-rw-r--r--CMakeLists.txt5
-rw-r--r--README.md4
-rw-r--r--src/libs/qlicenseservice/httpclient.cpp15
4 files changed, 29 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index c6c5986..fea5a3c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,11 @@ Qt License Service changelog
####################
+Changes in 3.1.0
+- [QLS-675] curl: force HTTPS by default
+
+####################
+
Changes in 3.0.1
- [QLS-883] Linux: fix wrong CA bundle path in prebuilt binaries
- [QLS-860] Build License Service against static openssl and curl
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3a8c573..5ec484d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -32,6 +32,11 @@ if (BUILD_SERVICE_LIB AND NOT DEFINED ENV{OPENSSL_ROOT_DIR})
message(FATAL_ERROR "OPENSSL_ROOT_DIR environment variable is not set. Please set it before configuring.")
endif()
+option(CURL_FORCE_HTTPS "Force HTTPS as the only allowed protocol for network requests" ON)
+if (CURL_FORCE_HTTPS)
+ add_definitions(-DCURL_FORCE_HTTPS)
+endif ()
+
if (BUILD_BINARIES)
if (NOT BUILD_SERVICE_LIB OR NOT BUILD_CLIENT_LIB)
message(FATAL_ERROR "BUILD_BINARIES is enabled, which requires both service and client library to be built")
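Review bot: `add_definitions(-DCURL_FORCE_HTTPS)` puts the define on every target configured from this directory, although the only consumer visible in this commit is httpclient.cpp in the qlicenseservice library. Scoping it where that library target is defined, with `target_compile_definitions(<service-lib-target> PRIVATE CURL_FORCE_HTTPS)` (the target name is not visible on this page), keeps the macro from leaking into unrelated targets. Because switching the option off yields a daemon that may send requests over plain HTTP, an else branch such as `message(WARNING "CURL_FORCE_HTTPS is OFF: plain HTTP requests are permitted")` would make a downgraded build visible in configure logs.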
diff --git a/README.md b/README.md
index 23dc67f..37bfb41 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,10 @@ Windows:
set QTLICD_CLIENT_USERNAME=john
```
+By default, the Qt License Service enforces TLS (v1.3 or later) for network requests, so
+the on-premises server must support HTTPS.
+
+This behavior can be changed at build time by setting the CMake option "CURL_FORCE_HTTPS" to "off".
# Configuration file summary
diff --git a/src/libs/qlicenseservice/httpclient.cpp b/src/libs/qlicenseservice/httpclient.cpp
index a0546f5..5e1c685 100644
--- a/src/libs/qlicenseservice/httpclient.cpp
+++ b/src/libs/qlicenseservice/httpclient.cpp
@@ -69,7 +69,11 @@ void HttpResult::setDeleteRequest(bool which)
HttpRequest::HttpRequest(const std::string &url, const std::string &authKey)
: m_url(url)
, m_delay(0)
+#ifdef CURL_FORCE_HTTPS
+ , m_forceHttps(true)
+#else
, m_forceHttps(false)
+#endif
, m_headers(nullptr)
{
if (!authKey.empty()) {
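Review bot: The `#ifdef CURL_FORCE_HTTPS` inside the member-initializer list is repeated in `setForceHttps` in the next hunk, so the build-time policy is encoded in two places that can drift apart. Folding the macro into one file-scope constant lets the constructor use `m_forceHttps(kBuildForcesHttps)` and the setter become `m_forceHttps = kBuildForcesHttps || https;`, which also keeps the `https` parameter used in forced builds. The constructor body continues outside the hunk.

```cpp
// file scope, before the HttpRequest definitions
#ifdef CURL_FORCE_HTTPS
static constexpr bool kBuildForcesHttps = true;
#else
static constexpr bool kBuildForcesHttps = false;
#endif

HttpRequest::HttpRequest(const std::string &url, const std::string &authKey)
    // … unchanged: m_url and m_delay initializers …
    , m_forceHttps(kBuildForcesHttps)
    // … unchanged: m_headers initializer and constructor body …
```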
@@ -174,9 +178,20 @@ void HttpRequest::setDelay(uint32_t msecs)
m_delay = msecs;
}
+/*
+ If \a https it set to \c true, sets the curl option to allow only
+ HTTPS protocol for this request.
+
+ \note If the daemon is built with \c CURL_FORCE_HTTPS \c on, all requests are
+ forced to use HTTPS and setting \a https to \c false has no effect.
+*/
void HttpRequest::setForceHttps(bool https)
{
+#ifdef CURL_FORCE_HTTPS
+ m_forceHttps = true;
+#else
m_forceHttps = https;
+#endif
}
void HttpRequest::setCaBundlePath(const std::string &path)
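Review bot: The new comment above `setForceHttps` has a typo, "If \a https it set"; it should read `If \a https is set to \c true, sets the curl option to allow only HTTPS for this request.` The block uses qdoc markup but opens with `/*`, so if the other API comments in this file are `/*!` blocks (not visible here) this one would be skipped by the doc tool. In a forced build a call with `false` is dropped without any trace; a single log line in the `#ifdef` branch saying that the request to allow non-HTTPS was ignored would make a misconfigured on-premises setup easier to diagnose.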