author | André Klitzing <aklitzing@gmail.com> | 2023-09-29 08:21:21 +0200 |
---|---|---|
committer | André Klitzing <aklitzing@gmail.com> | 2023-10-25 17:23:13 +0200 |
commit | fd9c567156830a21da3cd9e127a998ae90a8e564 (patch) | |
tree | 7ab3094e0a717fd0cfc254812f24d9325f3281de | |
parent | 5628600a07295db6ed6683e97fafb0c45ddea505 (diff) |
Use SSL_CTX_set_dh_auto if DHparam is empty
[ChangeLog][QtNetwork][QSslDiffieHellmanParameters] An empty
Diffie-Hellman parameter enables auto selection in the OpenSSL
backend.
Fixes: QTBUG-117666
Change-Id: Ic2e0529d48542752ca801bcb4d609988e5ddff25
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp | 4 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h | 1 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 16 |
4 files changed, 17 insertions, 7 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index 5acadebc13..bc7f1fb3f4 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp @@ -939,6 +939,9 @@ QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const If no Diffie-Hellman parameters have been set, the QSslConfiguration object defaults to using the 2048-bit MODP group from RFC 3526. + Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection + (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it. + \note The default parameters may change in future Qt versions. Please check the documentation of the \e{exact Qt version} that you are using in order to know what defaults that version uses. diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index ef0e63911a..75c192bd01 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -697,7 +697,9 @@ QT_WARNING_POP return; } - if (!dhparams.isEmpty()) { + if (dhparams.isEmpty()) { + q_SSL_CTX_set_dh_auto(sslContext->ctx, 1); + } else { #ifndef OPENSSL_NO_DEPRECATED_3_0 const QByteArray ¶ms = dhparams.d->derData; const char *ptr = params.constData(); diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h index c954d17774..a93c110b3f 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h 
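Review bot: The paragraph added to the doc comment after diffieHellmanParameters() does not say that empty parameters used to mean something else. Judging by the old assertion in dhServerCustomParamsNull(), a server with empty parameters and only DHE suites previously failed the handshake, so code that passed an empty object to keep DHE off will now negotiate DHE with parameters chosen by OpenSSL. The text also leaves open what happens when the backend does not support auto selection. I would add a sentence such as `Before 6.7, empty parameters left the server without Diffie-Hellman parameters, so DHE cipher suites could not be negotiated.` and state the fallback for other backends. The comment block starts and ends outside the hunk.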
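Review bot: The result of `q_SSL_CTX_set_dh_auto(sslContext->ctx, 1)` is discarded in the new `if (dhparams.isEmpty())` branch of qsslcontext_openssl.cpp. The underlying control call reports success as 1, so a failure here would leave the context without DH parameters and nothing would be logged or returned to the caller. I would test it, `if (q_SSL_CTX_set_dh_auto(sslContext->ctx, 1) != 1)`, and report the failure the way the rest of this function reports setup errors. The function begins and ends outside the hunk, so that error convention is not visible here.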
@@ -516,6 +516,7 @@ DH *q_PEM_read_bio_DHparams(BIO *a, DH **b, pem_password_cb *c, void *d); BIGNUM *q_BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); #define q_SSL_CTX_set_tmp_dh(ctx, dh) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TMP_DH, 0, (char *)dh) +#define q_SSL_CTX_set_dh_auto(ctx, onoff) q_SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) #ifndef OPENSSL_NO_EC // EC Diffie-Hellman support diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index 66711cce45..c7cfaebd62 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -3510,9 +3510,10 @@ void tst_QSslSocket::dhServerCustomParamsNull() if (setProxy) return; + const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256"); SslServer server; - server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; - server.protocol = Test::TlsV1_0; + server.ciphers = {cipherWithDH}; + server.protocol = QSsl::TlsV1_2; QSslConfiguration cfg = server.config; cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters()); @@ -3525,7 +3526,6 @@ void tst_QSslSocket::dhServerCustomParamsNull() QSslSocket client; QSslConfiguration config = client.sslConfiguration(); - config.setProtocol(Test::TlsV1_0); client.setSslConfiguration(config); socket = &client; connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit())); @@ -3536,7 +3536,8 @@ void tst_QSslSocket::dhServerCustomParamsNull() loop.exec(); - QVERIFY(client.state() != QAbstractSocket::ConnectedState); + QCOMPARE(client.state(), QAbstractSocket::ConnectedState); + QCOMPARE(client.sessionCipher(), cipherWithDH); } void tst_QSslSocket::dhServerCustomParams() 
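Review bot: The new `q_SSL_CTX_set_dh_auto` macro in qsslsocket_openssl_symbols_p.h expands `ctx` and `onoff` without parentheses, while `q_SSL_CTX_set_tmp_dh` directly above it wraps `(ctx)`. An argument containing a comma operator or a conditional expression would expand incorrectly. Matching the neighbouring macro avoids that: `#define q_SSL_CTX_set_dh_auto(ctx, onoff) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_DH_AUTO, (onoff), NULL)`.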
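Review bot: Removing `config.setProtocol(Test::TlsV1_0);` in the `@@ -3525` hunk of dhServerCustomParamsNull() leaves `QSslConfiguration config = client.sslConfiguration();` followed directly by `client.setSslConfiguration(config);`, which reads the configuration and writes it back unchanged. Both lines can go. The test name also still says "Null" although it now asserts a successful DHE handshake, so a one-line comment above the asserts would help, e.g. `// Empty DH parameters select OpenSSL's automatic parameters, so the DHE handshake must succeed.` The test body starts outside these hunks.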
@@ -3551,7 +3552,9 @@ void tst_QSslSocket::dhServerCustomParams() return; SslServer server; - server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; + const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256"); + server.ciphers = {cipherWithDH}; + server.protocol = QSsl::TlsV1_2; QSslConfiguration cfg = server.config; @@ -3581,7 +3584,8 @@ void tst_QSslSocket::dhServerCustomParams() loop.exec(); - QVERIFY(client.state() == QAbstractSocket::ConnectedState); + QCOMPARE(client.state(), QAbstractSocket::ConnectedState); + QCOMPARE(client.sessionCipher(), cipherWithDH); } #endif // QT_CONFIG(openssl) |
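Review bot: The new `QCOMPARE(client.sessionCipher(), cipherWithDH);` in dhServerCustomParams() shows that a DHE suite was negotiated, but not that the custom parameters were the ones used. With this commit, empty parameters also produce a working DHE handshake, and dhServerCustomParamsNull() ends on the same two checks. A regression that silently ignored the custom parameters would therefore still pass. If the parameters cannot be inspected from the test, a comment above the asserts should say so, e.g. `// Only proves a DHE handshake succeeded; does not distinguish custom from auto-selected parameters.` The part of the test that sets the parameters lies between the two hunks and is not shown.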