authorAllan Sandfeld Jensen <allan.jensen@digia.com>2014-10-21 15:44:43 +0200
committerKai Koehne <kai.koehne@theqtcompany.com>2014-10-24 12:46:26 +0200
commit3fd2d9eff8c1f948306ee5fbfe364ccded1c4b84 (patch)
tree13d642dd142c5f8dc2b2439c98409b71fba3d8f6 /src/network/ssl/qsslcontext_openssl.cpp
parent88e7a4f661da166e81171a3188f6290c40a2f748 (diff)
Update QSsl::SecureProtocols to not include Sslv3
After the POODLE vulnerability, SSLv3, like SSLv2, should no longer be considered safe, so when a user requests a safe protocol we should only allow TLS versions. [ChangeLog][QtNetwork][QSsl] QSsl::SecureProtocols now also excludes SSLv3 Change-Id: If825f6beb599294b028d706903b39db6b20be519 Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src/network/ssl/qsslcontext_openssl.cpp')
-rw-r--r--src/network/ssl/qsslcontext_openssl.cpp7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index 6daddebba3..c042d98056 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -139,8 +139,11 @@ init_context:
case QSsl::SslV3:
sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
break;
- case QSsl::SecureProtocols: // SslV2 will be disabled below
- case QSsl::TlsV1SslV3: // SslV2 will be disabled below
+ case QSsl::SecureProtocols:
+ // SSLv2 and SSLv3 will be disabled by SSL options
+ // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32.
+ case QSsl::TlsV1SslV3:
+ // SSLv2 will will be disabled by SSL options
case QSsl::AnyProtocol:
default:
sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
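Review bot: Nothing in this hunk enforces the SSLv3 exclusion for `QSsl::SecureProtocols`. The case still falls through to `q_SSLv23_client_method()` / `q_SSLv23_server_method()`, which negotiates whatever versions the library supports, so the guarantee rests entirely on the SSL options applied elsewhere (presumably `SSL_OP_NO_SSLv3` alongside `SSL_OP_NO_SSLv2`), and that code is not part of this diff. It is worth confirming that the option path sets both flags for SecureProtocols, and adding an autotest that checks a SecureProtocols socket refuses a handshake with an SSLv3-only peer. On wording, the comment under `case QSsl::TlsV1SslV3:` has a doubled word and should read `// SSLv2 will be disabled by SSL options`. The Win32 remark under `SecureProtocols` talks about AnyProtocol and would read better attached to the shared `q_SSL_CTX_new(...)` line. The enclosing switch starts and ends outside the hunk.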