authorGiuseppe D'Angelo <giuseppe.dangelo@kdab.com>2018-11-29 02:57:15 +0100
committerTimur Pocheptsov <timur.pocheptsov@qt.io>2018-12-13 15:59:37 +0000
commit455951f59074d6457fd2d10720ac3cbdaa966076 (patch)
treef214024d0551594712da3d33717a4af3a5e2b07e /src/network/ssl/qsslcontext_openssl11.cpp
parent3364be785930548bde2e6dfebe3aabed9e3f780d (diff)
OpenSSL: drop support for SSLv2 and SSLv3
As per RFC 6176 (2011) and RFC 7568 (2015). Code-wise, we're left with the decision of what to do with a few enumerators in QSsl::Protocol; I've made TlsV1SslV3 act as TlsV1, and adjusted the description of AnyProtocol. A new test was introduced - deprecatedProtocol() - to test that we, indeed, do not allow use of SSL v2 and v3. protocol() and protocolServerSide() were reduced to exclude the (now) no-op and meaningless tests - neither client nor server side can start a handshake now, since we bail out early in initSslContext(). [ChangeLog][QtNetwork][SSL] Support for SSLv2 and SSLv3 sockets has been dropped, as per RFC 6176 (2011) and RFC 7568 (2015). Change-Id: I2fe4e8c3e82adf7aa10d4bdc9e3f7b8c299f77b6 Reviewed-by: Edward Welbourne <edward.welbourne@qt.io> Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io> Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/network/ssl/qsslcontext_openssl11.cpp')
-rw-r--r--src/network/ssl/qsslcontext_openssl11.cpp17
1 files changed, 7 insertions, 10 deletions
diff --git a/src/network/ssl/qsslcontext_openssl11.cpp b/src/network/ssl/qsslcontext_openssl11.cpp
index c96a48dac1..21a5c779f7 100644
--- a/src/network/ssl/qsslcontext_openssl11.cpp
+++ b/src/network/ssl/qsslcontext_openssl11.cpp
@@ -95,6 +95,10 @@ init_context:
// SSL 2 is no longer supported, but chosen deliberately -> error
sslContext->ctx = nullptr;
unsupportedProtocol = true;
+ } else if (sslContext->sslConfiguration.protocol() == QSsl::SslV3) {
+ // SSL 3 is no longer supported, but chosen deliberately -> error
+ sslContext->ctx = nullptr;
+ unsupportedProtocol = true;
} else {
switch (sslContext->sslConfiguration.protocol()) {
case QSsl::DtlsV1_0:
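Review bot: The added `else if` for `QSsl::SslV3` repeats the body of the SSL 2 branch directly above it, so the two rejection paths can drift apart when one is edited later. The SSL 2 condition starts outside this hunk, but it looks as if both could share one branch that tests for either enumerator, under a single comment such as `// SSL 2 and SSL 3 are no longer supported, but chosen deliberately -> error`. Keeping one rejection branch also makes it easier to audit that every removed protocol sets `ctx = nullptr` and `unsupportedProtocol = true` together.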
@@ -151,11 +155,6 @@ init_context:
long maxVersion = anyVersion;
switch (sslContext->sslConfiguration.protocol()) {
- // The single-protocol versions first:
- case QSsl::SslV3:
- minVersion = SSL3_VERSION;
- maxVersion = SSL3_VERSION;
- break;
case QSsl::TlsV1_0:
minVersion = TLS1_VERSION;
maxVersion = TLS1_VERSION;
@@ -181,9 +180,6 @@ init_context:
// Ranges:
case QSsl::TlsV1SslV3:
case QSsl::AnyProtocol:
- minVersion = SSL3_VERSION;
- maxVersion = 0;
- break;
case QSsl::SecureProtocols:
case QSsl::TlsV1_0OrLater:
minVersion = TLS1_VERSION;
@@ -227,8 +223,9 @@ init_context:
break;
#endif // TLS1_3_VERSION
case QSsl::SslV2:
- // This protocol is not supported by OpenSSL 1.1 and we handle
- // it as an error (see the code above).
+ case QSsl::SslV3:
+ // These protocols are not supported, and we handle
+ // them as an error (see the code above).
Q_UNREACHABLE();
break;
case QSsl::UnknownProtocol:
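Review bot: The `case QSsl::SslV2:` / `case QSsl::SslV3:` pair ends in `Q_UNREACHABLE()`, which is an optimizer assumption in release builds, so this case does not fail closed if the early rejection in the first hunk is ever bypassed. The comment only says "see the code above"; it would help to name the invariant, e.g. `// Invariant: unsupportedProtocol was set for SslV2/SslV3 before this switch, so no context exists here.` If the surrounding function has an error path available at this point (not visible in the hunk), routing these two cases to it instead of `Q_UNREACHABLE()` would make a refactoring mistake produce a refused handshake rather than undefined behaviour. The switch continues outside the hunk.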