author | Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> | 2018-11-29 02:57:15 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2018-12-13 15:59:37 +0000 |
commit | 455951f59074d6457fd2d10720ac3cbdaa966076 (patch) | |
tree | f214024d0551594712da3d33717a4af3a5e2b07e /src/network/ssl/qsslsocket_mac.cpp | |
parent | 3364be785930548bde2e6dfebe3aabed9e3f780d (diff) |
OpenSSL: drop support for SSLv2 and SSLv3
As per RFC 6176 (2011) and RFC 7568 (2015).
Code-wise, we're left with the decision of what to do with a few
enumerators in QSsl::Protocol; I've made TlsV1SslV3 act as TlsV1,
and adjusted the description of AnyProtocol.
A new test was introduced - deprecatedProtocol() - to test that
we, indeed, do not allow use of SSL v2 and v3. protocol() and
protocolServerSide() were reduced to exclude the (now) no-op
and meaningless tests - neither client nor server side can
start a handshake now, since we bail out early in initSslContext().
[ChangeLog][QtNetwork][SSL] Support for SSLv2 and SSLv3
sockets has been dropped, as per RFC 6176 (2011)
and RFC 7568 (2015).
Change-Id: I2fe4e8c3e82adf7aa10d4bdc9e3f7b8c299f77b6
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/network/ssl/qsslsocket_mac.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_mac.cpp | 24 |
1 files changed, 11 insertions, 13 deletions
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index f92eaf872b..9c3c98e390 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -1107,6 +1107,12 @@ bool QSslSocketBackendPrivate::setSessionProtocol() return false; } + // SslV3 is unsupported. + if (configuration.protocol == QSsl::SslV3) { + qCDebug(lcSsl) << "protocol QSsl::SslV3 is disabled"; + return false; + } + // SecureTransport has kTLSProtocol13 constant and also, kTLSProtocolMaxSupported. // Calling SSLSetProtocolVersionMax/Min with any of these two constants results // in errInvalidParam and a failure to set the protocol version. This means @@ -1121,14 +1127,7 @@ bool QSslSocketBackendPrivate::setSessionProtocol() OSStatus err = errSecSuccess; - if (configuration.protocol == QSsl::SslV3) { - #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl) << plainSocket << "requesting : SSLv3"; - #endif - err = SSLSetProtocolVersionMin(context, kSSLProtocol3); - if (err == errSecSuccess) - err = SSLSetProtocolVersionMax(context, kSSLProtocol3); - } else if (configuration.protocol == QSsl::TlsV1_0) { + if (configuration.protocol == QSsl::TlsV1_0) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << plainSocket << "requesting : TLSv1.0"; #endif 
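Review bot: In the first hunk of setSessionProtocol(), the new SslV3 rejection is reported only through `qCDebug(lcSsl)`, so an application that still configures QSsl::SslV3 gets a failed handshake setup with no diagnostic unless debug output for that category is enabled. A refused protocol is a configuration error rather than a debugging detail, so I would log it as `qCWarning(lcSsl) << "protocol QSsl::SslV3 is disabled";`. If the check just above the hunk (of which only `return false; }` is visible) logs the same way, it should change with it. Whether the caller turns the `false` return into a socket error is not visible here; the function starts and ends outside the hunk.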
@@ -1153,17 +1152,16 @@ bool QSslSocketBackendPrivate::setSessionProtocol()
 #ifdef QSSLSOCKET_DEBUG
 qCDebug(lcSsl) << plainSocket << "requesting : any";
 #endif
- // kSSLProtocol3, since kSSLProtocol2 is disabled:
- err = SSLSetProtocolVersionMin(context, kSSLProtocol3);
+ err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
 if (err == errSecSuccess)
 err = SSLSetProtocolVersionMax(context, kTLSProtocol12);
 } else if (configuration.protocol == QSsl::TlsV1SslV3) {
 #ifdef QSSLSOCKET_DEBUG
 qCDebug(lcSsl) << plainSocket << "requesting : SSLv3 - TLSv1.2";
 #endif
- err = SSLSetProtocolVersionMin(context, kSSLProtocol3);
+ err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
 if (err == errSecSuccess)
- err = SSLSetProtocolVersionMax(context, kTLSProtocol12);
+ err = SSLSetProtocolVersionMax(context, kTLSProtocol1);
 } else if (configuration.protocol == QSsl::SecureProtocols) {
 #ifdef QSSLSOCKET_DEBUG
 qCDebug(lcSsl) << plainSocket << "requesting : TLSv1 - TLSv1.2";
@@ -1217,7 +1215,7 @@ bool QSslSocketBackendPrivate::verifySessionProtocol() const
 if (configuration.protocol == QSsl::AnyProtocol)
 protocolOk = true;
 else if (configuration.protocol == QSsl::TlsV1SslV3)
- protocolOk = (sessionProtocol() >= QSsl::SslV3);
+ protocolOk = (sessionProtocol() == QSsl::TlsV1_0);
 else if (configuration.protocol == QSsl::SecureProtocols)
 protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
 else if (configuration.protocol == QSsl::TlsV1_0OrLater) |
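Review bot: The debug string in the QSsl::TlsV1SslV3 branch of setSessionProtocol() (hunk at -1153) still reads "requesting : SSLv3 - TLSv1.2", but the new lines set both the minimum and the maximum to kTLSProtocol1. Anyone reading a QSSLSOCKET_DEBUG trace would conclude that SSLv3 is still offered and that TLS 1.2 is reachable, and neither is true after this change; the line should become `qCDebug(lcSsl) << plainSocket << "requesting : TLSv1.0";`. The ceiling also drops from kTLSProtocol12 to kTLSProtocol1 for this enumerator, so a short comment in the branch would help, e.g. `// TlsV1SslV3 now behaves as TlsV1_0: SSLv3 is gone, so only TLS 1.0 remains.` The function body starts and ends outside the hunk.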
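Review bot: In verifySessionProtocol() (hunk at -1217), the QSsl::AnyProtocol branch still sets `protocolOk = true` without looking at the negotiated version, so it is now the one branch that would accept an SSLv3 session if the minimum set in setSessionProtocol() were not honoured. Since this check exists to confirm what was actually negotiated, I would give it the same floor as the SecureProtocols branch: `protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);`. Before doing so, check how sessionProtocol() reports a version it does not recognise, because such a session would then fail verification where it passes today. The function body continues outside the hunk.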