diff options
author | Lars Knoll <lars.knoll@qt.io> | 2018-04-12 21:59:27 +0200 |
---|---|---|
committer | Lars Knoll <lars.knoll@qt.io> | 2018-04-12 22:00:35 +0200 |
commit | 4f158ccee56827af2a0d7b0a043c5e6cdc3bad5b (patch) | |
tree | 068d0e99a0100f64364f6490d5c1e39c34ffc2aa /src/network/ssl | |
parent | 5c63e6fd7541609c3fadb694c071b42e93b7acf5 (diff) | |
parent | 9c4c136bc9f29bab1cc9684dfced55a92a8bbe96 (diff) |
Merge remote-tracking branch 'origin/5.11' into dev
Change-Id: I9f802cb9b4d9ccba77ca39428a5cb1afd2d01642
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qssl.cpp | 6 | ||||
-rw-r--r-- | src/network/ssl/qsslcontext_openssl11.cpp | 62 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_openssl11_symbols_p.h | 6 |
3 files changed, 71 insertions, 3 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp index 0102956097..ee6e64706a 100644 --- a/src/network/ssl/qssl.cpp +++ b/src/network/ssl/qssl.cpp @@ -117,7 +117,7 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl"); Describes the protocol of the cipher. \value SslV3 SSLv3. When using the WinRT backend this option will also enable TLSv1.0 - \value SslV2 SSLv2 + \value SslV2 SSLv2. Note, SSLv2 support was removed in OpenSSL 1.1. \value TlsV1_0 TLSv1.0 \value TlsV1_0OrLater TLSv1.0 and later versions. This option is not available when using the WinRT backend due to platform limitations. \value TlsV1 Obsolete, means the same as TlsV1_0 @@ -129,8 +129,8 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl"); \value DtlsV1_2 DTLSv1.2 \value DtlsV1_2OrLater DTLSv1.2 and later versions. \value UnknownProtocol The cipher's protocol cannot be determined. - \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1.0. This - value is used by QSslSocket only. + \value AnyProtocol The socket understands SSLv2, SSLv3, TLSv1.0 and all + supported later versions of TLS. This value is used by QSslSocket only. \value TlsV1SslV3 On the client side, this will send a TLS 1.0 Client Hello, enabling TLSv1_0 and SSLv3 connections. On the server side, this will enable both SSLv3 and TLSv1_0 connections. diff --git a/src/network/ssl/qsslcontext_openssl11.cpp b/src/network/ssl/qsslcontext_openssl11.cpp index 7be7be46b8..5c68ed41db 100644 --- a/src/network/ssl/qsslcontext_openssl11.cpp +++ b/src/network/ssl/qsslcontext_openssl11.cpp @@ -100,6 +100,68 @@ init_context: return; } + long minVersion = TLS_ANY_VERSION; + long maxVersion = TLS_ANY_VERSION; + switch (sslContext->sslConfiguration.protocol()) { + // The single-protocol versions first: + case QSsl::SslV3: + minVersion = SSL3_VERSION; + maxVersion = SSL3_VERSION; + break; + case QSsl::TlsV1_0: + minVersion = TLS1_VERSION; + maxVersion = TLS1_VERSION; + break; + case QSsl::TlsV1_1: + minVersion = TLS1_1_VERSION; + maxVersion = TLS1_1_VERSION; + break; + case QSsl::TlsV1_2: + minVersion = TLS1_2_VERSION; + maxVersion = TLS1_2_VERSION; + break; + // Ranges: + case QSsl::TlsV1SslV3: + case QSsl::AnyProtocol: + minVersion = SSL3_VERSION; + maxVersion = TLS_MAX_VERSION; + break; + case QSsl::SecureProtocols: + case QSsl::TlsV1_0OrLater: + minVersion = TLS1_VERSION; + maxVersion = TLS_MAX_VERSION; + break; + case QSsl::TlsV1_1OrLater: + minVersion = TLS1_1_VERSION; + maxVersion = TLS_MAX_VERSION; + break; + case QSsl::TlsV1_2OrLater: + minVersion = TLS1_2_VERSION; + maxVersion = TLS_MAX_VERSION; + break; + case QSsl::SslV2: + // This protocol is not supported by OpenSSL 1.1 and we handle + // it as an error (see the code above). + Q_UNREACHABLE(); + break; + case QSsl::UnknownProtocol: + break; + } + + if (minVersion != TLS_ANY_VERSION + && !q_SSL_CTX_set_min_proto_version(sslContext->ctx, minVersion)) { + sslContext->errorStr = QSslSocket::tr("Error while setting the minimal protocol version"); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (maxVersion != TLS_ANY_VERSION + && !q_SSL_CTX_set_max_proto_version(sslContext->ctx, maxVersion)) { + sslContext->errorStr = QSslSocket::tr("Error while setting the maximum protocol version"); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + // Enable bug workarounds. long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); q_SSL_CTX_set_options(sslContext->ctx, options); diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h index 60134726fe..1ceddecbb7 100644 --- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h @@ -168,4 +168,10 @@ void q_BIO_set_init(BIO *a, int init); int q_BIO_get_shutdown(BIO *a); void q_BIO_set_shutdown(BIO *a, int shut); +#define q_SSL_CTX_set_min_proto_version(ctx, version) \ + q_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nullptr) + +#define q_SSL_CTX_set_max_proto_version(ctx, version) \ + q_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nullptr) + #endif |