Merge remote-tracking branch 'origin/5.11' into dev

Change-Id: I9f802cb9b4d9ccba77ca39428a5cb1afd2d01642

3 files changed, 71 insertions, 3 deletions

diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 0102956097..ee6e64706a 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -117,7 +117,7 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl");
     Describes the protocol of the cipher.
 
     \value SslV3 SSLv3. When using the WinRT backend this option will also enable TLSv1.0
-    \value SslV2 SSLv2
+    \value SslV2 SSLv2. Note, SSLv2 support was removed in OpenSSL 1.1.
     \value TlsV1_0 TLSv1.0
     \value TlsV1_0OrLater TLSv1.0 and later versions. This option is not available when using the WinRT backend due to platform limitations.
     \value TlsV1 Obsolete, means the same as TlsV1_0
@@ -129,8 +129,8 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl");
     \value DtlsV1_2 DTLSv1.2
     \value DtlsV1_2OrLater DTLSv1.2 and later versions.
     \value UnknownProtocol The cipher's protocol cannot be determined.
-    \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1.0. This
-    value is used by QSslSocket only.
+    \value AnyProtocol The socket understands SSLv2, SSLv3, TLSv1.0 and all
+    supported later versions of TLS. This value is used by QSslSocket only.
     \value TlsV1SslV3 On the client side, this will send
     a TLS 1.0 Client Hello, enabling TLSv1_0 and SSLv3 connections.
     On the server side, this will enable both SSLv3 and TLSv1_0 connections.
diff --git a/src/network/ssl/qsslcontext_openssl11.cpp b/src/network/ssl/qsslcontext_openssl11.cpp
index 7be7be46b8..5c68ed41db 100644
--- a/src/network/ssl/qsslcontext_openssl11.cpp
+++ b/src/network/ssl/qsslcontext_openssl11.cpp
@@ -100,6 +100,68 @@ init_context:
         return;
     }
 
+    long minVersion = TLS_ANY_VERSION;
+    long maxVersion = TLS_ANY_VERSION;
+    switch (sslContext->sslConfiguration.protocol()) {
+    // The single-protocol versions first:
+    case QSsl::SslV3:
+        minVersion = SSL3_VERSION;
+        maxVersion = SSL3_VERSION;
+        break;
+    case QSsl::TlsV1_0:
+        minVersion = TLS1_VERSION;
+        maxVersion = TLS1_VERSION;
+        break;
+    case QSsl::TlsV1_1:
+        minVersion = TLS1_1_VERSION;
+        maxVersion = TLS1_1_VERSION;
+        break;
+    case QSsl::TlsV1_2:
+        minVersion = TLS1_2_VERSION;
+        maxVersion = TLS1_2_VERSION;
+        break;
+    // Ranges:
+    case QSsl::TlsV1SslV3:
+    case QSsl::AnyProtocol:
+        minVersion = SSL3_VERSION;
+        maxVersion = TLS_MAX_VERSION;
+        break;
+    case QSsl::SecureProtocols:
+    case QSsl::TlsV1_0OrLater:
+        minVersion = TLS1_VERSION;
+        maxVersion = TLS_MAX_VERSION;
+        break;
+    case QSsl::TlsV1_1OrLater:
+        minVersion = TLS1_1_VERSION;
+        maxVersion = TLS_MAX_VERSION;
+        break;
+    case QSsl::TlsV1_2OrLater:
+        minVersion = TLS1_2_VERSION;
+        maxVersion = TLS_MAX_VERSION;
+        break;
+    case QSsl::SslV2:
+        // This protocol is not supported by OpenSSL 1.1 and we handle
+        // it as an error (see the code above).
+        Q_UNREACHABLE();
+        break;
+    case QSsl::UnknownProtocol:
+        break;
+    }
+
+    if (minVersion != TLS_ANY_VERSION
+        && !q_SSL_CTX_set_min_proto_version(sslContext->ctx, minVersion)) {
+        sslContext->errorStr = QSslSocket::tr("Error while setting the minimal protocol version");
+        sslContext->errorCode = QSslError::UnspecifiedError;
+        return;
+    }
+
+    if (maxVersion != TLS_ANY_VERSION
+        && !q_SSL_CTX_set_max_proto_version(sslContext->ctx, maxVersion)) {
+        sslContext->errorStr = QSslSocket::tr("Error while setting the maximum protocol version");
+        sslContext->errorCode = QSslError::UnspecifiedError;
+        return;
+    }
+
     // Enable bug workarounds.
     long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);
     q_SSL_CTX_set_options(sslContext->ctx, options);
diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
index 60134726fe..1ceddecbb7 100644
--- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
@@ -168,4 +168,10 @@ void q_BIO_set_init(BIO *a, int init);
 int q_BIO_get_shutdown(BIO *a);
 void q_BIO_set_shutdown(BIO *a, int shut);
 
+#define q_SSL_CTX_set_min_proto_version(ctx, version) \
+        q_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nullptr)
+
+#define q_SSL_CTX_set_max_proto_version(ctx, version) \
+        q_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nullptr)
+
 #endif