Merge remote-tracking branch 'origin/5.11' into dev

 Conflicts:
	src/plugins/platforms/cocoa/qnsview.mm
	src/plugins/platforms/cocoa/qnsview_mouse.mm
	src/testlib/testlib.pro

Change-Id: Ia0ce4243418fe6a485b0f290c67bd433b3b04ff2

3 files changed, 9 insertions, 5 deletions

diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 8a5540e8bd..85d1a99c45 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -116,14 +116,14 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl");
 
     Describes the protocol of the cipher.
 
-    \value SslV3 SSLv3
+    \value SslV3 SSLv3. When using the WinRT backend this option will also enable TLSv1.0
     \value SslV2 SSLv2
     \value TlsV1_0 TLSv1.0
     \value TlsV1_0OrLater TLSv1.0 and later versions. This option is not available when using the WinRT backend due to platform limitations.
     \value TlsV1 Obsolete, means the same as TlsV1_0
-    \value TlsV1_1 TLSv1.1
+    \value TlsV1_1 TLSv1.1. When using the WinRT backend this option will also enable TLSv1.0.
     \value TlsV1_1OrLater TLSv1.1 and later versions. This option is not available when using the WinRT backend due to platform limitations.
-    \value TlsV1_2 TLSv1.2
+    \value TlsV1_2 TLSv1.2. When using the WinRT backend this option will also enable TLSv1.0 and TLSv1.1.
     \value TlsV1_2OrLater TLSv1.2 and later versions. This option is not available when using the WinRT backend due to platform limitations.
     \value UnknownProtocol The cipher's protocol cannot be determined.
     \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1.0. This
diff --git a/src/network/ssl/qsslsocket_mac_shared.cpp b/src/network/ssl/qsslsocket_mac_shared.cpp
index d239fe23dd..4f0adf16f9 100644
--- a/src/network/ssl/qsslsocket_mac_shared.cpp
+++ b/src/network/ssl/qsslsocket_mac_shared.cpp
@@ -128,10 +128,10 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
     QList<QSslCertificate> systemCerts;
     // SecTrustSettingsCopyCertificates is not defined on iOS.
 #ifdef Q_OS_OSX
-    QCFType<CFArrayRef> cfCerts;
     // iterate through all enum members, order:
     // kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem
     for (int dom = kSecTrustSettingsDomainUser; dom <= int(kSecTrustSettingsDomainSystem); dom++) {
+        QCFType<CFArrayRef> cfCerts;
         OSStatus status = SecTrustSettingsCopyCertificates(SecTrustSettingsDomain(dom), &cfCerts);
         if (status == noErr) {
             const CFIndex size = CFArrayGetCount(cfCerts);
diff --git a/src/network/ssl/qsslsocket_winrt.cpp b/src/network/ssl/qsslsocket_winrt.cpp
index f64ae2e020..ff9dccc734 100644
--- a/src/network/ssl/qsslsocket_winrt.cpp
+++ b/src/network/ssl/qsslsocket_winrt.cpp
@@ -238,7 +238,6 @@ void QSslSocketBackendPrivate::startClientEncryption()
     case QSsl::SslV3:
         protectionLevel = SocketProtectionLevel_Ssl; // Only use this value if weak cipher support is required
         break;
-    case QSsl::SecureProtocols:
     case QSsl::TlsV1SslV3:
     case QSsl::TlsV1_0:
         protectionLevel = SocketProtectionLevel_Tls10;
@@ -257,6 +256,11 @@ void QSslSocketBackendPrivate::startClientEncryption()
         setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
                         QStringLiteral("unsupported protocol"));
         return;
+    case QSsl::SecureProtocols:
+        // SocketProtectionLevel_Tls12 actually means "use TLS1.0, 1.1 or 1.2"
+        // https://docs.microsoft.com/en-us/uwp/api/windows.networking.sockets.socketprotectionlevel
+        protectionLevel = SocketProtectionLevel_Tls12;
+        break;
     default:
         protectionLevel = SocketProtectionLevel_Tls12; // default to highest
         protocol = QSsl::TlsV1_2;