QSsl: workaround a 'very secure' OpenSSL version (CentOS 8.x et al)

CentOS it seems not only backported some OpenSSL 3 functions,
but also raised the default security level to 2, making some of
our keys (and MDs?) 'too weak' and failing auto-tests here and
there as a result. For our auto-test we lower the level to 1,
as it is expected to be.

Fixes: QTBUG-86336
Change-Id: I7062a1b292e8b60eb9c2b2e82bd002f09f9da603
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 605d2163f1dcd7e1ad701ade913cb476b91865b1)
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>

3 files changed, 18 insertions, 1 deletions

diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index abc398b209..c9f202f573 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -54,6 +54,13 @@
 
 QT_BEGIN_NAMESPACE
 
+Q_GLOBAL_STATIC(bool, forceSecurityLevel)
+
+Q_NETWORK_EXPORT void qt_ForceTlsSecurityLevel()
+{
+    *forceSecurityLevel() = true;
+}
+
 // defined in qsslsocket_openssl.cpp:
 extern int q_X509Callback(int ok, X509_STORE_CTX *ctx);
 extern QString getErrorsFromOpenSsl();
@@ -344,6 +351,10 @@ init_context:
         return;
     }
 
+    // A nasty hacked OpenSSL using a level that will make our auto-tests fail:
+    if (q_SSL_CTX_get_security_level(sslContext->ctx) > 1 && *forceSecurityLevel())
+        q_SSL_CTX_set_security_level(sslContext->ctx, 1);
+
     const long anyVersion =
 #if QT_CONFIG(dtls)
                             isDtls ? DTLS_ANY_VERSION : TLS_ANY_VERSION;
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index 2f57998cea..ed80fc14bd 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -159,6 +159,8 @@ DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG)
 DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return)
 DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return)
 DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
+DEFINEFUNC(int, SSL_CTX_get_security_level, const SSL_CTX *ctx, ctx, return -1, return)
+DEFINEFUNC2(void, SSL_CTX_set_security_level, SSL_CTX *ctx, ctx, int level, level, return, return)
 #ifdef TLS1_3_VERSION
 DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
 DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
@@ -856,7 +858,8 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(OPENSSL_sk_value)
     RESOLVEFUNC(DH_get0_pqg)
     RESOLVEFUNC(SSL_CTX_set_options)
-
+    RESOLVEFUNC(SSL_CTX_get_security_level)
+    RESOLVEFUNC(SSL_CTX_set_security_level)
 #ifdef TLS1_3_VERSION
     RESOLVEFUNC(SSL_CTX_set_ciphersuites)
     RESOLVEFUNC(SSL_set_psk_use_session_callback)
diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
index 018962bcc1..c46afcf53e 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -748,6 +748,9 @@ int q_OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 void *q_CRYPTO_malloc(size_t num, const char *file, int line);
 #define q_OPENSSL_malloc(num) q_CRYPTO_malloc(num, "", 0)
 
+int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
+void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
+
 QT_END_NAMESPACE
 
 #endif