diff options
author | Richard J. Moore <rich@kde.org> | 2015-04-18 11:34:26 +0100 |
---|---|---|
committer | Richard J. Moore <rich@kde.org> | 2015-04-25 12:10:50 +0000 |
commit | 00f0a4119c2eeec2c2bee1bfbde7b8653d7b7aa9 (patch) | |
tree | e6729226f2d0fa86274a1ae3e560f4a35c7781dd /src/network | |
parent | 7b97f53e71bb7f290be2395d68bd166d2a18e596 (diff) |
Add the ability to prefer the cipher preferences specified by the server.
Currently the cipher preferred by the client will always be used for SSL
connections. This change makes it so that by default the ciphers
specified by the server will be used (like the Apache SSLHonorCipherOrder
option). This behavior can be disabled using a new SslOption.
[ChangeLog][QtNetwork][QSslSocket] QSslSocket will now default to using
the cipher preferences of the server socket when used as an SSL server.
This can be disabled using the QSslConfiguration.
Change-Id: I2d16d10145cf88a7412f30ef960d87024777de1c
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/ssl/qssl.cpp | 4 | ||||
-rw-r--r-- | src/network/ssl/qssl.h | 3 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 3 |
3 files changed, 9 insertions, 1 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp index 26381fcb8e..84aa9d7dca 100644 --- a/src/network/ssl/qssl.cpp +++ b/src/network/ssl/qssl.cpp @@ -166,6 +166,10 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl"); in ASN.1 format as returned by QSslConfiguration::sessionTicket(). Enabling this feature adds memory overhead of approximately 1K per used session ticket. + \value SslOptionDisableServerCipherPreference Disables selecting the cipher + chosen based on the servers preferences rather than the order ciphers were + sent by the client. This option is only relevant to server sockets, and is + only honored by the OpenSSL backend. By default, SslOptionDisableEmptyFragments is turned on since this causes problems with a large number of servers. SslOptionDisableLegacyRenegotiation diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h index f56c36b219..03497ecf76 100644 --- a/src/network/ssl/qssl.h +++ b/src/network/ssl/qssl.h @@ -95,7 +95,8 @@ namespace QSsl { SslOptionDisableServerNameIndication = 0x08, SslOptionDisableLegacyRenegotiation = 0x10, SslOptionDisableSessionSharing = 0x20, - SslOptionDisableSessionPersistence = 0x40 + SslOptionDisableSessionPersistence = 0x40, + SslOptionDisableServerCipherPreference = 0x80 }; Q_DECLARE_FLAGS(SslOptions, SslOption) } diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 954c11d1f0..55762c94c7 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -344,6 +344,9 @@ long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, Q options |= SSL_OP_NO_COMPRESSION; #endif + if (!(sslOptions & QSsl::SslOptionDisableServerCipherPreference)) + options |= SSL_OP_CIPHER_SERVER_PREFERENCE; + return options; } |