authorMårten Nordheim <marten.nordheim@qt.io>2021-06-18 12:46:33 +0200
committerMårten Nordheim <marten.nordheim@qt.io>2021-06-25 01:30:46 +0200
commitbb93c641a20ee7585bcf5f3e86d012d1a8f557ff (patch)
treeff496ddce54b446951fa6137870ab0b702f8a749 /src/plugins/tls/securetransport
parent664a6621fb54aaa5824ff4f3f09cbc21ecefcd3b (diff)
TLS: Mark TLS 1.0, 1.1 and DTLS 1.0 deprecated
As per the best practice laid forth in RFC-8996. TLS 1.2 was recommended from 2008 until TLS 1.3 was released in 2018. [ChangeLog][QtNetwork][QSslSocket] TLS 1.0, 1.1 and DTLS 1.0 are now deprecated, as recommended by RFC-8996. Fixes: QTBUG-92880 Change-Id: I90cebcfb07cfce623af7ac9f2b66ce9d02586b54 Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/plugins/tls/securetransport')
-rw-r--r--src/plugins/tls/securetransport/qtls_st.cpp18
-rw-r--r--src/plugins/tls/securetransport/qtlsbackend_st.cpp3
2 files changed, 18 insertions, 3 deletions
diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp
index 6741fbc5b2..3c23d67598 100644
--- a/src/plugins/tls/securetransport/qtls_st.cpp
+++ b/src/plugins/tls/securetransport/qtls_st.cpp
@@ -439,10 +439,13 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const
}
switch (protocol) {
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
case kTLSProtocol1:
return QSsl::TlsV1_0;
case kTLSProtocol11:
return QSsl::TlsV1_1;
+QT_WARNING_POP
case kTLSProtocol12:
return QSsl::TlsV1_2;
case kTLSProtocol13:
@@ -922,6 +925,8 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
OSStatus err = errSecSuccess;
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
if (configuration.protocol() == QSsl::TlsV1_0) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0";
@@ -936,6 +941,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
if (err == errSecSuccess)
err = SSLSetProtocolVersionMax(context, kTLSProtocol11);
+QT_WARNING_POP
} else if (configuration.protocol() == QSsl::TlsV1_2) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
@@ -950,9 +956,11 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
} else if (configuration.protocol() == QSsl::SecureProtocols) {
#ifdef QSSLSOCKET_DEBUG
- qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
+ qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
#endif
- err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
+ err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
} else if (configuration.protocol() == QSsl::TlsV1_0OrLater) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
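Review bot: The new `SecureProtocols` debug line prints `requesting : TLSv1.2`, which reads as a pinned version even though the visible code in this branch only raises the floor with `SSLSetProtocolVersionMin(context, kTLSProtocol12)`. Someone reading a QSSLSOCKET_DEBUG log during an audit cannot tell a floor from an exact-version request; `"requesting : TLSv1.2 or later"` would say what was actually configured. Separately, the context line `err = SSLSetProtocolVersionMin(context, kTLSProtocol1);` at the top of the hunk belongs to a branch whose condition is outside the hunk (presumably `AnyProtocol`) and still admits TLS 1.0. A one-line comment there, such as `// AnyProtocol intentionally keeps the deprecated TLS 1.0 floor`, would mark that as a deliberate choice.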
@@ -963,6 +971,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2";
#endif
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
+QT_WARNING_POP
} else if (configuration.protocol() == QSsl::TlsV1_2OrLater) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
@@ -999,11 +1008,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const
if (configuration.protocol() == QSsl::AnyProtocol)
protocolOk = true;
else if (configuration.protocol() == QSsl::SecureProtocols)
- protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
+ protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
else if (configuration.protocol() == QSsl::TlsV1_0OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
else if (configuration.protocol() == QSsl::TlsV1_1OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_1);
+QT_WARNING_POP
else if (configuration.protocol() == QSsl::TlsV1_2OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
else if (configuration.protocol() == QSsl::TlsV1_3OrLater)
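Review bot: The `SecureProtocols` arm now enforces its floor with `sessionProtocol() >= QSsl::TlsV1_2`, an ordinal comparison on enumerators that has no comment explaining why it is safe. This check is what rejects a session that negotiated below the floor, so the assumption should be written down, for example `// Ordinal compare: relies on TlsV1_0 < TlsV1_1 < TlsV1_2 in QSsl::SslProtocol and on an unknown protocol comparing below them`. The enum definition is not part of this diff, so confirm the ordering, including where `TlsV1_3` sits, before relying on it. The if/else chain starts before and continues past this hunk.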
diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp
index 7fc7692350..b84faabcfa 100644
--- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp
+++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp
@@ -294,10 +294,13 @@ QList<QSsl::SslProtocol> QSecureTransportBackend::supportedProtocols() const
protocols << QSsl::AnyProtocol;
protocols << QSsl::SecureProtocols;
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
protocols << QSsl::TlsV1_0;
protocols << QSsl::TlsV1_0OrLater;
protocols << QSsl::TlsV1_1;
protocols << QSsl::TlsV1_1OrLater;
+QT_WARNING_POP
protocols << QSsl::TlsV1_2;
protocols << QSsl::TlsV1_2OrLater;