authorTimur Pocheptsov <timur.pocheptsov@qt.io>2020-09-09 08:37:54 +0200
committerTimur Pocheptsov <timur.pocheptsov@qt.io>2020-09-12 05:36:08 +0200
commit605d2163f1dcd7e1ad701ade913cb476b91865b1 (patch)
tree9db599aad23ae70761246dc104f340cb897a82b6 /src
parent5bb4baae0379d5903f547f0399be9620f5ab06a0 (diff)
QSsl: workaround a 'very secure' OpenSSL version (CentOS 8.x et al)
It seems CentOS not only backported some OpenSSL 3 functions, but also raised the default security level to 2, making some of our keys (and MDs?) 'too weak' and causing auto-tests to fail here and there as a result. For our auto-tests we lower the level to 1, as it is expected to be. Fixes: QTBUG-86336 Pick-to: 5.15 Change-Id: I7062a1b292e8b60eb9c2b2e82bd002f09f9da603 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/network/ssl/qsslcontext_openssl.cpp11
-rw-r--r--src/network/ssl/qsslsocket_openssl_symbols.cpp4
-rw-r--r--src/network/ssl/qsslsocket_openssl_symbols_p.h3
3 files changed, 18 insertions, 0 deletions
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index 6eed354b9e..5fb7172583 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -54,6 +54,13 @@
QT_BEGIN_NAMESPACE
+Q_GLOBAL_STATIC(bool, forceSecurityLevel)
+
+Q_NETWORK_EXPORT void qt_ForceTlsSecurityLevel()
+{
+ *forceSecurityLevel() = true;
+}
+
// defined in qsslsocket_openssl.cpp:
extern int q_X509Callback(int ok, X509_STORE_CTX *ctx);
extern "C" int q_X509CallbackDirect(int ok, X509_STORE_CTX *ctx);
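Review bot: qt_ForceTlsSecurityLevel() is exported with Q_NETWORK_EXPORT but none of the three files in this commit declares it, so every caller (presumably the auto-tests) has to spell out its own prototype, and nothing on the page documents that it is a one-way switch with no reset. I would add a comment above the definition, e.g. `// Test-only hook: once called, initSslContext() caps the OpenSSL security level at 1 for every context created afterwards; there is no way to undo it.`. The flag is a plain bool in a Q_GLOBAL_STATIC written here and read during context setup; if that can happen on different threads it is worth stating that the call is expected before any TLS work starts, though that ordering is not visible from this hunk.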
@@ -334,6 +341,10 @@ init_context:
return;
}
+ // A nasty hacked OpenSSL using a level that will make our auto-tests fail:
+ if (q_SSL_CTX_get_security_level(sslContext->ctx) > 1 && *forceSecurityLevel())
+ q_SSL_CTX_set_security_level(sslContext->ctx, 1);
+
const long anyVersion =
#if QT_CONFIG(dtls)
isDtls ? DTLS_ANY_VERSION : TLS_ANY_VERSION;
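Review bot: The downgrade to level 1 on the new lines is silent, so a test run (or any process that reaches this hook) gives no indication that weaker keys and digests were just permitted; a log line makes the change auditable in test output. The condition also calls into OpenSSL before checking the cheap flag, so evaluating the flag first avoids the symbol call in the normal case: `if (*forceSecurityLevel() && q_SSL_CTX_get_security_level(sslContext->ctx) > 1) {` followed by `qWarning("QSslContext: lowering OpenSSL security level to 1 (requested by qt_ForceTlsSecurityLevel)");` before the set call, with a closing brace. The `> 1` test relies on the getter's unresolved-symbol fallback being -1 (from qsslsocket_openssl_symbols.cpp), which the comment here should mention since the code reads as if the level were always available. The enclosing function starts and ends outside this hunk.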
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index 81637cf0cc..9396516670 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -164,6 +164,8 @@ using info_callback = void (*) (const SSL *ssl, int type, int val);
DEFINEFUNC2(void, SSL_set_info_callback, SSL *ssl, ssl, info_callback cb, cb, return, return)
DEFINEFUNC(const char *, SSL_alert_type_string, int value, value, return nullptr, return)
DEFINEFUNC(const char *, SSL_alert_desc_string_long, int value, value, return nullptr, return)
+DEFINEFUNC(int, SSL_CTX_get_security_level, const SSL_CTX *ctx, ctx, return -1, return)
+DEFINEFUNC2(void, SSL_CTX_set_security_level, SSL_CTX *ctx, ctx, int level, level, return, return)
#ifdef TLS1_3_VERSION
DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
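Review bot: The `return -1` fallback in the new SSL_CTX_get_security_level line is load-bearing: it is what keeps the `> 1` check in qsslcontext_openssl.cpp from downgrading anything when the symbol could not be resolved, yet neither this line nor the matching prototypes in qsslsocket_openssl_symbols_p.h say so. A short comment on the prototype in the header, `// Returns -1 when the symbol is unavailable; real levels are non-negative.`, ties the two together so a future change to the fallback does not quietly alter the downgrade logic. The setter's fallback is a no-op, which is consistent with that intent.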
@@ -865,6 +867,8 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(SSL_set_info_callback)
RESOLVEFUNC(SSL_alert_type_string)
RESOLVEFUNC(SSL_alert_desc_string_long)
+ RESOLVEFUNC(SSL_CTX_get_security_level)
+ RESOLVEFUNC(SSL_CTX_set_security_level)
#ifdef TLS1_3_VERSION
RESOLVEFUNC(SSL_CTX_set_ciphersuites)
RESOLVEFUNC(SSL_set_psk_use_session_callback)
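Review bot: The two new RESOLVEFUNC lines are unconditional, unlike the TLS 1.3 entries right below them that sit under `#ifdef TLS1_3_VERSION`, so on a library build that does not export these two symbols the resolver will treat them as missing in whatever way RESOLVEFUNC does for an unresolved name; whether that is a logged warning or a hard failure of q_resolveOpenSslSymbols() is not visible in this hunk. If the build-time headers can be used to decide availability, guarding them the same way as the neighbouring entries would be the consistent choice; otherwise a comment stating that these are optional and the -1/no-op fallbacks are relied upon would help. The body of q_resolveOpenSslSymbols() continues outside the hunk.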
diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
index 744e5e34f9..9f54efddaa 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -753,6 +753,9 @@ void q_SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int
const char *q_SSL_alert_type_string(int value);
const char *q_SSL_alert_desc_string_long(int value);
+int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
+void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
+
QT_END_NAMESPACE
#endif