Ensure weak ciphers are not part of the default SSL configuration.

Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.

Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.

[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.

Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

1 files changed, 17 insertions, 5 deletions

diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 82543fbc91..3162165139 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -589,13 +589,13 @@ void tst_QSslSocket::ciphers()
         return;
 
     QSslSocket socket;
-    QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers());
+    QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers());
     socket.setCiphers(QList<QSslCipher>());
     QVERIFY(socket.ciphers().isEmpty());
     socket.setCiphers(socket.defaultCiphers());
-    QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers());
+    QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers());
     socket.setCiphers(socket.defaultCiphers());
-    QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers());
+    QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers());
 
     // Task 164356
     socket.setCiphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
@@ -678,6 +678,11 @@ void tst_QSslSocket::sessionCipher()
     if (!socket->waitForEncrypted(5000))
         QSKIP("Skipping flaky test - See QTBUG-29941");
     QVERIFY(!socket->sessionCipher().isNull());
+
+    qDebug() << "Supported Ciphers:" << QSslSocket::supportedCiphers();
+    qDebug() << "Default Ciphers:" << QSslSocket::defaultCiphers();
+    qDebug() << "Session Cipher:" << socket->sessionCipher();
+
     QVERIFY(QSslSocket::supportedCiphers().contains(socket->sessionCipher()));
     socket->disconnectFromHost();
     QVERIFY(socket->waitForDisconnected());
@@ -1386,6 +1391,15 @@ void tst_QSslSocket::defaultCaCertificates()
 
 void tst_QSslSocket::defaultCiphers()
 {
+    if (!QSslSocket::supportsSsl())
+        return;
+
+    QList<QSslCipher> ciphers = QSslSocket::defaultCiphers();
+    QVERIFY(ciphers.size() > 1);
+
+    QSslSocket socket;
+    QCOMPARE(socket.defaultCiphers(), ciphers);
+    QCOMPARE(socket.ciphers(), ciphers);
 }
 
 void tst_QSslSocket::resetDefaultCiphers()
@@ -1410,8 +1424,6 @@ void tst_QSslSocket::supportedCiphers()
 
     QSslSocket socket;
     QCOMPARE(socket.supportedCiphers(), ciphers);
-    QCOMPARE(socket.defaultCiphers(), ciphers);
-    QCOMPARE(socket.ciphers(), ciphers);
 }
 
 void tst_QSslSocket::systemCaCertificates()