diff options
-rw-r--r-- | src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp | 2 | ||||
-rw-r--r-- | src/network/ssl/qssl.h | 12 | ||||
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 2 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 3 | ||||
-rw-r--r-- | src/network/ssl/qtlsbackend.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qdtls_openssl.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp | 19 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlsbackend_openssl.cpp | 6 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtls_schannel.cpp | 22 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st.cpp | 18 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/shared/qdtls_base.cpp | 3 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 115 |
14 files changed, 186 insertions, 28 deletions
diff --git a/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp b/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp index b857a57a63..5764029751 100644 --- a/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp +++ b/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp @@ -50,7 +50,7 @@ //! [0] QSslConfiguration config = sslSocket.sslConfiguration(); -config.setProtocol(QSsl::TlsV1_0); +config.setProtocol(QSsl::TlsV1_2); sslSocket.setSslConfiguration(config); //! [0] diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h index ba8dc16d17..e54f886074 100644 --- a/src/network/ssl/qssl.h +++ b/src/network/ssl/qssl.h @@ -73,18 +73,18 @@ namespace QSsl { }; enum SslProtocol { - TlsV1_0, - TlsV1_1, + TlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), + TlsV1_1 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), TlsV1_2, AnyProtocol, SecureProtocols, - TlsV1_0OrLater, - TlsV1_1OrLater, + TlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), + TlsV1_1OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), TlsV1_2OrLater, - DtlsV1_0, - DtlsV1_0OrLater, + DtlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."), + DtlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."), DtlsV1_2, DtlsV1_2OrLater, diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index 916774db04..9684e3477e 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp @@ -107,7 +107,7 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; change the settings in the related SSL connection. You must call setSslConfiguration on a modified QSslConfiguration object to achieve that. The following example illustrates how to change the - protocol to TLSv1_0 in a QSslSocket object: + protocol to TLSv1_2 in a QSslSocket object: \snippet code/src_network_ssl_qsslconfiguration.cpp 0 diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 003bbf0787..0427365b7f 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2092,6 +2092,8 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where) // Should not be used when configuring QSslSocket. protocolName = QLatin1String("UnknownProtocol"); Q_FALLTHROUGH(); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: case QSsl::DtlsV1_2: case QSsl::DtlsV1_0OrLater: @@ -2100,6 +2102,7 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where) setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, QSslSocket::tr("Attempted to use an unsupported protocol.")); return false; +QT_WARNING_POP default: return true; } diff --git a/src/network/ssl/qtlsbackend.cpp b/src/network/ssl/qtlsbackend.cpp index 9733168aab..e4b7a718ef 100644 --- a/src/network/ssl/qtlsbackend.cpp +++ b/src/network/ssl/qtlsbackend.cpp @@ -808,6 +808,8 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int QString protoString = descriptionList.at(1).toString(); ciph.d->protocolString = protoString; ciph.d->protocol = QSsl::UnknownProtocol; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED if (protoString == QLatin1String("TLSv1")) ciph.d->protocol = QSsl::TlsV1_0; else if (protoString == QLatin1String("TLSv1.1")) @@ -816,6 +818,7 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int ciph.d->protocol = QSsl::TlsV1_2; else if (protoString == QLatin1String("TLSv1.3")) ciph.d->protocol = QSsl::TlsV1_3; +QT_WARNING_POP if (descriptionList.at(2).startsWith(QLatin1String("Kx="))) ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3).toString(); diff --git a/src/plugins/tls/openssl/qdtls_openssl.cpp b/src/plugins/tls/openssl/qdtls_openssl.cpp index 55a82f7fd4..d8b850f576 100644 --- a/src/plugins/tls/openssl/qdtls_openssl.cpp +++ b/src/plugins/tls/openssl/qdtls_openssl.cpp @@ -1421,9 +1421,12 @@ void QDtlsPrivateOpenSSL::fetchNegotiatedParameters() // TLS 1.2, that's how it's set by OpenSSL (and that's what they are?). switch (q_SSL_version(dtls.tlsConnection.data())) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case DTLS1_VERSION: sessionProtocol = QSsl::DtlsV1_0; break; +QT_WARNING_POP case DTLS1_2_VERSION: sessionProtocol = QSsl::DtlsV1_2; break; diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index c0afc32e47..dae87374cb 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -102,13 +102,16 @@ long QSslContext::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptio { long options; switch (protocol) { - case QSsl::SecureProtocols: +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; break; case QSsl::TlsV1_1OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; break; +QT_WARNING_POP + case QSsl::SecureProtocols: case QSsl::TlsV1_2OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; break; @@ -363,8 +366,11 @@ void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mo bool isDtls = false; init_context: switch (sslContext->sslConfiguration.protocol()) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: case QSsl::DtlsV1_0OrLater: +QT_WARNING_POP case QSsl::DtlsV1_2: case QSsl::DtlsV1_2OrLater: #if QT_CONFIG(dtls) @@ -419,6 +425,8 @@ init_context: long maxVersion = anyVersion; switch (sslContext->sslConfiguration.protocol()) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0: minVersion = TLS1_VERSION; maxVersion = TLS1_VERSION; @@ -427,6 +435,7 @@ init_context: minVersion = TLS1_1_VERSION; maxVersion = TLS1_1_VERSION; break; +QT_WARNING_POP case QSsl::TlsV1_2: minVersion = TLS1_2_VERSION; maxVersion = TLS1_2_VERSION; @@ -443,7 +452,8 @@ init_context: break; // Ranges: case QSsl::AnyProtocol: - case QSsl::SecureProtocols: +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: minVersion = TLS1_VERSION; maxVersion = 0; @@ -452,10 +462,14 @@ init_context: minVersion = TLS1_1_VERSION; maxVersion = 0; break; +QT_WARNING_POP + case QSsl::SecureProtocols: case QSsl::TlsV1_2OrLater: minVersion = TLS1_2_VERSION; maxVersion = 0; break; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: minVersion = DTLS1_VERSION; maxVersion = DTLS1_VERSION; @@ -464,6 +478,7 @@ init_context: minVersion = DTLS1_VERSION; maxVersion = DTLS_MAX_VERSION; break; +QT_WARNING_POP case QSsl::DtlsV1_2: minVersion = DTLS1_2_VERSION; maxVersion = DTLS1_2_VERSION; diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index 339973f9e9..dbbd9b29a8 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp @@ -1159,10 +1159,13 @@ QSsl::SslProtocol TlsCryptographOpenSSL::sessionProtocol() const const int ver = q_SSL_version(ssl); switch (ver) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case 0x301: return QSsl::TlsV1_0; case 0x302: return QSsl::TlsV1_1; +QT_WARNING_POP case 0x303: return QSsl::TlsV1_2; case 0x304: diff --git a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp index 7711f66bb5..0f364929b3 100644 --- a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp +++ b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp @@ -291,10 +291,13 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; @@ -304,8 +307,11 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const #endif // TLS1_3_VERSION #if QT_CONFIG(dtls) +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::DtlsV1_0; protocols << QSsl::DtlsV1_0OrLater; +QT_WARNING_POP protocols << QSsl::DtlsV1_2; protocols << QSsl::DtlsV1_2OrLater; #endif // dtls diff --git a/src/plugins/tls/schannel/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp index 9973f3ed0e..d1eec00234 100644 --- a/src/plugins/tls/schannel/qtls_schannel.cpp +++ b/src/plugins/tls/schannel/qtls_schannel.cpp @@ -176,8 +176,11 @@ QList<QSslCipher> defaultCiphers() // @temp (I hope), stolen from qsslsocket_winrt.cpp const QString protocolStrings[] = { QStringLiteral("TLSv1"), QStringLiteral("TLSv1.1"), QStringLiteral("TLSv1.2"), QStringLiteral("TLSv1.3") }; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED const QSsl::SslProtocol protocols[] = { QSsl::TlsV1_0, QSsl::TlsV1_1, QSsl::TlsV1_2, QSsl::TlsV1_3 }; +QT_WARNING_POP const int size = ARRAYSIZE(protocols); static_assert(size == ARRAYSIZE(protocolStrings)); ciphers.reserve(size); @@ -264,10 +267,13 @@ QList<QSsl::SslProtocol> QSchannelBackend::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; @@ -430,9 +436,12 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) switch (protocol) { case QSsl::UnknownProtocol: return DWORD(-1); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: - case QSsl::DtlsV1_2: case QSsl::DtlsV1_0OrLater: +QT_WARNING_POP + case QSsl::DtlsV1_2: case QSsl::DtlsV1_2OrLater: return DWORD(-1); // Not supported at the moment (@future) case QSsl::AnyProtocol: @@ -440,12 +449,15 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) if (supportsTls13()) protocols |= SP_PROT_TLS1_3; break; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0: protocols = SP_PROT_TLS1_0; break; case QSsl::TlsV1_1: protocols = SP_PROT_TLS1_1; break; +QT_WARNING_POP case QSsl::TlsV1_2: protocols = SP_PROT_TLS1_2; break; @@ -455,7 +467,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) else protocols = DWORD(-1); break; - case QSsl::SecureProtocols: // TLS v1.0 and later is currently considered secure +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: // For the "OrLater" protocols we fall through from one to the next, adding all of them // in ascending order @@ -464,6 +477,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) case QSsl::TlsV1_1OrLater: protocols |= SP_PROT_TLS1_1; Q_FALLTHROUGH(); +QT_WARNING_POP + case QSsl::SecureProtocols: // TLS v1.2 and later is currently considered secure case QSsl::TlsV1_2OrLater: protocols |= SP_PROT_TLS1_2; Q_FALLTHROUGH(); @@ -504,8 +519,11 @@ QSsl::SslProtocol toQtSslProtocol(DWORD protocol) return q_protocol; \ } +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED MAP_PROTOCOL(SP_PROT_TLS1_0, QSsl::TlsV1_0) MAP_PROTOCOL(SP_PROT_TLS1_1, QSsl::TlsV1_1) +QT_WARNING_POP MAP_PROTOCOL(SP_PROT_TLS1_2, QSsl::TlsV1_2) MAP_PROTOCOL(SP_PROT_TLS1_3, QSsl::TlsV1_3) #undef MAP_PROTOCOL diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp index 6741fbc5b2..3c23d67598 100644 --- a/src/plugins/tls/securetransport/qtls_st.cpp +++ b/src/plugins/tls/securetransport/qtls_st.cpp @@ -439,10 +439,13 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const } switch (protocol) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case kTLSProtocol1: return QSsl::TlsV1_0; case kTLSProtocol11: return QSsl::TlsV1_1; +QT_WARNING_POP case kTLSProtocol12: return QSsl::TlsV1_2; case kTLSProtocol13: @@ -922,6 +925,8 @@ bool TlsCryptographSecureTransport::setSessionProtocol() OSStatus err = errSecSuccess; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED if (configuration.protocol() == QSsl::TlsV1_0) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0"; @@ -936,6 +941,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol() err = SSLSetProtocolVersionMin(context, kTLSProtocol11); if (err == errSecSuccess) err = SSLSetProtocolVersionMax(context, kTLSProtocol11); +QT_WARNING_POP } else if (configuration.protocol() == QSsl::TlsV1_2) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; @@ -950,9 +956,11 @@ bool TlsCryptographSecureTransport::setSessionProtocol() err = SSLSetProtocolVersionMin(context, kTLSProtocol1); } else if (configuration.protocol() == QSsl::SecureProtocols) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2"; + qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; #endif - err = SSLSetProtocolVersionMin(context, kTLSProtocol1); + err = SSLSetProtocolVersionMin(context, kTLSProtocol12); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED } else if (configuration.protocol() == QSsl::TlsV1_0OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2"; @@ -963,6 +971,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol() qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol11); +QT_WARNING_POP } else if (configuration.protocol() == QSsl::TlsV1_2OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; @@ -999,11 +1008,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const if (configuration.protocol() == QSsl::AnyProtocol) protocolOk = true; else if (configuration.protocol() == QSsl::SecureProtocols) - protocolOk = (sessionProtocol() >= QSsl::TlsV1_0); + protocolOk = (sessionProtocol() >= QSsl::TlsV1_2); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED else if (configuration.protocol() == QSsl::TlsV1_0OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_0); else if (configuration.protocol() == QSsl::TlsV1_1OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_1); +QT_WARNING_POP else if (configuration.protocol() == QSsl::TlsV1_2OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_2); else if (configuration.protocol() == QSsl::TlsV1_3OrLater) diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp index 7fc7692350..b84faabcfa 100644 --- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp +++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp @@ -294,10 +294,13 @@ QList<QSsl::SslProtocol> QSecureTransportBackend::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; diff --git a/src/plugins/tls/shared/qdtls_base.cpp b/src/plugins/tls/shared/qdtls_base.cpp index 6a5979eb9e..b27cac11d5 100644 --- a/src/plugins/tls/shared/qdtls_base.cpp +++ b/src/plugins/tls/shared/qdtls_base.cpp @@ -99,8 +99,11 @@ QDtlsBasePrivate::cookieGeneratorParameters() const bool QDtlsBasePrivate::isDtlsProtocol(QSsl::SslProtocol protocol) { switch (protocol) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: case QSsl::DtlsV1_0OrLater: +QT_WARNING_POP case QSsl::DtlsV1_2: case QSsl::DtlsV1_2OrLater: return true; diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index d37a062bfe..475217b046 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -825,6 +825,13 @@ void tst_QSslSocket::simpleConnect() return; QSslSocket socket; + + // Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above + // QTQAINFRA-4499 + QSslConfiguration config = socket.sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + socket.setSslConfiguration(config); + QSignalSpy connectedSpy(&socket, SIGNAL(connected())); QSignalSpy hostFoundSpy(&socket, SIGNAL(hostFound())); QSignalSpy disconnectedSpy(&socket, SIGNAL(disconnected())); @@ -887,6 +894,12 @@ void tst_QSslSocket::simpleConnectWithIgnore() QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted())); QSignalSpy sslErrorsSpy(&socket, SIGNAL(sslErrors(QList<QSslError>))); + // Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above + // QTQAINFRA-4499 + QSslConfiguration config = socket.sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + socket.setSslConfiguration(config); + connect(&socket, SIGNAL(readyRead()), this, SLOT(exitLoop())); connect(&socket, SIGNAL(encrypted()), this, SLOT(exitLoop())); connect(&socket, SIGNAL(connected()), this, SLOT(exitLoop())); @@ -936,10 +949,12 @@ void tst_QSslSocket::sslErrors() QFETCH(int, port); QSslSocketPtr socket = newSocket(); - if (isTestingSchannel) { - // Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server - socket->setProtocol(QSsl::SslProtocol::TlsV1_0); - } + + // Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above + // QTQAINFRA-4499 + QSslConfiguration config = socket->sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + socket->setSslConfiguration(config); QSignalSpy sslErrorsSpy(socket.data(), SIGNAL(sslErrors(QList<QSslError>))); QSignalSpy peerVerifyErrorSpy(socket.data(), SIGNAL(peerVerifyError(QSslError))); @@ -1438,7 +1453,7 @@ public: config(QSslConfiguration::defaultConfiguration()), ignoreSslErrors(true), peerVerifyMode(QSslSocket::AutoVerifyPeer), - protocol(QSsl::TlsV1_0), + protocol(QSsl::SecureProtocols), m_keyFile(keyFile), m_certFile(certFile), m_interFile(interFile) @@ -1460,6 +1475,7 @@ signals: void handshakeInterruptedOnError(const QSslError& rrror); void gotAlert(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message); void alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message); + void socketEncrypted(QSslSocket *); protected: void incomingConnection(qintptr socketDescriptor) override @@ -1477,6 +1493,7 @@ protected: connect(socket, &QSslSocket::alertReceived, this, &SslServer::gotAlert); connect(socket, &QSslSocket::alertSent, this, &SslServer::alertSent); connect(socket, &QSslSocket::preSharedKeyAuthenticationRequired, this, &SslServer::preSharedKeyAuthenticationRequired); + connect(socket, &QSslSocket::encrypted, this, [this](){ emit socketEncrypted(socket); }); QFile file(m_keyFile); QVERIFY(file.open(QIODevice::ReadOnly)); @@ -1545,10 +1562,10 @@ void tst_QSslSocket::protocolServerSide_data() QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true; QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true; - QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true; + QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << false; QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true; - QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << true; + QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << false; QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true; QTest::newRow("tls1.0orlater-tls1.0") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_0 << true; @@ -1646,6 +1663,7 @@ void tst_QSslSocket::serverCipherPreferences() // First using the default (server preference) { SslServer server; + server.protocol = QSsl::TlsV1_0; server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")}; QVERIFY(server.listen()); @@ -1656,6 +1674,7 @@ void tst_QSslSocket::serverCipherPreferences() socket = &client; auto sslConfig = socket->sslConfiguration(); + sslConfig.setProtocol(QSsl::TlsV1_0OrLater); sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")}); socket->setSslConfiguration(sslConfig); @@ -1678,6 +1697,7 @@ void tst_QSslSocket::serverCipherPreferences() QSslConfiguration config = QSslConfiguration::defaultConfiguration(); config.setSslOption(QSsl::SslOptionDisableServerCipherPreference, true); server.config = config; + server.protocol = QSsl::TlsV1_0OrLater; server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")}; QVERIFY(server.listen()); @@ -1688,6 +1708,7 @@ void tst_QSslSocket::serverCipherPreferences() socket = &client; auto sslConfig = socket->sslConfiguration(); + sslConfig.setProtocol(QSsl::TlsV1_0); sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")}); socket->setSslConfiguration(sslConfig); @@ -1934,6 +1955,12 @@ void tst_QSslSocket::waitForConnectedEncryptedReadyRead() QSslSocketPtr socket = newSocket(); this->socket = socket.data(); + // Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above + // QTQAINFRA-4499 + QSslConfiguration config = socket->sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + socket->setSslConfiguration(config); + connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993); @@ -2212,8 +2239,17 @@ void tst_QSslSocket::spontaneousWrite() receiver->startClientEncryption(); // SSL handshake: - connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop())); + // Need to wait for both sides to emit encrypted as the ordering of which + // ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3 + int waitFor = 2; + auto earlyQuitter = [&waitFor]() { + if (!--waitFor) + exitLoop(); + }; + connect(receiver, &QSslSocket::encrypted, this, earlyQuitter); + connect(sender, &QSslSocket::encrypted, this, earlyQuitter); enterLoop(1); + QVERIFY(!timeout()); QVERIFY(sender->isEncrypted()); QVERIFY(receiver->isEncrypted()); @@ -2256,9 +2292,21 @@ void tst_QSslSocket::setReadBufferSize() receiver->ignoreSslErrors(); receiver->startClientEncryption(); - // SSL handshake: - connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop())); + // Need to wait for both sides to emit encrypted as the ordering of which + // ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3 + int waitFor = 2; + auto earlyQuitter = [&waitFor]() { + if (!--waitFor) + exitLoop(); + }; + connect(receiver, &QSslSocket::encrypted, this, earlyQuitter); + connect(sender, &QSslSocket::encrypted, this, earlyQuitter); + enterLoop(1); + if (!sender->isEncrypted()) { + connect(sender, &QSslSocket::encrypted, this, &tst_QSslSocket::exitLoop); + enterLoop(1); + } QVERIFY(!timeout()); QVERIFY(sender->isEncrypted()); QVERIFY(receiver->isEncrypted()); @@ -3082,6 +3130,12 @@ void tst_QSslSocket::resume() QSslSocket socket; socket.setPauseMode(QAbstractSocket::PauseOnSslErrors); + // Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above + // QTQAINFRA-4499 + QSslConfiguration config = socket.sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + socket.setSslConfiguration(config); + QSignalSpy sslErrorSpy(&socket, SIGNAL(sslErrors(QList<QSslError>))); QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted())); QSignalSpy errorSpy(&socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError))); @@ -3414,6 +3468,7 @@ void tst_QSslSocket::dhServerCustomParamsNull() SslServer server; server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; + server.protocol = QSsl::TlsV1_0; QSslConfiguration cfg = server.config; cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters()); @@ -3425,6 +3480,9 @@ void tst_QSslSocket::dhServerCustomParamsNull() QTimer::singleShot(5000, &loop, SLOT(quit())); QSslSocket client; + QSslConfiguration config = client.sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0); + client.setSslConfiguration(config); socket = &client; connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit())); connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); @@ -3606,6 +3664,7 @@ void tst_QSslSocket::verifyClientCertificate() } SslServer server; + server.protocol = QSsl::TlsV1_0; server.addCaCertificates = testDataDir + "certs/bogus-ca.crt"; server.ignoreSslErrors = false; server.peerVerifyMode = peerVerifyMode; @@ -3619,6 +3678,9 @@ void tst_QSslSocket::verifyClientCertificate() QSslSocket client; client.setLocalCertificateChain(clientCerts); client.setPrivateKey(clientKey); + QSslConfiguration config = client.sslConfiguration(); + config.setProtocol(QSsl::TlsV1_0OrLater); + client.setSslConfiguration(config); socket = &client; connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); @@ -3696,11 +3758,19 @@ void tst_QSslSocket::readBufferMaxSize() socket = client.data(); connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit())); connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit())); client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort()); + int waitFor = 2; + auto earlyQuitter = [&loop, &waitFor]() { + if (!--waitFor) + loop.exit(); + }; + + connect(socket, &QSslSocket::encrypted, &loop, earlyQuitter); + connect(&server, &SslServer::socketEncrypted, &loop, earlyQuitter); + // Wait for 'encrypted' first: QTimer::singleShot(5000, &loop, SLOT(quit())); loop.exec(); @@ -3786,7 +3856,17 @@ void tst_QSslSocket::allowedProtocolNegotiation() QEventLoop loop; QTimer::singleShot(5000, &loop, SLOT(quit())); - connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit())); + + // Need to wait for both sides to emit encrypted as the ordering of which + // ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3 + int waitFor = 2; + auto earlyQuitter = [&loop, &waitFor]() { + if (!--waitFor) + loop.exit(); + }; + connect(&clientSocket, &QSslSocket::encrypted, &loop, earlyQuitter); + connect(server.socket, &QSslSocket::encrypted, &loop, earlyQuitter); + loop.exec(); QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == @@ -3852,7 +3932,7 @@ public: config(QSslConfiguration::defaultConfiguration()), ignoreSslErrors(true), peerVerifyMode(QSslSocket::AutoVerifyPeer), - protocol(QSsl::TlsV1_0), + protocol(QSsl::TlsV1_2), m_pskProvider() { m_pskProvider.m_server = true; @@ -4622,6 +4702,15 @@ void tst_QSslSocket::alertMissingCertificate() runner.enterLoopMSecs(1000); + if (clientSocket.isEncrypted()) { + // When using TLS 1.3 the client side thinks it is connected very + // quickly, before the server has finished processing. So wait for the + // inevitable disconnect. + QCOMPARE(clientSocket.sessionProtocol(), QSsl::TlsV1_3); + connect(&clientSocket, &QSslSocket::disconnected, &runner, &QTestEventLoop::exitLoop); + runner.enterLoopMSecs(10000); + } + QVERIFY(serverSpy.count() > 0); QVERIFY(clientSpy.count() > 0); QVERIFY(server.socket && !server.socket->isEncrypted()); |