1 files changed, 170 insertions, 171 deletions
diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp
index 306f184f25..48b7f3364f 100644
--- a/src/plugins/tls/securetransport/qtls_st.cpp
+++ b/src/plugins/tls/securetransport/qtls_st.cpp
@@ -1,42 +1,6 @@
-/****************************************************************************
-**
-** Copyright (C) 2021 The Qt Company Ltd.
-** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
-** Contact: https://www.qt.io/licensing/
-**
-** This file is part of the QtNetwork module of the Qt Toolkit.
-**
-** $QT_BEGIN_LICENSE:LGPL$
-** Commercial License Usage
-** Licensees holding valid commercial Qt licenses may use this file in
-** accordance with the commercial license agreement provided with the
-** Software or, alternatively, in accordance with the terms contained in
-** a written agreement between you and The Qt Company. For licensing terms
-** and conditions see https://www.qt.io/terms-conditions. For further
-** information use the contact form at https://www.qt.io/contact-us.
-**
-** GNU Lesser General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU Lesser
-** General Public License version 3 as published by the Free Software
-** Foundation and appearing in the file LICENSE.LGPL3 included in the
-** packaging of this file. Please review the following information to
-** ensure the GNU Lesser General Public License version 3 requirements
-** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
-**
-** GNU General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU
-** General Public License version 2.0 or (at your option) the GNU General
-** Public license version 3 or any later version approved by the KDE Free
-** Qt Foundation. The licenses are as published by the Free Software
-** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
-** included in the packaging of this file. Please review the following
-** information to ensure the GNU General Public License requirements will
-** be met: https://www.gnu.org/licenses/gpl-2.0.html and
-** https://www.gnu.org/licenses/gpl-3.0.html.
-**
-** $QT_END_LICENSE$
-**
-****************************************************************************/
+// Copyright (C) 2021 The Qt Company Ltd.
+// Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 #include "qtls_st_p.h"
 #include "qtlsbackend_st_p.h"
@@ -76,6 +40,8 @@
 
 QT_BEGIN_NAMESPACE
 
+using namespace Qt::StringLiterals;
+
 // Defined in qsslsocket_qt.cpp.
 QByteArray _q_makePkcs12(const QList<QSslCertificate> &certs, const QSslKey &key,
                          const QString &passPhrase);
@@ -109,7 +75,7 @@ EphemeralSecKeychain::EphemeralSecKeychain()
 {
     const auto uuid = QUuid::createUuid();
     if (uuid.isNull()) {
-        qCWarning(lcTlsBackend) << "Failed to create a unique keychain name";
+        qCWarning(lcSecureTransport) << "Failed to create a unique keychain name";
         return;
     }
 
@@ -117,10 +83,10 @@ EphemeralSecKeychain::EphemeralSecKeychain()
     Q_ASSERT(uuidAsByteArray.size() > 2);
     Q_ASSERT(uuidAsByteArray.startsWith('{'));
     Q_ASSERT(uuidAsByteArray.endsWith('}'));
-    const auto uuidAsString = QLatin1String(uuidAsByteArray.data(), uuidAsByteArray.size()).mid(1, uuidAsByteArray.size() - 2);
+    const auto uuidAsString = QLatin1StringView(uuidAsByteArray.data(), uuidAsByteArray.size()).mid(1, uuidAsByteArray.size() - 2);
 
     const QString keychainName
-            = QDir::tempPath() + QDir::separator() + uuidAsString + QLatin1String(".keychain");
+            = QDir::tempPath() + QDir::separator() + uuidAsString + ".keychain"_L1;
     // SecKeychainCreate, pathName parameter:
     //
     // "A constant character string representing the POSIX path indicating where
@@ -136,14 +102,14 @@ EphemeralSecKeychain::EphemeralSecKeychain()
     const auto ok = CFStringGetFileSystemRepresentation(cfName, &posixPath[0],
                                                         CFIndex(posixPath.size()));
     if (!ok) {
-        qCWarning(lcTlsBackend) << "Failed to create a unique keychain name from"
-                                << "QDir::tempPath()";
+        qCWarning(lcSecureTransport) << "Failed to create a unique keychain name from"
+                                     << "QDir::tempPath()";
         return;
     }
 
     std::vector<uint8_t> passUtf8(256);
     if (SecRandomCopyBytes(kSecRandomDefault, passUtf8.size(), &passUtf8[0])) {
-        qCWarning(lcTlsBackend) << "SecRandomCopyBytes: failed to create a key";
+        qCWarning(lcSecureTransport) << "SecRandomCopyBytes: failed to create a key";
         return;
     }
 
@@ -151,7 +117,7 @@ EphemeralSecKeychain::EphemeralSecKeychain()
                                               &passUtf8[0], FALSE, nullptr,
                                               &keychain);
     if (status != errSecSuccess || !keychain) {
-        qCWarning(lcTlsBackend) << "SecKeychainCreate: failed to create a custom keychain";
+        qCWarning(lcSecureTransport) << "SecKeychainCreate: failed to create a custom keychain";
         if (keychain) {
             SecKeychainDelete(keychain);
             CFRelease(keychain);
@@ -166,13 +132,13 @@ EphemeralSecKeychain::EphemeralSecKeychain()
         // == false, set interval to INT_MAX to never lock ...
         settings.lockInterval = INT_MAX;
         if (SecKeychainSetSettings(keychain, &settings) != errSecSuccess)
-            qCWarning(lcTlsBackend) << "SecKeychainSettings: failed to disable lock on sleep";
+            qCWarning(lcSecureTransport) << "SecKeychainSettings: failed to disable lock on sleep";
     }
 
 #ifdef QSSLSOCKET_DEBUG
     if (keychain) {
-        qCDebug(lcTlsBackend) << "Custom keychain with name" << keychainName << "was created"
-                              << "successfully";
+        qCDebug(lcSecureTransport) << "Custom keychain with name" << keychainName << "was created"
+                                   << "successfully";
     }
 #endif
 }
@@ -204,7 +170,7 @@ SSLContextRef qt_createSecureTransportContext(QSslSocket::SslMode mode)
     // We never use kSSLDatagramType, so it's kSSLStreamType unconditionally.
     SSLContextRef context = SSLCreateContext(nullptr, side, kSSLStreamType);
     if (!context)
-        qCWarning(lcTlsBackend) << "SSLCreateContext failed";
+        qCWarning(lcSecureTransport) << "SSLCreateContext failed";
     return context;
 }
 
@@ -280,14 +246,14 @@ OSStatus TlsCryptographSecureTransport::ReadCallback(TlsCryptographSecureTranspo
 
     const qint64 bytes = plainSocket->read(data, *dataLength);
 #ifdef QSSLSOCKET_DEBUG
-    qCDebug(lcTlsBackend) << plainSocket << "read" << bytes;
+    qCDebug(lcSecureTransport) << plainSocket << "read" << bytes;
 #endif
     if (bytes < 0) {
         *dataLength = 0;
         return errSecIO;
     }
 
-    const OSStatus err = (size_t(bytes) < *dataLength) ? errSSLWouldBlock : errSecSuccess;
+    const OSStatus err = (size_t(bytes) < *dataLength) ? OSStatus(errSSLWouldBlock) : OSStatus(errSecSuccess);
     *dataLength = bytes;
 
     return err;
@@ -306,14 +272,14 @@ OSStatus TlsCryptographSecureTransport::WriteCallback(TlsCryptographSecureTransp
 
     const qint64 bytes = plainSocket->write(data, *dataLength);
 #ifdef QSSLSOCKET_DEBUG
-    qCDebug(lcTlsBackend) << plainSocket << "write" << bytes;
+    qCDebug(lcSecureTransport) << plainSocket << "write" << bytes;
 #endif
     if (bytes < 0) {
         *dataLength = 0;
         return errSecIO;
     }
 
-    const OSStatus err = (size_t(bytes) < *dataLength) ? errSSLWouldBlock : errSecSuccess;
+    const OSStatus err = (size_t(bytes) < *dataLength) ? OSStatus(errSSLWouldBlock) : OSStatus(errSecSuccess);
     *dataLength = bytes;
 
     return err;
@@ -346,45 +312,41 @@ void TlsCryptographSecureTransport::continueHandshake()
     Q_ASSERT(d);
     d->setEncrypted(true);
 #ifdef QSSLSOCKET_DEBUG
-    qCDebug(lcTlsBackend) << d->plainTcpSocket() << "connection encrypted";
+    qCDebug(lcSecureTransport) << d->plainTcpSocket() << "connection encrypted";
 #endif
 
-#if QT_DARWIN_PLATFORM_SDK_EQUAL_OR_ABOVE(__MAC_10_13_4, __IPHONE_11_0, __TVOS_11_0, __WATCHOS_4_0)
     // Unlike OpenSSL, Secure Transport does not allow to negotiate protocols via
     // a callback during handshake. We can only set our list of preferred protocols
     // (and send it during handshake) and then receive what our peer has sent to us.
     // And here we can finally try to find a match (if any).
     const auto &configuration = q->sslConfiguration();
-    if (__builtin_available(macOS 10.13, iOS 11.0, tvOS 11.0, watchOS 4.0, *)) {
-        const auto &requestedProtocols = configuration.allowedNextProtocols();
-        if (const int requestedCount = requestedProtocols.size()) {
-            QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNone);
-            QTlsBackend::setNegotiatedProtocol(d, {});
-
-            QCFType<CFArrayRef> cfArray;
-            const OSStatus result = SSLCopyALPNProtocols(context, &cfArray);
-            if (result == errSecSuccess && cfArray && CFArrayGetCount(cfArray)) {
-                const int size = CFArrayGetCount(cfArray);
-                QList<QString> peerProtocols(size);
-                for (int i = 0; i < size; ++i)
-                    peerProtocols[i] = QString::fromCFString((CFStringRef)CFArrayGetValueAtIndex(cfArray, i));
-
-                for (int i = 0; i < requestedCount; ++i) {
-                    const auto requestedName = QString::fromLatin1(requestedProtocols[i]);
-                    for (int j = 0; j < size; ++j) {
-                        if (requestedName == peerProtocols[j]) {
-                            QTlsBackend::setNegotiatedProtocol(d, requestedName.toLatin1());
-                            QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNegotiated);
-                            break;
-                        }
-                    }
-                    if (configuration.nextProtocolNegotiationStatus() == QSslConfiguration::NextProtocolNegotiationNegotiated)
+    const auto &requestedProtocols = configuration.allowedNextProtocols();
+    if (const int requestedCount = requestedProtocols.size()) {
+        QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNone);
+        QTlsBackend::setNegotiatedProtocol(d, {});
+
+        QCFType<CFArrayRef> cfArray;
+        const OSStatus result = SSLCopyALPNProtocols(context, &cfArray);
+        if (result == errSecSuccess && cfArray && CFArrayGetCount(cfArray)) {
+            const int size = CFArrayGetCount(cfArray);
+            QList<QString> peerProtocols(size);
+            for (int i = 0; i < size; ++i)
+                peerProtocols[i] = QString::fromCFString((CFStringRef)CFArrayGetValueAtIndex(cfArray, i));
+
+            for (int i = 0; i < requestedCount; ++i) {
+                const auto requestedName = QString::fromLatin1(requestedProtocols[i]);
+                for (int j = 0; j < size; ++j) {
+                    if (requestedName == peerProtocols[j]) {
+                        QTlsBackend::setNegotiatedProtocol(d, requestedName.toLatin1());
+                        QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNegotiated);
                         break;
+                    }
                 }
+                if (configuration.nextProtocolNegotiationStatus() == QSslConfiguration::NextProtocolNegotiationNegotiated)
+                    break;
             }
         }
     }
-#endif // QT_DARWIN_PLATFORM_SDK_EQUAL_OR_ABOVE
 
     if (!renegotiating)
         emit q->encrypted();
@@ -398,6 +360,7 @@ void TlsCryptographSecureTransport::continueHandshake()
 void TlsCryptographSecureTransport::disconnected()
 {
     Q_ASSERT(d && d->plainTcpSocket());
+    d->setEncrypted(false);
     if (d->plainTcpSocket()->bytesAvailable() <= 0)
         destroySslContext();
     // If there is still buffered data in the plain socket, don't destroy the ssl context yet.
@@ -410,6 +373,7 @@ void TlsCryptographSecureTransport::disconnectFromHost()
     if (context) {
         if (!shutdown) {
             SSLClose(context);
+            context.reset(nullptr);
             shutdown = true;
         }
     }
@@ -433,15 +397,18 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const
     SSLProtocol protocol = kSSLProtocolUnknown;
     const OSStatus err = SSLGetNegotiatedProtocolVersion(context, &protocol);
     if (err != errSecSuccess) {
-        qCWarning(lcTlsBackend) << "SSLGetNegotiatedProtocolVersion failed:" << err;
+        qCWarning(lcSecureTransport) << "SSLGetNegotiatedProtocolVersion failed:" << err;
         return QSsl::UnknownProtocol;
     }
 
     switch (protocol) {
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
     case kTLSProtocol1:
         return QSsl::TlsV1_0;
     case kTLSProtocol11:
         return QSsl::TlsV1_1;
+QT_WARNING_POP
     case kTLSProtocol12:
         return QSsl::TlsV1_2;
     case kTLSProtocol13:
@@ -499,7 +466,7 @@ void TlsCryptographSecureTransport::transmit()
             size_t writtenBytes = 0;
             const OSStatus err = SSLWrite(context, writeBuffer.readPointer(), nextDataBlockSize, &writtenBytes);
 #ifdef QSSLSOCKET_DEBUG
-            qCDebug(lcTlsBackend) << d->plainTcpSocket() << "SSLWrite returned" << err;
+            qCDebug(lcSecureTransport) << d->plainTcpSocket() << "SSLWrite returned" << err;
 #endif
             if (err != errSecSuccess && err != errSSLWouldBlock) {
                 setErrorAndEmit(d, QAbstractSocket::SslInternalError,
@@ -537,7 +504,7 @@ void TlsCryptographSecureTransport::transmit()
             data.resize(4096);
             const OSStatus err = SSLRead(context, data.data(), data.size(), &readBytes);
 #ifdef QSSLSOCKET_DEBUG
-            qCDebug(lcTlsBackend) << d->plainTcpSocket() << "SSLRead returned" << err;
+            qCDebug(lcSecureTransport) << d->plainTcpSocket() << "SSLRead returned" << err;
 #endif
             if (err == errSSLClosedGraceful) {
                 shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves
@@ -571,80 +538,109 @@ void TlsCryptographSecureTransport::transmit()
 
 SSLCipherSuite TlsCryptographSecureTransport::SSLCipherSuite_from_QSslCipher(const QSslCipher &ciph)
 {
-    if (ciph.name() == QLatin1String("AES128-SHA"))
+    if (ciph.name() == "AES128-SHA"_L1)
         return TLS_RSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("DHE-RSA-AES128-SHA"))
+    if (ciph.name() == "DHE-RSA-AES128-SHA"_L1)
         return TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("AES256-SHA"))
+    if (ciph.name() == "AES256-SHA"_L1)
         return TLS_RSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("DHE-RSA-AES256-SHA"))
+    if (ciph.name() == "DHE-RSA-AES256-SHA"_L1)
         return TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-NULL-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-NULL-SHA"_L1)
         return TLS_ECDH_ECDSA_WITH_NULL_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-RC4-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-RC4-SHA"_L1)
         return TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-DES-CBC3-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-DES-CBC3-SHA"_L1)
         return TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-AES128-SHA"_L1)
         return TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-AES256-SHA"_L1)
         return TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-RC4-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-RC4-SHA"_L1)
         return TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-DES-CBC3-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-DES-CBC3-SHA"_L1)
         return TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-AES128-SHA"_L1)
         return TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-SHA"))
+    if (ciph.name() == "ECDH-ECDSA-AES256-SHA"_L1)
         return TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-NULL-SHA"))
+    if (ciph.name() == "ECDH-RSA-NULL-SHA"_L1)
         return TLS_ECDH_RSA_WITH_NULL_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-RC4-SHA"))
+    if (ciph.name() == "ECDH-RSA-RC4-SHA"_L1)
         return TLS_ECDH_RSA_WITH_RC4_128_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-DES-CBC3-SHA"))
+    if (ciph.name() == "ECDH-RSA-DES-CBC3-SHA"_L1)
         return TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-AES128-SHA"))
+    if (ciph.name() == "ECDH-RSA-AES128-SHA"_L1)
         return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-AES256-SHA"))
+    if (ciph.name() == "ECDH-RSA-AES256-SHA"_L1)
         return TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-RC4-SHA"))
+    if (ciph.name() == "ECDH-RSA-RC4-SHA"_L1)
         return TLS_ECDHE_RSA_WITH_RC4_128_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-DES-CBC3-SHA"))
+    if (ciph.name() == "ECDH-RSA-DES-CBC3-SHA"_L1)
         return TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-AES128-SHA"))
+    if (ciph.name() == "ECDH-RSA-AES128-SHA"_L1)
         return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
-    if (ciph.name() == QLatin1String("ECDH-RSA-AES256-SHA"))
+    if (ciph.name() == "ECDH-RSA-AES256-SHA"_L1)
         return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
-    if (ciph.name() == QLatin1String("DES-CBC3-SHA"))
+    if (ciph.name() == "DES-CBC3-SHA"_L1)
         return TLS_RSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("AES128-SHA256"))
+    if (ciph.name() == "AES128-SHA256"_L1)
         return TLS_RSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("AES256-SHA256"))
+    if (ciph.name() == "AES256-SHA256"_L1)
         return TLS_RSA_WITH_AES_256_CBC_SHA256;
-    if (ciph.name() == QLatin1String("DHE-RSA-DES-CBC3-SHA"))
+    if (ciph.name() == "DHE-RSA-DES-CBC3-SHA"_L1)
         return TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
-    if (ciph.name() == QLatin1String("DHE-RSA-AES128-SHA256"))
+    if (ciph.name() == "DHE-RSA-AES128-SHA256"_L1)
         return TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("DHE-RSA-AES256-SHA256"))
+    if (ciph.name() == "DHE-RSA-AES256-SHA256"_L1)
         return TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
-    if (ciph.name() == QLatin1String("AES256-GCM-SHA384"))
+    if (ciph.name() == "AES256-GCM-SHA384"_L1)
         return TLS_RSA_WITH_AES_256_GCM_SHA384;
-    if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES128-SHA256"))
+    if (ciph.name() == "ECDHE-ECDSA-AES128-SHA256"_L1)
         return TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES256-SHA384"))
+    if (ciph.name() == "ECDHE-ECDSA-AES256-SHA384"_L1)
         return TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-SHA256"))
+    if (ciph.name() == "ECDH-ECDSA-AES128-SHA256"_L1)
         return TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-SHA384"))
+    if (ciph.name() == "ECDH-ECDSA-AES256-SHA384"_L1)
         return TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384;
-    if (ciph.name() == QLatin1String("ECDHE-RSA-AES128-SHA256"))
+    if (ciph.name() == "ECDHE-RSA-AES128-SHA256"_L1)
         return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-SHA384"))
+    if (ciph.name() == "ECDHE-RSA-AES256-SHA384"_L1)
         return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
-    if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-SHA384"))
+    if (ciph.name() == "ECDHE-RSA-AES256-SHA384"_L1)
         return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
-    if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-GCM-SHA384"))
+    if (ciph.name() == "ECDHE-RSA-AES256-GCM-SHA384"_L1)
         return TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == "AES128-GCM-SHA256"_L1)
+        return TLS_AES_128_GCM_SHA256;
+    if (ciph.name() == "AES256-GCM-SHA384"_L1)
+        return TLS_AES_256_GCM_SHA384;
+    if (ciph.name() == "CHACHA20-POLY1305-SHA256"_L1)
+        return TLS_CHACHA20_POLY1305_SHA256;
+    if (ciph.name() == "AES128-CCM-SHA256"_L1)
+        return TLS_AES_128_CCM_SHA256;
+    if (ciph.name() == "AES128-CCM8-SHA256"_L1)
+        return TLS_AES_128_CCM_8_SHA256;
+    if (ciph.name() == "ECDHE-ECDSA-AES128-GCM-SHA256"_L1)
+        return TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == "ECDHE-ECDSA-AES256-GCM-SHA384"_L1)
+        return TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == "ECDH-ECDSA-AES128-GCM-SHA256"_L1)
+        return TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == "ECDH-ECDSA-AES256-GCM-SHA384"_L1)
+        return TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == "ECDHE-RSA-AES128-GCM-SHA256"_L1)
+        return TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == "ECDH-RSA-AES128-GCM-SHA256"_L1)
+        return TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == "ECDH-RSA-AES256-GCM-SHA384"_L1)
+        return TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == "ECDHE-RSA-CHACHA20-POLY1305-SHA256"_L1)
+        return TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+    if (ciph.name() == "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"_L1)
+        return TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
+
     return 0;
 }
 
@@ -695,35 +691,31 @@ bool TlsCryptographSecureTransport::initSslContext()
         return false;
     }
 
-#if QT_DARWIN_PLATFORM_SDK_EQUAL_OR_ABOVE(__MAC_10_13_4, __IPHONE_11_0, __TVOS_11_0, __WATCHOS_4_0)
-    if (__builtin_available(macOS 10.13, iOS 11.0, tvOS 11.0, watchOS 4.0, *)) {
-        const auto protocolNames = configuration.allowedNextProtocols();
-        QCFType<CFMutableArrayRef> cfNames(CFArrayCreateMutable(nullptr, 0, &kCFTypeArrayCallBacks));
-        if (cfNames) {
-            for (const QByteArray &name : protocolNames) {
-                if (name.size() > 255) {
-                    qCWarning(lcTlsBackend) << "TLS ALPN extension" << name
-                                            << "is too long and will be ignored.";
-                    continue;
-                } else if (name.isEmpty()) {
-                    continue;
-                }
-                QCFString cfName(QString::fromLatin1(name).toCFString());
-                CFArrayAppendValue(cfNames, cfName);
+    const auto protocolNames = configuration.allowedNextProtocols();
+    QCFType<CFMutableArrayRef> cfNames(CFArrayCreateMutable(nullptr, 0, &kCFTypeArrayCallBacks));
+    if (cfNames) {
+        for (const QByteArray &name : protocolNames) {
+            if (name.size() > 255) {
+                qCWarning(lcSecureTransport) << "TLS ALPN extension" << name
+                                             << "is too long and will be ignored.";
+                continue;
+            } else if (name.isEmpty()) {
+                continue;
             }
+            QCFString cfName(QString::fromLatin1(name).toCFString());
+            CFArrayAppendValue(cfNames, cfName);
+        }
 
-            if (CFArrayGetCount(cfNames)) {
-                // Up to the application layer to check that negotiation
-                // failed, and handle this non-TLS error, we do not handle
-                // the result of this call as an error:
-                if (SSLSetALPNProtocols(context, cfNames) != errSecSuccess)
-                    qCWarning(lcTlsBackend) << "SSLSetALPNProtocols failed - too long protocol names?";
-            }
-        } else {
-            qCWarning(lcTlsBackend) << "failed to allocate ALPN names array";
+        if (CFArrayGetCount(cfNames)) {
+            // Up to the application layer to check that negotiation
+            // failed, and handle this non-TLS error, we do not handle
+            // the result of this call as an error:
+            if (SSLSetALPNProtocols(context, cfNames) != errSecSuccess)
+                qCWarning(lcSecureTransport) << "SSLSetALPNProtocols failed - too long protocol names?";
         }
+    } else {
+        qCWarning(lcSecureTransport) << "failed to allocate ALPN names array";
     }
-#endif // QT_DARWIN_PLATFORM_SDK_EQUAL_OR_ABOVE
 
     if (mode == QSslSocket::SslClientMode) {
         // enable Server Name Indication (SNI)
@@ -775,12 +767,12 @@ bool TlsCryptographSecureTransport::initSslContext()
                 cfCiphers << sslCipher;
         }
         if (cfCiphers.size() == 0) {
-            qCWarning(lcTlsBackend) << "failed to add any of the requested ciphers from the configuration";
+            qCWarning(lcSecureTransport) << "failed to add any of the requested ciphers from the configuration";
             return false;
         }
         OSStatus err = SSLSetEnabledCiphers(context, cfCiphers.data(), cfCiphers.size());
         if (err != errSecSuccess) {
-            qCWarning(lcTlsBackend) << "failed to set the ciphers from the configuration";
+            qCWarning(lcSecureTransport) << "failed to set the ciphers from the configuration";
             return false;
         }
     }
@@ -842,8 +834,8 @@ bool TlsCryptographSecureTransport::setSessionCertificate(QString &errorDescript
         OSStatus err = SecPKCS12Import(pkcs12, options, &items);
         if (err != errSecSuccess) {
 #ifdef QSSLSOCKET_DEBUG
-            qCWarning(lcTlsBackend) << plainSocket
-                                    << QStringLiteral("SecPKCS12Import failed: %1").arg(err);
+            qCWarning(lcSecureTransport) << plainSocket
+                                         << QStringLiteral("SecPKCS12Import failed: %1").arg(err);
 #endif
             errorCode = QAbstractSocket::SslInvalidUserDataError;
             errorDescription = QStringLiteral("SecPKCS12Import failed: %1").arg(err);
@@ -852,7 +844,7 @@ bool TlsCryptographSecureTransport::setSessionCertificate(QString &errorDescript
 
         if (!CFArrayGetCount(items)) {
 #ifdef QSSLSOCKET_DEBUG
-            qCWarning(lcTlsBackend) << plainSocket << "SecPKCS12Import returned no items";
+            qCWarning(lcSecureTransport) << plainSocket << "SecPKCS12Import returned no items";
 #endif
             errorCode = QAbstractSocket::SslInvalidUserDataError;
             errorDescription = QStringLiteral("SecPKCS12Import returned no items");
@@ -863,7 +855,7 @@ bool TlsCryptographSecureTransport::setSessionCertificate(QString &errorDescript
         SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(import, kSecImportItemIdentity);
         if (!identity) {
 #ifdef QSSLSOCKET_DEBUG
-            qCWarning(lcTlsBackend) << plainSocket << "SecPKCS12Import returned no identity";
+            qCWarning(lcSecureTransport) << plainSocket << "SecPKCS12Import returned no identity";
 #endif
             errorCode = QAbstractSocket::SslInvalidUserDataError;
             errorDescription = QStringLiteral("SecPKCS12Import returned no identity");
@@ -888,8 +880,8 @@ bool TlsCryptographSecureTransport::setSessionCertificate(QString &errorDescript
         err = SSLSetCertificate(context, certs);
         if (err != errSecSuccess) {
 #ifdef QSSLSOCKET_DEBUG
-            qCWarning(lcTlsBackend)
-                    << plainSocket << QStringLiteral("Cannot set certificate and key: %1").arg(err);
+            qCWarning(lcSecureTransport) << plainSocket
+                                         << QStringLiteral("Cannot set certificate and key: %1").arg(err);
 #endif
             errorCode = QAbstractSocket::SslInvalidUserDataError;
             errorDescription = QStringLiteral("Cannot set certificate and key: %1").arg(err);
@@ -914,62 +906,68 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
     switch (configuration.protocol()) {
     case QSsl::TlsV1_3:
     case QSsl::TlsV1_3OrLater:
-        qCWarning(lcTlsBackend) << plainSocket << "SecureTransport does not support TLS 1.3";
+        qCWarning(lcSecureTransport) << plainSocket << "SecureTransport does not support TLS 1.3";
         return false;
     default:;
     }
 
     OSStatus err = errSecSuccess;
 
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
     if (configuration.protocol() == QSsl::TlsV1_0) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.0";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
         if (err == errSecSuccess)
             err = SSLSetProtocolVersionMax(context, kTLSProtocol1);
     } else if (configuration.protocol() == QSsl::TlsV1_1) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.1";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
         if (err == errSecSuccess)
             err = SSLSetProtocolVersionMax(context, kTLSProtocol11);
+QT_WARNING_POP
     } else if (configuration.protocol() == QSsl::TlsV1_2) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.2";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
         if (err == errSecSuccess)
             err = SSLSetProtocolVersionMax(context, kTLSProtocol12);
     } else if (configuration.protocol() == QSsl::AnyProtocol) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : any";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : any";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
     } else if (configuration.protocol() == QSsl::SecureProtocols) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.2";
     #endif
-        err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
+        err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
     } else if (configuration.protocol() == QSsl::TlsV1_0OrLater) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1 - TLSv1.2";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
     } else if (configuration.protocol() == QSsl::TlsV1_1OrLater) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.1 - TLSv1.2";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
+QT_WARNING_POP
     } else if (configuration.protocol() == QSsl::TlsV1_2OrLater) {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
+        qCDebug(lcSecureTransport) << plainSocket << "requesting : TLSv1.2";
     #endif
         err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
     } else {
     #ifdef QSSLSOCKET_DEBUG
-        qCDebug(lcTlsBackend) << plainSocket << "no protocol version found in the configuration";
+        qCDebug(lcSecureTransport) << plainSocket << "no protocol version found in the configuration";
     #endif
         return false;
     }
@@ -998,11 +996,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const
     if (configuration.protocol() == QSsl::AnyProtocol)
         protocolOk = true;
     else if (configuration.protocol() == QSsl::SecureProtocols)
-        protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
+        protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
     else if (configuration.protocol() == QSsl::TlsV1_0OrLater)
         protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
     else if (configuration.protocol() == QSsl::TlsV1_1OrLater)
         protocolOk = (sessionProtocol() >= QSsl::TlsV1_1);
+QT_WARNING_POP
     else if (configuration.protocol() == QSsl::TlsV1_2OrLater)
         protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
     else if (configuration.protocol() == QSsl::TlsV1_3OrLater)
@@ -1075,7 +1076,7 @@ bool TlsCryptographSecureTransport::verifyPeerTrust()
         QTlsBackend::storePeerCertificate(d, peerCertificateChain.at(0));
 
     // Check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer):
-    for (const QSslCertificate &cert : qAsConst(peerCertificateChain)) {
+    for (const QSslCertificate &cert : std::as_const(peerCertificateChain)) {
         if (QSslCertificatePrivate::isBlacklisted(cert) && !canIgnoreVerify) {
             const QSslError error(QSslError::CertificateBlacklisted, cert);
             errors << error;
@@ -1126,8 +1127,6 @@ bool TlsCryptographSecureTransport::verifyPeerTrust()
         QCFType<CFDataRef> certData = cert.toDer().toCFData();
         if (QCFType<SecCertificateRef> secRef = SecCertificateCreateWithData(nullptr, certData))
             CFArrayAppendValue(certArray, secRef);
-        else
-            qCWarning(lcTlsBackend, "Failed to create SecCertificate from QSslCertificate");
     }
 
     SecTrustSetAnchorCertificates(trust, certArray);
@@ -1236,7 +1235,7 @@ bool TlsCryptographSecureTransport::startHandshake()
 
     OSStatus err = SSLHandshake(context);
 #ifdef QSSLSOCKET_DEBUG
-    qCDebug(lcTlsBackend) << plainSocket << "SSLHandhake returned" << err;
+    qCDebug(lcSecureTransport) << plainSocket << "SSLHandhake returned" << err;
 #endif
 
     if (err == errSSLWouldBlock) {
@@ -1282,7 +1281,7 @@ bool TlsCryptographSecureTransport::startHandshake()
 
     // Connection aborted during handshake phase.
     if (q->state() != QAbstractSocket::ConnectedState) {
-        qCDebug(lcTlsBackend) << "connection aborted";
+        qCDebug(lcSecureTransport) << "connection aborted";
         renegotiating = false;
         return false;
     }