summaryrefslogtreecommitdiffstats
path: root/src/network/ssl/qsslcontext.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Fix compilation if EC is disabled in OpenSSLJoni Poikelin2014-07-291-0/+2
| | | | | | | | | Some Linux distributions disable EC by default which causes compile errors on those platforms. Task-number: QTBUG-40394 Change-Id: If5816d473bd1d64b1d4977860db662704a83310f Reviewed-by: Richard J. Moore <rich@kde.org>
* Ignore expired certificate during certificate validationDaniel Molkentin2014-05-111-11/+12
| | | | | | | | | | | | | | | | | | | | | | | OpenSSL has a bug when validating a chain with two certificates. If a certificate exists twice (which is a valid use case for renewed CAs), and the first one it hits is expired (which depends on the order on data structure internal to OpenSSL), it will fail to validate the chain. This is only a bandaid fix, which trades improved chain validation for error reporting accuracy. However given that reissuing of CA certs is a real problem that is only getting worse, this fix is needed. See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS [ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem that may cause errors when the trust store contains two certificates of the issuing CA, one of which is expired. Task-number: QTBUG-38896 Change-Id: I8f17972ac94555648098624e470fff0eff2e7940 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
* Support for DH and ECDH key exchange for QSslSocket serversRichard J. Moore2014-04-091-0/+59
| | | | | | | | | | | | | | | | | Despite supporting DH and ECDH key exchange as a client, Qt did not provide any default parameters which prevented them being used as a server. A future change should allow the user to control the parameters used, but these defaults should be okay for most users. [ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange cipher suites when acting as an SSL server has been made possible. This change means the you can now implement servers that offer forward-secrecy using Qt. Task-number: QTBUG-20666 Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17 Reviewed-by: Daniel Molkentin <daniel@molkentin.de> Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
* Fix some typosSergio Ahumada2014-03-031-1/+1
| | | | | | Change-Id: I7dbe938bff5ac3ab50a0197f94bdb2f6c22fbd16 Reviewed-by: Kevin Krammer <kevin.krammer@kdab.com> Reviewed-by: Mitch Curtis <mitch.curtis@digia.com>
* SSL: add support for the Next Protocol Negotiation extensionPeter Hartmann2014-02-111-0/+60
| | | | | | | | | | | | ... which is needed to negotiate the SPDY protocol. [ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next Protocol Negotiation (NPN) TLS extension. Task-number: QTBUG-33208 Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Prevent spurious SSL errors from local certificates.Richard J. Moore2014-01-161-3/+0
| | | | | | | | | | | | | | | | Qt since approximately 4.4 has set the verify callback on both the SSL store and the SSL context. Only the latter is actually needed. This is normally not a problem, but openssl prior to 1.0.2 uses the verify code to find the intermediate certificates for any local certificate that has been set which can lead to verification errors for the local certificate to be emitted. Task-number: QTBUG-33228 Task-number: QTBUG-7200 Task-number: QTBUG-24234 Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c Reviewed-by: Peter Hartmann <phartmann@blackberry.com> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* QSslConfiguration: rename [get]session() to [get]sessionTicket()Peter Hartmann2013-11-081-2/+2
| | | | | | | | to reflect the fact that this returns and sets the whole session ticket, and not just the session ID. Change-Id: I00fe2bc4197dbcd7a02b3ae4f2f84e3a2a7edad0 Reviewed-by: Richard J. Moore <rich@kde.org>
* QSslConfiguration: add API to persist and resume SSL sessionsPeter Hartmann2013-05-101-2/+39
| | | | | | | | | | | | | Session tickets can be cached on the client side for hours (e.g. graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the server does not need to maintain state. We need public API for it so an application can cache the session (e.g. to disk) and resume a session already with the 1st handshake, saving one network round trip. Task-number: QTBUG-20668 Change-Id: I10255932dcd528ee1231538cb72b52b97f9f4a3c Reviewed-by: Richard J. Moore <rich@kde.org>
* Add support for intermediate certificates to server sockets.Richard Moore2013-02-191-0/+11
| | | | | | | | | | Add intermediate certificates to our server sockets, and to our client certs. Change-Id: Ib5aa575473f9e84f337bebe35099506dd7d7e2ba Task-Number: QTBUG-19825 Task-Number: QTBUG-13281 Reviewed-by: Peter Hartmann <phartmann@rim.com>
* Remove ifdefs for supporting Mac OS <= 10.5Tor Arne Vestbø2013-02-181-10/+2
| | | | | | | | Qt5 requires Mac OS 10.6, so we can remove checks such as if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6 Change-Id: Iea21727a277291148704ecf9677ed0b68c24920f Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* SSL: Implement session sharing and use it from QNetworkAccessManagerPeter Hartmann2013-02-061-0/+306
This improves performance since a network round trip can be avoided. Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a Initial-patch-by: Markus Goetz <markus@woboq.com> Reviewed-by: Richard J. Moore <rich@kde.org>
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-04 20:12:20 +0000