path: root/src/network/ssl
Commit log (each entry: commit message, then author, date; files changed, lines -removed/+added)
Merge remote-tracking branch 'origin/5.3' into dev (Frederik Gladhorn, 2014-07-29; 3 files, -0/+8)
    Conflicts:
        src/network/ssl/qsslsocket_openssl_symbols.cpp
    Change-Id: Ic62419fa1fee5f4de6c372459d72e6e16f9a810b
Fix compilation if EC is disabled in OpenSSL (Joni Poikelin, 2014-07-29; 3 files, -0/+8)
    Some Linux distributions disable EC by default which causes compile errors on those platforms.
    Task-number: QTBUG-40394
    Change-Id: If5816d473bd1d64b1d4977860db662704a83310f
    Reviewed-by: Richard J. Moore <rich@kde.org>
Merge remote-tracking branch 'origin/5.3' into dev (Frederik Gladhorn, 2014-07-14; 1 file, -110/+16)
    Conflicts:
        src/gui/text/qfontengine_qpf2.cpp
    Change-Id: Ib04f92c41d0edd55d3aef8fb1708d917fba0f2a8
Android: Update QSslSocketPrivate::fetchSslCertificateData() (Christian Strømme, 2014-07-14; 1 file, -110/+16)
    Replaces the raw jni calls with our own jni wrappers. This allows us to make use of the centralized cache, avoid global data storage and use a more optimized way to attach to the jni environment.
    This change also removes the JNI_OnLoad() function since it's not used. If we need to add a JNI_OnLoad() function later, we should find a more suited place for it.
    Change-Id: Id84ead10c27d03d19c160304b1f9853b381a103c
    Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
Merge remote-tracking branch 'origin/5.3' into dev (Frederik Gladhorn, 2014-07-10; 1 file, -0/+3)
    Change-Id: Ia12ffdb27ecdf25c2a2bdb0eed1945387502108a
QSslCertificate: blacklist NIC certificates from India (Peter Hartmann, 2014-07-09; 1 file, -0/+3)
    Those intermediate certificates were used to issue "unauthorized" certificates according to http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html, and are by default trusted on Windows, so to be safe we blacklist them here.
    Change-Id: I9891c5bee2dd82c22eb0f45e9b04abd25efeb596
    Reviewed-by: Richard J. Moore <rich@kde.org>
Merge remote-tracking branch 'origin/5.3' into dev (Frederik Gladhorn, 2014-07-01; 1 file, -0/+4)
    Conflicts:
        mkspecs/qnx-x86-qcc/qplatformdefs.h
        src/corelib/global/qglobal.h
        src/network/socket/qnativesocketengine_winrt.cpp
        src/plugins/platforms/android/androidjniaccessibility.cpp
        src/plugins/platforms/windows/qwindowswindow.cpp
    Manually adjusted:
        mkspecs/qnx-armle-v7-qcc/qplatformdefs.h
        to include 9ce697f2d54be6d94381c72af28dda79cbc027d4
    Thanks goes to Sergio for the qnx mkspecs adjustments.
    Change-Id: I53b1fd6bc5bc884e5ee2c2b84975f58171a1cb8e
Android: Fix namespace usage (Christian Strømme, 2014-06-30; 1 file, -0/+4)
    This change makes it possible to set a Qt namespace for Android builds.
    Change-Id: I79f4ae8200223f36f97e2849aae49e45b8850d23
    Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
Merge remote-tracking branch 'origin/stable' into dev (J-P Nurmi, 2014-06-05; 1 file, -1/+4)
    Conflicts:
        mkspecs/features/qt.prf
        src/plugins/platforms/xcb/qxcbwindow.h
        src/tools/qdoc/qdocindexfiles.cpp
        src/widgets/kernel/qwidget_qpa.cpp
    Change-Id: I214f57b03bc2ff86cf3b7dfe2966168af93a5a67
Doc: be more explicit about need to set expected SSL cert in errors (Arnaud Bienner, 2014-05-27; 1 file, -1/+2)
    Note added in QNetworkReply and QSslSocket documentation.
    Task-number: QTBUG-16770
    Change-Id: I2dd8cfb913ec29a96b5465a905cd213713b8d537
    Reviewed-by: Richard J. Moore <rich@kde.org>
Ensure all encrypted bytes are sent when closing QSslSocket. (Richard J. Moore, 2014-05-26; 1 file, -0/+2)
    If you do sock->write(data) followed by sock->close() then the data written is not transmitted unless you flush when using QSslSocket but is when using QTcpSocket. This change makes QSslSocket work like QTcpSocket.
    Change-Id: Ia2e1c021dc48ac0d573f78da782ea77641c03bc1
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Merge remote-tracking branch 'origin/stable' into dev (Simon Hausmann, 2014-05-22; 3 files, -3/+4)
    Change-Id: Ia36e93771066d8abcf8123dbe2362c5c9d9260fc
Avoid accessing the internals of the SSL_CIPHER struct. (Richard J. Moore, 2014-05-19; 3 files, -3/+4)
    Avoid accessing the internals of the SSL_CIPHER struct since this has changed size etc. over time leading to binary incompatibilities.
    Task-number: QTBUG-32423
    Task-number: QTBUG-23363
    Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
    Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev (Friedemann Kleint, 2014-05-14; 2 files, -23/+24)
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-05-13; 2 files, -23/+24)
    Conflicts:
        src/gui/kernel/qguiapplication.cpp
    Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
Merge remote-tracking branch 'origin/release' into stable (Frederik Gladhorn, 2014-05-12; 2 files, -23/+24)
    Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
Ignore expired certificate during certificate validation (Daniel Molkentin, 2014-05-11; 2 files, -23/+24)
    OpenSSL has a bug when validating a chain with two certificates. If a certificate exists twice (which is a valid use case for renewed CAs), and the first one it hits is expired (which depends on the order on data structure internal to OpenSSL), it will fail to validate the chain.
    This is only a bandaid fix, which trades improved chain validation for error reporting accuracy. However given that reissuing of CA certs is a real problem that is only getting worse, this fix is needed.
    See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS
    [ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem that may cause errors when the trust store contains two certificates of the issuing CA, one of which is expired.
    Task-number: QTBUG-38896
    Change-Id: I8f17972ac94555648098624e470fff0eff2e7940
    Reviewed-by: Richard J. Moore <rich@kde.org>
    Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
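The failure mode and the trade-off described in the commit above can be modelled without OpenSSL. The block below is an added illustration, not Qt or OpenSSL code: certificates are plain records, the store and chain are constructed samples, and `first_match_lookup` imitates only the rule quoted from the OpenSSL warning (the first CA entry whose name matches the issuer is examined, and an expired match ends the search). The matching condition is simplified to the subject name.

```python
"""Model of the expired-duplicate-CA lookup problem and of the workaround of
dropping expired CA certificates before they reach the trust store.
Added illustration, not Qt or OpenSSL code; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    serial: int

    def expired(self, now: datetime) -> bool:
        return self.not_after < now


def first_match_lookup(store, leaf, now):
    """Imitates the documented OpenSSL behaviour: only the first store entry
    whose subject matches the leaf's issuer is examined; if that entry is
    expired the search stops with an error instead of trying the next one."""
    for ca in store:
        if ca.subject == leaf.issuer:
            if ca.expired(now):
                return None, "certificate has expired"
            return ca, "ok"
    return None, "unable to get local issuer certificate"


def prune_expired(store, now):
    """The workaround: never load an expired CA certificate, so a renewed copy
    of the same CA is the only entry the lookup can find."""
    return [ca for ca in store if not ca.expired(now)]


def verify(store, leaf, now):
    """Return (ok, reason) for leaf against store under the first-match rule."""
    ca, reason = first_match_lookup(store, leaf, now)
    return ca is not None, reason


# Constructed sample: a root CA reissued with a later expiry under the same
# name, and a leaf issued by that name.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
OLD_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA",
                datetime(2014, 1, 1, tzinfo=timezone.utc), serial=1)
NEW_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA",
                datetime(2024, 1, 1, tzinfo=timezone.utc), serial=2)
LEAF = Cert("CN=server.example", "CN=Example Root CA",
            datetime(2015, 1, 1, tzinfo=timezone.utc), serial=100)


if __name__ == "__main__":
    # Same store contents, different order: the verdict flips.
    print(verify([OLD_ROOT, NEW_ROOT], LEAF, NOW))
    print(verify([NEW_ROOT, OLD_ROOT], LEAF, NOW))
    # With the workaround the order no longer matters.
    print(verify(prune_expired([OLD_ROOT, NEW_ROOT], NOW), LEAF, NOW))
    # The price: a store holding only the expired CA now reports an unknown
    # issuer rather than an expired one.
    print(verify(prune_expired([OLD_ROOT], NOW), LEAF, NOW))
```

The last call is the "error reporting accuracy" the commit gives up: once expired CAs are filtered out before loading, a chain that fails only because its CA expired is indistinguishable from a chain with an unknown issuer.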
Move the PKCS#12 support from QSslSocket to QSslCertificate. (Richard J. Moore, 2014-05-14; 4 files, -25/+25)
    Discussed with Peter and agreed that it's a slightly better fit there.
    Change-Id: If8db777336e2273670a23d75d8542b30c07e0d7b
    Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Add support for loading PKCS#12 bundles. (Richard J. Moore, 2014-05-11; 9 files, -0/+152)
    Add support for loading certificates and keys from PKCS#12 bundles (also known as pfx files).
    Task-number: QTBUG-1565
    [ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12 bundles was added. These are often used to transport keys and certificates conveniently, particularly when making use of client certificates.
    Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
    Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
QSslCertificate::isSelfSigned(): add since tag in documentation (Peter Hartmann, 2014-05-11; 1 file, -0/+1)
    Change-Id: I6a4e96fb1a94a1a55eabe6b3e0df09b5d27fd8a2
    Reviewed-by: Richard J. Moore <rich@kde.org>
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-05-06; 1 file, -0/+2)
    Conflicts:
        mkspecs/qnx-x86-qcc/qplatformdefs.h
        src/corelib/global/qglobal.h
        src/opengl/gl2paintengineex/qpaintengineex_opengl2.cpp
        src/opengl/qgl.cpp
        src/opengl/qglpixelbuffer.cpp
        src/opengl/qglshaderprogram.cpp
        tests/auto/opengl/qglthreads/tst_qglthreads.cpp
    Change-Id: Iaba137884d3526a139000ca26fee02bb27b5cdb5
Fix build against older OpenSSL. (Sérgio Martins, 2014-04-14; 1 file, -0/+2)
    The declaration of q_SSL_ctrl is ifdefed, so ifdef its usage too.
    Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617
    Reviewed-by: Richard J. Moore <rich@kde.org>
Provide new API: QSslCertificate::isSelfSigned() (Daniel Molkentin, 2014-04-30; 4 files, -0/+19)
    Change-Id: I382a017a0b865b849667301aff8b2f87b676ecc6
    Reviewed-by: Richard J. Moore <rich@kde.org>
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-04-11; 4 files, -0/+83)
    Conflicts:
        mkspecs/qnx-armv7le-qcc/qplatformdefs.h
        src/printsupport/kernel/qcups.cpp
        src/widgets/styles/qstyle.h
        tests/auto/widgets/itemviews/qlistwidget/tst_qlistwidget.cpp
    Change-Id: Ia41e13051169a6d4a8a1267548e7d47b859bb267
Support for DH and ECDH key exchange for QSslSocket servers (Richard J. Moore, 2014-04-09; 3 files, -0/+80)
    Despite supporting DH and ECDH key exchange as a client, Qt did not provide any default parameters which prevented them being used as a server. A future change should allow the user to control the parameters used, but these defaults should be okay for most users.
    [ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange cipher suites when acting as an SSL server has been made possible. This change means you can now implement servers that offer forward-secrecy using Qt.
    Task-number: QTBUG-20666
    Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
    Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Ensure we initialize things before checking the openssl version. (Richard J. Moore, 2014-04-08; 1 file, -0/+3)
    Task-number: QTBUG-37783
    Change-Id: Ie276e597062d8bfc74ef57251ed21a94020e030f
    Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-03-24; 1 file, -4/+6)
    Conflicts:
        src/gui/image/qjpeghandler.cpp
    Change-Id: I9db3acea7d5c82f5da679c8eaeb29431136665f0
Fix crash if SSL_get0_next_proto_negotiated() cannot be resolved. (Friedemann Kleint, 2014-03-20; 1 file, -4/+6)
    Crash occurs after warnings like:
        QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated
    Task-number: QTBUG-37515
    Task-number: QTBUG-33208
    Change-Id: I18b803e4709b9d5f6b33717c2ac43179676351a4
    Reviewed-by: Richard J. Moore <rich@kde.org>
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Merge remote-tracking branch 'origin/stable' into dev (Sergio Ahumada, 2014-03-13; 4 files, -7/+7)
    Change-Id: Idec54e19963e8d88c711cb179cffc81596323899
Replace Note: with \note in documentation (Kurt Pattyn, 2014-03-13; 3 files, -6/+6)
    Change-Id: I213ac1fb2733e675f3641441fe6c621bab06c1f0
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
    Reviewed-by: Richard J. Moore <rich@kde.org>
Fix some typos (Sergio Ahumada, 2014-03-03; 1 file, -1/+1)
    Change-Id: I7dbe938bff5ac3ab50a0197f94bdb2f6c22fbd16
    Reviewed-by: Kevin Krammer <kevin.krammer@kdab.com>
    Reviewed-by: Mitch Curtis <mitch.curtis@digia.com>
Add accessors for the build-time version of openssl. (Richard J. Moore, 2014-03-10; 4 files, -0/+40)
    Many bugs originate due to mismatches between the build-time and run-time versions of openssl but they're hard to debug as we don't provide access to the build-time info. This addresses that weakness.
    [ChangeLog][QtNetwork][QSslSocket] Added accessors for the version of openssl used at build-time. This will help when debugging problems caused by a mismatch with the run-time version.
    Change-Id: I6a4c21c8f16ab4c90cdf166f38c62fe37bf1f165
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Add support for finding the version of SSL/TLS in use. (Richard J. Moore, 2014-03-10; 10 files, -1/+61)
    Previously we allowed you to specify which version(s) you wanted to use, but did not provide access to the version that was actually negotiated.
    [ChangeLog][QtNetwork][QSslSocket] Add support for finding the version of SSL/TLS in use by a connection.
    Task-number: QTBUG-28471
    Change-Id: I6d50d2bc9f1ce7f98192e67992178fe7e41c0575
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
QSslCipher: make QString constructor explicit (Marc Mutz, 2014-02-21; 1 file, -1/+1)
    A QSslCipher is not an equivalent representation of a QString, so the constructor that takes a QString should be explicit.
    Change-Id: I4c1329d1eebf91b212616eb5200450c0861d900f
    Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-02-12; 1 file, -8/+11)
    Conflicts:
        src/gui/image/qimage.cpp
        src/gui/text/qtextengine.cpp
        src/plugins/platforms/linuxfb/qlinuxfbscreen.cpp
        src/printsupport/kernel/qprintengine_win.cpp
    Change-Id: I09ce991a57f39bc7b1ad6978d0e0d858df0cd444
Correct the documentation of the return types of subjectInfo and issuerInfo. (Richard J. Moore, 2014-02-12; 1 file, -8/+11)
    These functions now return a QStringList to reflect the possibility of there being more than one entry of a given type, but the documentation did not reflect this.
    Task-Number: QTBUG-36304
    Change-Id: Iba2eda5e2c3174c8dcea640b5aed9cdc9a432392
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
SSL: add support for the Next Protocol Negotiation extension (Peter Hartmann, 2014-02-11; 9 files, -3/+255)
    ... which is needed to negotiate the SPDY protocol.
    [ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next Protocol Negotiation (NPN) TLS extension.
    Task-number: QTBUG-33208
    Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
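NPN is small enough to show end to end. The block below is an added example, not Qt's implementation: it encodes and parses the length-prefixed protocol list the server sends in its ServerHello extension, applies the client's selection rule (the first protocol in the server's list that the client also supports, otherwise the client's own first choice flagged as a non-overlap, the same two outcomes an NPN API reports as "negotiated" and "unsupported"), and builds the NextProtocol handshake body with its 32-byte-aligned padding. The server list and client preferences are constructed sample data.

```python
"""Next Protocol Negotiation (NPN): wire format, client selection rule, and the
NextProtocol message body. Added illustration, not Qt code."""


def encode_protocol_list(protocols):
    """Serialise names as <len><bytes>..., one-byte length, 1..255 bytes each."""
    out = bytearray()
    for name in protocols:
        raw = name.encode("ascii")
        if not 0 < len(raw) < 256:
            raise ValueError(f"protocol name length out of range: {name!r}")
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_protocol_list(data):
    """Parse the list; reject empty names and lengths that run past the data."""
    names, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0 or i + n > len(data):
            raise ValueError("malformed NPN protocol list")
        names.append(data[i:i + n].decode("ascii"))
        i += n
    return names


def select_next_protocol(server_advertised, client_supported):
    """Return (protocol, status). 'negotiated' when the lists overlap (server
    order decides), 'no_overlap' when the client falls back to its own first
    choice, as the extension allows."""
    if not client_supported:
        raise ValueError("client must support at least one protocol")
    for name in decode_protocol_list(server_advertised):
        if name in client_supported:
            return name, "negotiated"
    return client_supported[0], "no_overlap"


def build_next_protocol_message(selected):
    """NextProtocol body: <len>selected<len>padding, padded so the whole body
    is a multiple of 32 bytes and the chosen name's length is not exposed."""
    raw = selected.encode("ascii")
    padding = 32 - ((len(raw) + 2) % 32)
    return bytes([len(raw)]) + raw + bytes([padding]) + b"\x00" * padding


# Constructed sample exchange: a SPDY-capable server and a client that lists
# HTTP/1.1 first but also speaks spdy/3.
SERVER_LIST = encode_protocol_list(["spdy/3", "http/1.1"])
CLIENT_PREFS = ["http/1.1", "spdy/3"]

if __name__ == "__main__":
    chosen, status = select_next_protocol(SERVER_LIST, CLIENT_PREFS)
    print(chosen, status)
    print(build_next_protocol_message(chosen).hex())
```

The malformed-list check matters on the client side: the server's list arrives from the peer before the handshake is authenticated, so a length byte that overruns the buffer has to be rejected rather than trusted.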
Fix the QSslSocket::setCiphers(const QString &) overload. (Richard J. Moore, 2014-02-02; 3 files, -6/+24)
    The overload used an evil hack to work around a flaw in the QSslCipher API rather than fixing the API. The hack was broken by the addition of support for newer versions of TLS. This change solves the issue properly by fixing the QSslCipher API then using the fixed version.
    Task-Number: QTBUG-34688
    Change-Id: Ibf677c374f837f705395741e730d40d8f912d7c6
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev (Frederik Gladhorn, 2014-01-21; 1 file, -3/+0)
Merge remote-tracking branch 'origin/stable' into dev (Frederik Gladhorn, 2014-01-20; 1 file, -3/+0)
    Conflicts:
        src/corelib/global/qglobal.h
        src/corelib/tools/qstring.cpp
        src/gui/image/image.pri
        src/gui/image/qimage.cpp
        src/plugins/platforms/cocoa/qcocoawindow.h
        src/plugins/platforms/cocoa/qcocoawindow.mm
        src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
        tests/auto/corelib/io/qstandardpaths/tst_qstandardpaths.cpp
    Change-Id: I3b9ba029c8f2263b011f204fdf68c3231c6d4ce5
Prevent spurious SSL errors from local certificates. (Richard J. Moore, 2014-01-16; 1 file, -3/+0)
    Qt since approximately 4.4 has set the verify callback on both the SSL store and the SSL context. Only the latter is actually needed. This is normally not a problem, but openssl prior to 1.0.2 uses the verify code to find the intermediate certificates for any local certificate that has been set which can lead to verification errors for the local certificate to be emitted.
    Task-number: QTBUG-33228
    Task-number: QTBUG-7200
    Task-number: QTBUG-24234
    Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Ensure weak ciphers are not part of the default SSL configuration. (Richard J. Moore, 2014-01-21; 3 files, -2/+7)
    Any cipher that is < 128 bits is excluded from the default SSL configuration. These ciphers are still included in the list of availableCiphers() and can be used by applications if required. Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers()) will restore the old behavior.
    Note that in doing so I spotted that calling defaultCiphers() before doing other actions with SSL had an existing bug that I've addressed as part of the change.
    [ChangeLog][Important Behavior Changes] The default set of ciphers used by QSslSocket has been changed to exclude ciphers that are using key lengths smaller than 128 bits. These ciphers are still available and can be enabled by applications if required.
    Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
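Two server-side cipher policies appear in this log: the 128-bit floor this commit puts on the default suite list, and the forward-secret DHE/ECDHE suites that the "Support for DH and ECDH key exchange for QSslSocket servers" commit above makes usable. The block below is an added example, not Qt code, that applies both policies to suite descriptors in the shape Python's ssl.SSLContext.get_ciphers() returns (name, kea, strength_bits); the suite list is constructed for the demonstration, and the same functions can be fed a real context's get_ciphers() output.

```python
"""Cipher-suite policy: a key-length floor (this commit's rule) and a stricter
forward-secrecy-only server policy. Added illustration, not Qt code; the
descriptors below are constructed in the shape of SSLContext.get_ciphers()."""
import ssl


def forward_secret(suite):
    """DHE and ECDHE key exchange derive a fresh key per connection."""
    return suite["kea"] in ("kx-dhe", "kx-ecdhe")


def default_ciphers(available, min_bits=128):
    """Drop suites whose symmetric key is shorter than min_bits."""
    return [s for s in available if s["strength_bits"] >= min_bits]


def forward_secret_only(available, min_bits=128):
    """Key-length floor plus forward secrecy: what a server that wants
    forward secrecy should actually offer."""
    return [s for s in default_ciphers(available, min_bits) if forward_secret(s)]


def cipher_string(suites):
    """Colon-separated OpenSSL cipher string for SSLContext.set_ciphers()."""
    return ":".join(s["name"] for s in suites)


def names(suites):
    return [s["name"] for s in suites]


def suite(name, kea, bits):
    # Constructed descriptor using the keys get_ciphers() reports.
    return {"name": name, "kea": kea, "strength_bits": bits}


SAMPLE = [
    suite("ECDHE-ECDSA-AES256-GCM-SHA384", "kx-ecdhe", 256),
    suite("ECDHE-RSA-AES128-GCM-SHA256", "kx-ecdhe", 128),
    suite("DHE-RSA-AES256-SHA", "kx-dhe", 256),
    suite("AES128-SHA", "kx-rsa", 128),
    suite("RC4-MD5", "kx-rsa", 128),
    suite("DES-CBC-SHA", "kx-rsa", 56),
    suite("EXP-RC4-MD5", "kx-rsa", 40),
]


if __name__ == "__main__":
    print(names(default_ciphers(SAMPLE)))
    print(names(forward_secret_only(SAMPLE)))
    # Apply the strict policy to a real server context. set_ciphers() raises
    # ssl.SSLError if none of the listed suites is known to the local OpenSSL.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string(forward_secret_only(ctx.get_ciphers())))
    print(names(ctx.get_ciphers()))
```

A bit-length floor is a blunt instrument: in the sample list it removes DES and the export suite but keeps RC4-MD5, whose key is 128 bits. The forward-secrecy filter happens to drop it here because it uses plain RSA key exchange, but a policy that needs to exclude specific algorithms should say so explicitly rather than rely on the floor.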
expand tabs and related whitespace fixes in *.{cpp,h,qdoc} (Oswald Buddenhagen, 2014-01-13; 2 files, -21/+21)
    the diff -w for this commit is empty.
    Started-by: Thiago Macieira <thiago.macieira@intel.com>
    Change-Id: I77bb84e71c63ce75e0709e5b94bee18e3ce6ab9e
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
SSL: blacklist ANSSI intermediate certificate (Peter Hartmann, 2013-12-10; 1 file, -0/+2)
    ... because it was used to operate a man-in-the-middle proxy.
    Task-number: QTBUG-35474
    Change-Id: Ic7f19708b278b866e4f06533cbd84e0ff43357e9
    Reviewed-by: Richard J. Moore <rich@kde.org>
QSslConfiguration: rename [get]session() to [get]sessionTicket() (Peter Hartmann, 2013-11-08; 5 files, -18/+18)
    to reflect the fact that this returns and sets the whole session ticket, and not just the session ID.
    Change-Id: I00fe2bc4197dbcd7a02b3ae4f2f84e3a2a7edad0
    Reviewed-by: Richard J. Moore <rich@kde.org>
use private linkage where possible (Oswald Buddenhagen, 2013-10-31; 1 file, -1/+1)
    Change-Id: Ie8eaa71bee87654c21218a23efd7e9d65b71f022
    Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
use the right scope (Oswald Buddenhagen, 2013-10-31; 1 file, -1/+1)
    "windows" only worked more or less by accident (it's the opposite of "console" and just happens to be the default on windows).
    Change-Id: Ib60c8ae5aea04f28207c05cc0005183dd6eb6244
    Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Doc: Adding mark-up to boolean default values. (Jerome Pasion, 2013-10-08; 7 files, -33/+33)
    Default values should have mark-up to denote that they are code. This commit changes:
        -"property is true" to "property is \c true".
        -"Returns true" to "Returns \c true".
        -"property is false" to "property is \c false".
        -"returns true" to "returns \c true".
        -"returns false" to "returns \c false".
    src/3rdparty and non-documentation instances were ignored.
    Task-number: QTBUG-33360
    Change-Id: Ie87eaa57af947caa1230602b61c5c46292a4cf4e
    Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
    Reviewed-by: Jerome Pasion <jerome.pasion@digia.com>
Fix ssh root certificates path for Blackberry playbook OS. (sfabry, 2013-10-03; 1 file, -0/+1)
    This was removed by commit 4c8d8a72ec65f409394075ef50401265e495c1dd
    But without it Playbook OS 2.1.0.1753 could not access ssh properly.
    Change-Id: I18e136eaede2a5dffeb10b5fe31023b9aef709cb
    Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Remove redundant code. (Jędrzej Nowacki, 2013-09-29; 1 file, -2/+0)
    QPair is documented to initialize members
    Change-Id: I1dccfd265521ca3ca1a648b161c0a163c72e2f2e
    Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
    Reviewed-by: Richard J. Moore <rich@kde.org>