From 3c24dddaf963026c6e3cd90dd7d538dfa8044c83 Mon Sep 17 00:00:00 2001 From: Peter Hartmann Date: Thu, 5 Feb 2015 14:05:21 +0100 Subject: SSL NPN negotiation: Do not abort on unmatched protocols ... but choose HTTP/1.1 and continue connecting anyhow. According to the NPN spec, actually we should choose SPDY: "In the event that the client doesn't support any of server's protocols, or the server doesn't advertise any, it SHOULD select the first protocol that it supports." However, some tested servers did not advertise anything and did not support SPDY, so blindly trying the newest protocol would fail. We are conservative in that case and choose HTTP. Task-number: QTBUG-40714 Change-Id: Ia8aaf01fea74e13d9e4416306f85f1890b25559e Reviewed-by: Richard J. Moore --- src/network/ssl/qsslsocket_openssl.cpp | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 8833e3fdd8..0e1a3e53c9 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1518,14 +1518,20 @@ void QSslSocketBackendPrivate::continueHandshake() } #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) - const unsigned char *proto = 0; - unsigned int proto_len = 0; - q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); - if (proto_len) - configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); - else - configuration.nextNegotiatedProtocol.clear(); + configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; + if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { + // we could not agree -> be conservative and use HTTP/1.1 + configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); + } else { + const unsigned char *proto = 0; + unsigned int proto_len = 0; + q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); + if (proto_len) + configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); + else + configuration.nextNegotiatedProtocol.clear(); + } #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... connectionEncrypted = true; -- cgit v1.2.3