From ab731692e2ae38c85bbb14239fe15a22a9261c7e Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Thu, 9 Aug 2018 14:03:17 +0200 Subject: QDtls: delay protocol version verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A weird behavior of the DTLS server example, when linked with 1.0.2, exposed that client code, requesting an invalid protocol (for example, SSLv3) can end-up with connection encrypted with DTLS 1.2 (which is not that bad, but totally surprising). When we check the protocol version early in setDtlsConfiguration() and find a wrong version, we leave our previous configuration intact and we will use it later during the handshake. This is wrong. So now we let our user set whatever wrong configuration they have and later fail in TLS initialization, saying - 'Unsupported protocol, DTLS was expected'. Auto-test was reduced - the follow-up patch will introduce a new 'invalidConfiguration' auto-test. Change-Id: I9be054c6112eea11b7801a1595aaf1d34329e1d2 Reviewed-by: Edward Welbourne Reviewed-by: MÃ¥rten Nordheim --- tests/auto/network/ssl/qdtls/tst_qdtls.cpp | 6 ------ 1 file changed, 6 deletions(-) (limited to 'tests/auto/network/ssl')
diff --git a/tests/auto/network/ssl/qdtls/tst_qdtls.cpp b/tests/auto/network/ssl/qdtls/tst_qdtls.cpp
index 3a2c16ea66..6ca4ca9b92 100644
--- a/tests/auto/network/ssl/qdtls/tst_qdtls.cpp
+++ b/tests/auto/network/ssl/qdtls/tst_qdtls.cpp
@@ -284,12 +284,6 @@ void tst_QDtls::configuration()
     QFETCH(const QSslSocket::SslMode, mode);
     QDtls dtls(mode);
     QCOMPARE(dtls.dtlsConfiguration(), config);
-    // Default TLS (no 'D') configuration has a wrong protocol version:
-    QCOMPARE(dtls.setDtlsConfiguration(QSslConfiguration::defaultConfiguration()), false);
-    QCOMPARE(dtls.dtlsError(), QDtlsError::InvalidInputParameters);
-    // The previous failure did not change our default configuration:
-    QCOMPARE(dtls.dtlsConfiguration(), config);
-
     // Now set a valid (non-default) configuration:
     config.setProtocol(QSsl::DtlsV1_0OrLater);
     config.setDtlsCookieVerificationEnabled(false);
     QCOMPARE(config.dtlsCookieVerificationEnabled(), false);
-- cgit v1.2.3