From 5c19fad8c178b055e8864b2576cfa3cbaa44a19e Mon Sep 17 00:00:00 2001 From: "Richard J. Moore" Date: Fri, 17 Jan 2014 21:23:20 +0000 Subject: Ensure weak ciphers are not part of the default SSL configuration. Any cipher that is < 128 bits is excluded from the default SSL configuration. These ciphers are still included in the list of availableCiphers() and can be used by applications if required. Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers()) will restore the old behavior. Note that in doing so I spotted that calling defaultCiphers() before doing other actions with SSL had an existing bug that I've addressed as part of the change. [ChangeLog][Important Behavior Changes] The default set of ciphers used by QSslSocket has been changed to exclude ciphers that are using key lengths smaller than 128 bits. These ciphers are still available and can be enabled by applications if required. Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba Reviewed-by: Thiago Macieira
---
 .../auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) (limited to 'tests')
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 82543fbc91..3162165139 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -589,13 +589,13 @@ void tst_QSslSocket::ciphers() return; QSslSocket socket; - QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers()); + QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers()); socket.setCiphers(QList()); QVERIFY(socket.ciphers().isEmpty()); socket.setCiphers(socket.defaultCiphers()); - QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers()); + QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers()); socket.setCiphers(socket.defaultCiphers()); - QCOMPARE(socket.ciphers(), QSslSocket::supportedCiphers()); + QCOMPARE(socket.ciphers(), QSslSocket::defaultCiphers()); // Task 164356 socket.setCiphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); @@ -678,6 +678,11 @@ void tst_QSslSocket::sessionCipher() if (!socket->waitForEncrypted(5000)) QSKIP("Skipping flaky test - See QTBUG-29941"); QVERIFY(!socket->sessionCipher().isNull()); + + qDebug() << "Supported Ciphers:" << QSslSocket::supportedCiphers(); + qDebug() << "Default Ciphers:" << QSslSocket::defaultCiphers(); + qDebug() << "Session Cipher:" << socket->sessionCipher(); + QVERIFY(QSslSocket::supportedCiphers().contains(socket->sessionCipher())); socket->disconnectFromHost(); QVERIFY(socket->waitForDisconnected()); @@ -1386,6 +1391,15 @@ void tst_QSslSocket::defaultCaCertificates() void tst_QSslSocket::defaultCiphers() { + if (!QSslSocket::supportsSsl()) + return; + + QList ciphers = QSslSocket::defaultCiphers(); + QVERIFY(ciphers.size() > 1); + + QSslSocket socket; + QCOMPARE(socket.defaultCiphers(), ciphers); + QCOMPARE(socket.ciphers(), ciphers); } void tst_QSslSocket::resetDefaultCiphers() @@ -1410,8 +1424,6 @@ void tst_QSslSocket::supportedCiphers() QSslSocket socket; QCOMPARE(socket.supportedCiphers(), ciphers); - QCOMPARE(socket.defaultCiphers(), ciphers); - QCOMPARE(socket.ciphers(), ciphers); } void tst_QSslSocket::systemCaCertificates() -- cgit v1.2.3
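Review bot: In tst_QSslSocket::sessionCipher() (the hunk at -678), the `QVERIFY(QSslSocket::supportedCiphers().contains(socket->sessionCipher()))` check accepts any supported cipher, so a handshake that negotiated a sub-128-bit cipher would still pass. If this socket runs with the default configuration (its setup is outside the hunk), add `QVERIFY(QSslSocket::defaultCiphers().contains(socket->sessionCipher()));` so the test covers the behaviour this commit changes. The three added `qDebug()` lines print the full supported and default lists on every run; consider dropping them or emitting them only on failure.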
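Review bot: The new tst_QSslSocket::defaultCiphers() body (the hunk at -1386) never asserts the property the commit introduces. It passes whenever the list has more than one entry, even if defaultCiphers() still contained ciphers below 128 bits. Add a strength check after the size check, for example `foreach (const QSslCipher &cipher, ciphers) QVERIFY(cipher.usedBits() >= 128);`, or use `supportedBits()` if that is what the library-side filter tests, since the filter is not part of this tests-only diff. A comment above the loop such as `// The default list must not contain ciphers with key lengths below 128 bits` would record the intent. The same gap applies to the hunk at -589, where every comparison is against defaultCiphers() itself.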