TLS: Mark TLS 1.0, 1.1 and DTLS 1.0 deprecated
As per the best practice laid forth in RFC-8996. TLS 1.2 was recommended from 2008 until TLS 1.3 was released in 2018. [ChangeLog][QtNetwork][QSslSocket] TLS 1.0, 1.1 and DTLS 1.0 are now deprecated, as recommended by RFC-8996. Fixes: QTBUG-92880 Change-Id: I90cebcfb07cfce623af7ac9f2b66ce9d02586b54 Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>bb10
parent
664a6621fb
commit
bb93c641a2
|
|
@ -50,7 +50,7 @@
|
|||
|
||||
//! [0]
|
||||
QSslConfiguration config = sslSocket.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0);
|
||||
config.setProtocol(QSsl::TlsV1_2);
|
||||
sslSocket.setSslConfiguration(config);
|
||||
//! [0]
|
||||
|
||||
|
|
|
|||
|
|
@ -73,18 +73,18 @@ namespace QSsl {
|
|||
};
|
||||
|
||||
enum SslProtocol {
|
||||
TlsV1_0,
|
||||
TlsV1_1,
|
||||
TlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
|
||||
TlsV1_1 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
|
||||
TlsV1_2,
|
||||
AnyProtocol,
|
||||
SecureProtocols,
|
||||
|
||||
TlsV1_0OrLater,
|
||||
TlsV1_1OrLater,
|
||||
TlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
|
||||
TlsV1_1OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
|
||||
TlsV1_2OrLater,
|
||||
|
||||
DtlsV1_0,
|
||||
DtlsV1_0OrLater,
|
||||
DtlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."),
|
||||
DtlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."),
|
||||
DtlsV1_2,
|
||||
DtlsV1_2OrLater,
|
||||
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
|
|||
change the settings in the related SSL connection. You must call
|
||||
setSslConfiguration on a modified QSslConfiguration object to
|
||||
achieve that. The following example illustrates how to change the
|
||||
protocol to TLSv1_0 in a QSslSocket object:
|
||||
protocol to TLSv1_2 in a QSslSocket object:
|
||||
|
||||
\snippet code/src_network_ssl_qsslconfiguration.cpp 0
|
||||
|
||||
|
|
|
|||
|
|
@ -2092,6 +2092,8 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
|
|||
// Should not be used when configuring QSslSocket.
|
||||
protocolName = QLatin1String("UnknownProtocol");
|
||||
Q_FALLTHROUGH();
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::DtlsV1_0:
|
||||
case QSsl::DtlsV1_2:
|
||||
case QSsl::DtlsV1_0OrLater:
|
||||
|
|
@ -2100,6 +2102,7 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
|
|||
setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
|
||||
QSslSocket::tr("Attempted to use an unsupported protocol."));
|
||||
return false;
|
||||
QT_WARNING_POP
|
||||
default:
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -808,6 +808,8 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int
|
|||
QString protoString = descriptionList.at(1).toString();
|
||||
ciph.d->protocolString = protoString;
|
||||
ciph.d->protocol = QSsl::UnknownProtocol;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
if (protoString == QLatin1String("TLSv1"))
|
||||
ciph.d->protocol = QSsl::TlsV1_0;
|
||||
else if (protoString == QLatin1String("TLSv1.1"))
|
||||
|
|
@ -816,6 +818,7 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int
|
|||
ciph.d->protocol = QSsl::TlsV1_2;
|
||||
else if (protoString == QLatin1String("TLSv1.3"))
|
||||
ciph.d->protocol = QSsl::TlsV1_3;
|
||||
QT_WARNING_POP
|
||||
|
||||
if (descriptionList.at(2).startsWith(QLatin1String("Kx=")))
|
||||
ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3).toString();
|
||||
|
|
|
|||
|
|
@ -1421,9 +1421,12 @@ void QDtlsPrivateOpenSSL::fetchNegotiatedParameters()
|
|||
// TLS 1.2, that's how it's set by OpenSSL (and that's what they are?).
|
||||
|
||||
switch (q_SSL_version(dtls.tlsConnection.data())) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case DTLS1_VERSION:
|
||||
sessionProtocol = QSsl::DtlsV1_0;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case DTLS1_2_VERSION:
|
||||
sessionProtocol = QSsl::DtlsV1_2;
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -102,13 +102,16 @@ long QSslContext::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptio
|
|||
{
|
||||
long options;
|
||||
switch (protocol) {
|
||||
case QSsl::SecureProtocols:
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::TlsV1_0OrLater:
|
||||
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
|
||||
break;
|
||||
case QSsl::TlsV1_1OrLater:
|
||||
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case QSsl::SecureProtocols:
|
||||
case QSsl::TlsV1_2OrLater:
|
||||
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
|
||||
break;
|
||||
|
|
@ -363,8 +366,11 @@ void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mo
|
|||
bool isDtls = false;
|
||||
init_context:
|
||||
switch (sslContext->sslConfiguration.protocol()) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::DtlsV1_0:
|
||||
case QSsl::DtlsV1_0OrLater:
|
||||
QT_WARNING_POP
|
||||
case QSsl::DtlsV1_2:
|
||||
case QSsl::DtlsV1_2OrLater:
|
||||
#if QT_CONFIG(dtls)
|
||||
|
|
@ -419,6 +425,8 @@ init_context:
|
|||
long maxVersion = anyVersion;
|
||||
|
||||
switch (sslContext->sslConfiguration.protocol()) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::TlsV1_0:
|
||||
minVersion = TLS1_VERSION;
|
||||
maxVersion = TLS1_VERSION;
|
||||
|
|
@ -427,6 +435,7 @@ init_context:
|
|||
minVersion = TLS1_1_VERSION;
|
||||
maxVersion = TLS1_1_VERSION;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case QSsl::TlsV1_2:
|
||||
minVersion = TLS1_2_VERSION;
|
||||
maxVersion = TLS1_2_VERSION;
|
||||
|
|
@ -443,7 +452,8 @@ init_context:
|
|||
break;
|
||||
// Ranges:
|
||||
case QSsl::AnyProtocol:
|
||||
case QSsl::SecureProtocols:
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::TlsV1_0OrLater:
|
||||
minVersion = TLS1_VERSION;
|
||||
maxVersion = 0;
|
||||
|
|
@ -452,10 +462,14 @@ init_context:
|
|||
minVersion = TLS1_1_VERSION;
|
||||
maxVersion = 0;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case QSsl::SecureProtocols:
|
||||
case QSsl::TlsV1_2OrLater:
|
||||
minVersion = TLS1_2_VERSION;
|
||||
maxVersion = 0;
|
||||
break;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::DtlsV1_0:
|
||||
minVersion = DTLS1_VERSION;
|
||||
maxVersion = DTLS1_VERSION;
|
||||
|
|
@ -464,6 +478,7 @@ init_context:
|
|||
minVersion = DTLS1_VERSION;
|
||||
maxVersion = DTLS_MAX_VERSION;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case QSsl::DtlsV1_2:
|
||||
minVersion = DTLS1_2_VERSION;
|
||||
maxVersion = DTLS1_2_VERSION;
|
||||
|
|
|
|||
|
|
@ -1159,10 +1159,13 @@ QSsl::SslProtocol TlsCryptographOpenSSL::sessionProtocol() const
|
|||
|
||||
const int ver = q_SSL_version(ssl);
|
||||
switch (ver) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case 0x301:
|
||||
return QSsl::TlsV1_0;
|
||||
case 0x302:
|
||||
return QSsl::TlsV1_1;
|
||||
QT_WARNING_POP
|
||||
case 0x303:
|
||||
return QSsl::TlsV1_2;
|
||||
case 0x304:
|
||||
|
|
|
|||
|
|
@ -291,10 +291,13 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const
|
|||
|
||||
protocols << QSsl::AnyProtocol;
|
||||
protocols << QSsl::SecureProtocols;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
protocols << QSsl::TlsV1_0;
|
||||
protocols << QSsl::TlsV1_0OrLater;
|
||||
protocols << QSsl::TlsV1_1;
|
||||
protocols << QSsl::TlsV1_1OrLater;
|
||||
QT_WARNING_POP
|
||||
protocols << QSsl::TlsV1_2;
|
||||
protocols << QSsl::TlsV1_2OrLater;
|
||||
|
||||
|
|
@ -304,8 +307,11 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const
|
|||
#endif // TLS1_3_VERSION
|
||||
|
||||
#if QT_CONFIG(dtls)
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
protocols << QSsl::DtlsV1_0;
|
||||
protocols << QSsl::DtlsV1_0OrLater;
|
||||
QT_WARNING_POP
|
||||
protocols << QSsl::DtlsV1_2;
|
||||
protocols << QSsl::DtlsV1_2OrLater;
|
||||
#endif // dtls
|
||||
|
|
|
|||
|
|
@ -176,8 +176,11 @@ QList<QSslCipher> defaultCiphers()
|
|||
// @temp (I hope), stolen from qsslsocket_winrt.cpp
|
||||
const QString protocolStrings[] = { QStringLiteral("TLSv1"), QStringLiteral("TLSv1.1"),
|
||||
QStringLiteral("TLSv1.2"), QStringLiteral("TLSv1.3") };
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
const QSsl::SslProtocol protocols[] = { QSsl::TlsV1_0, QSsl::TlsV1_1,
|
||||
QSsl::TlsV1_2, QSsl::TlsV1_3 };
|
||||
QT_WARNING_POP
|
||||
const int size = ARRAYSIZE(protocols);
|
||||
static_assert(size == ARRAYSIZE(protocolStrings));
|
||||
ciphers.reserve(size);
|
||||
|
|
@ -264,10 +267,13 @@ QList<QSsl::SslProtocol> QSchannelBackend::supportedProtocols() const
|
|||
|
||||
protocols << QSsl::AnyProtocol;
|
||||
protocols << QSsl::SecureProtocols;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
protocols << QSsl::TlsV1_0;
|
||||
protocols << QSsl::TlsV1_0OrLater;
|
||||
protocols << QSsl::TlsV1_1;
|
||||
protocols << QSsl::TlsV1_1OrLater;
|
||||
QT_WARNING_POP
|
||||
protocols << QSsl::TlsV1_2;
|
||||
protocols << QSsl::TlsV1_2OrLater;
|
||||
|
||||
|
|
@ -430,9 +436,12 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
|
|||
switch (protocol) {
|
||||
case QSsl::UnknownProtocol:
|
||||
return DWORD(-1);
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::DtlsV1_0:
|
||||
case QSsl::DtlsV1_2:
|
||||
case QSsl::DtlsV1_0OrLater:
|
||||
QT_WARNING_POP
|
||||
case QSsl::DtlsV1_2:
|
||||
case QSsl::DtlsV1_2OrLater:
|
||||
return DWORD(-1); // Not supported at the moment (@future)
|
||||
case QSsl::AnyProtocol:
|
||||
|
|
@ -440,12 +449,15 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
|
|||
if (supportsTls13())
|
||||
protocols |= SP_PROT_TLS1_3;
|
||||
break;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::TlsV1_0:
|
||||
protocols = SP_PROT_TLS1_0;
|
||||
break;
|
||||
case QSsl::TlsV1_1:
|
||||
protocols = SP_PROT_TLS1_1;
|
||||
break;
|
||||
QT_WARNING_POP
|
||||
case QSsl::TlsV1_2:
|
||||
protocols = SP_PROT_TLS1_2;
|
||||
break;
|
||||
|
|
@ -455,7 +467,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
|
|||
else
|
||||
protocols = DWORD(-1);
|
||||
break;
|
||||
case QSsl::SecureProtocols: // TLS v1.0 and later is currently considered secure
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::TlsV1_0OrLater:
|
||||
// For the "OrLater" protocols we fall through from one to the next, adding all of them
|
||||
// in ascending order
|
||||
|
|
@ -464,6 +477,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
|
|||
case QSsl::TlsV1_1OrLater:
|
||||
protocols |= SP_PROT_TLS1_1;
|
||||
Q_FALLTHROUGH();
|
||||
QT_WARNING_POP
|
||||
case QSsl::SecureProtocols: // TLS v1.2 and later is currently considered secure
|
||||
case QSsl::TlsV1_2OrLater:
|
||||
protocols |= SP_PROT_TLS1_2;
|
||||
Q_FALLTHROUGH();
|
||||
|
|
@ -504,8 +519,11 @@ QSsl::SslProtocol toQtSslProtocol(DWORD protocol)
|
|||
return q_protocol; \
|
||||
}
|
||||
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
MAP_PROTOCOL(SP_PROT_TLS1_0, QSsl::TlsV1_0)
|
||||
MAP_PROTOCOL(SP_PROT_TLS1_1, QSsl::TlsV1_1)
|
||||
QT_WARNING_POP
|
||||
MAP_PROTOCOL(SP_PROT_TLS1_2, QSsl::TlsV1_2)
|
||||
MAP_PROTOCOL(SP_PROT_TLS1_3, QSsl::TlsV1_3)
|
||||
#undef MAP_PROTOCOL
|
||||
|
|
|
|||
|
|
@ -439,10 +439,13 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const
|
|||
}
|
||||
|
||||
switch (protocol) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case kTLSProtocol1:
|
||||
return QSsl::TlsV1_0;
|
||||
case kTLSProtocol11:
|
||||
return QSsl::TlsV1_1;
|
||||
QT_WARNING_POP
|
||||
case kTLSProtocol12:
|
||||
return QSsl::TlsV1_2;
|
||||
case kTLSProtocol13:
|
||||
|
|
@ -922,6 +925,8 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
|
|||
|
||||
OSStatus err = errSecSuccess;
|
||||
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
if (configuration.protocol() == QSsl::TlsV1_0) {
|
||||
#ifdef QSSLSOCKET_DEBUG
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0";
|
||||
|
|
@ -936,6 +941,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
|
|||
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
|
||||
if (err == errSecSuccess)
|
||||
err = SSLSetProtocolVersionMax(context, kTLSProtocol11);
|
||||
QT_WARNING_POP
|
||||
} else if (configuration.protocol() == QSsl::TlsV1_2) {
|
||||
#ifdef QSSLSOCKET_DEBUG
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
|
||||
|
|
@ -950,9 +956,11 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
|
|||
err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
|
||||
} else if (configuration.protocol() == QSsl::SecureProtocols) {
|
||||
#ifdef QSSLSOCKET_DEBUG
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
|
||||
#endif
|
||||
err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
|
||||
err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
} else if (configuration.protocol() == QSsl::TlsV1_0OrLater) {
|
||||
#ifdef QSSLSOCKET_DEBUG
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
|
||||
|
|
@ -963,6 +971,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
|
|||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2";
|
||||
#endif
|
||||
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
|
||||
QT_WARNING_POP
|
||||
} else if (configuration.protocol() == QSsl::TlsV1_2OrLater) {
|
||||
#ifdef QSSLSOCKET_DEBUG
|
||||
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
|
||||
|
|
@ -999,11 +1008,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const
|
|||
if (configuration.protocol() == QSsl::AnyProtocol)
|
||||
protocolOk = true;
|
||||
else if (configuration.protocol() == QSsl::SecureProtocols)
|
||||
protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
|
||||
protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
else if (configuration.protocol() == QSsl::TlsV1_0OrLater)
|
||||
protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
|
||||
else if (configuration.protocol() == QSsl::TlsV1_1OrLater)
|
||||
protocolOk = (sessionProtocol() >= QSsl::TlsV1_1);
|
||||
QT_WARNING_POP
|
||||
else if (configuration.protocol() == QSsl::TlsV1_2OrLater)
|
||||
protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
|
||||
else if (configuration.protocol() == QSsl::TlsV1_3OrLater)
|
||||
|
|
|
|||
|
|
@ -294,10 +294,13 @@ QList<QSsl::SslProtocol> QSecureTransportBackend::supportedProtocols() const
|
|||
|
||||
protocols << QSsl::AnyProtocol;
|
||||
protocols << QSsl::SecureProtocols;
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
protocols << QSsl::TlsV1_0;
|
||||
protocols << QSsl::TlsV1_0OrLater;
|
||||
protocols << QSsl::TlsV1_1;
|
||||
protocols << QSsl::TlsV1_1OrLater;
|
||||
QT_WARNING_POP
|
||||
protocols << QSsl::TlsV1_2;
|
||||
protocols << QSsl::TlsV1_2OrLater;
|
||||
|
||||
|
|
|
|||
|
|
@ -99,8 +99,11 @@ QDtlsBasePrivate::cookieGeneratorParameters() const
|
|||
bool QDtlsBasePrivate::isDtlsProtocol(QSsl::SslProtocol protocol)
|
||||
{
|
||||
switch (protocol) {
|
||||
QT_WARNING_PUSH
|
||||
QT_WARNING_DISABLE_DEPRECATED
|
||||
case QSsl::DtlsV1_0:
|
||||
case QSsl::DtlsV1_0OrLater:
|
||||
QT_WARNING_POP
|
||||
case QSsl::DtlsV1_2:
|
||||
case QSsl::DtlsV1_2OrLater:
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -825,6 +825,13 @@ void tst_QSslSocket::simpleConnect()
|
|||
return;
|
||||
|
||||
QSslSocket socket;
|
||||
|
||||
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
|
||||
// QTQAINFRA-4499
|
||||
QSslConfiguration config = socket.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
socket.setSslConfiguration(config);
|
||||
|
||||
QSignalSpy connectedSpy(&socket, SIGNAL(connected()));
|
||||
QSignalSpy hostFoundSpy(&socket, SIGNAL(hostFound()));
|
||||
QSignalSpy disconnectedSpy(&socket, SIGNAL(disconnected()));
|
||||
|
|
@ -887,6 +894,12 @@ void tst_QSslSocket::simpleConnectWithIgnore()
|
|||
QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted()));
|
||||
QSignalSpy sslErrorsSpy(&socket, SIGNAL(sslErrors(QList<QSslError>)));
|
||||
|
||||
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
|
||||
// QTQAINFRA-4499
|
||||
QSslConfiguration config = socket.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
socket.setSslConfiguration(config);
|
||||
|
||||
connect(&socket, SIGNAL(readyRead()), this, SLOT(exitLoop()));
|
||||
connect(&socket, SIGNAL(encrypted()), this, SLOT(exitLoop()));
|
||||
connect(&socket, SIGNAL(connected()), this, SLOT(exitLoop()));
|
||||
|
|
@ -936,10 +949,12 @@ void tst_QSslSocket::sslErrors()
|
|||
QFETCH(int, port);
|
||||
|
||||
QSslSocketPtr socket = newSocket();
|
||||
if (isTestingSchannel) {
|
||||
// Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server
|
||||
socket->setProtocol(QSsl::SslProtocol::TlsV1_0);
|
||||
}
|
||||
|
||||
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
|
||||
// QTQAINFRA-4499
|
||||
QSslConfiguration config = socket->sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
socket->setSslConfiguration(config);
|
||||
|
||||
QSignalSpy sslErrorsSpy(socket.data(), SIGNAL(sslErrors(QList<QSslError>)));
|
||||
QSignalSpy peerVerifyErrorSpy(socket.data(), SIGNAL(peerVerifyError(QSslError)));
|
||||
|
|
@ -1438,7 +1453,7 @@ public:
|
|||
config(QSslConfiguration::defaultConfiguration()),
|
||||
ignoreSslErrors(true),
|
||||
peerVerifyMode(QSslSocket::AutoVerifyPeer),
|
||||
protocol(QSsl::TlsV1_0),
|
||||
protocol(QSsl::SecureProtocols),
|
||||
m_keyFile(keyFile),
|
||||
m_certFile(certFile),
|
||||
m_interFile(interFile)
|
||||
|
|
@ -1460,6 +1475,7 @@ signals:
|
|||
void handshakeInterruptedOnError(const QSslError& rrror);
|
||||
void gotAlert(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message);
|
||||
void alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message);
|
||||
void socketEncrypted(QSslSocket *);
|
||||
|
||||
protected:
|
||||
void incomingConnection(qintptr socketDescriptor) override
|
||||
|
|
@ -1477,6 +1493,7 @@ protected:
|
|||
connect(socket, &QSslSocket::alertReceived, this, &SslServer::gotAlert);
|
||||
connect(socket, &QSslSocket::alertSent, this, &SslServer::alertSent);
|
||||
connect(socket, &QSslSocket::preSharedKeyAuthenticationRequired, this, &SslServer::preSharedKeyAuthenticationRequired);
|
||||
connect(socket, &QSslSocket::encrypted, this, [this](){ emit socketEncrypted(socket); });
|
||||
|
||||
QFile file(m_keyFile);
|
||||
QVERIFY(file.open(QIODevice::ReadOnly));
|
||||
|
|
@ -1545,10 +1562,10 @@ void tst_QSslSocket::protocolServerSide_data()
|
|||
QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true;
|
||||
QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true;
|
||||
|
||||
QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true;
|
||||
QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << false;
|
||||
QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true;
|
||||
|
||||
QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << true;
|
||||
QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << false;
|
||||
QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true;
|
||||
|
||||
QTest::newRow("tls1.0orlater-tls1.0") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_0 << true;
|
||||
|
|
@ -1646,6 +1663,7 @@ void tst_QSslSocket::serverCipherPreferences()
|
|||
// First using the default (server preference)
|
||||
{
|
||||
SslServer server;
|
||||
server.protocol = QSsl::TlsV1_0;
|
||||
server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")};
|
||||
QVERIFY(server.listen());
|
||||
|
||||
|
|
@ -1656,6 +1674,7 @@ void tst_QSslSocket::serverCipherPreferences()
|
|||
socket = &client;
|
||||
|
||||
auto sslConfig = socket->sslConfiguration();
|
||||
sslConfig.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")});
|
||||
socket->setSslConfiguration(sslConfig);
|
||||
|
||||
|
|
@ -1678,6 +1697,7 @@ void tst_QSslSocket::serverCipherPreferences()
|
|||
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
|
||||
config.setSslOption(QSsl::SslOptionDisableServerCipherPreference, true);
|
||||
server.config = config;
|
||||
server.protocol = QSsl::TlsV1_0OrLater;
|
||||
server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")};
|
||||
QVERIFY(server.listen());
|
||||
|
||||
|
|
@ -1688,6 +1708,7 @@ void tst_QSslSocket::serverCipherPreferences()
|
|||
socket = &client;
|
||||
|
||||
auto sslConfig = socket->sslConfiguration();
|
||||
sslConfig.setProtocol(QSsl::TlsV1_0);
|
||||
sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")});
|
||||
socket->setSslConfiguration(sslConfig);
|
||||
|
||||
|
|
@ -1934,6 +1955,12 @@ void tst_QSslSocket::waitForConnectedEncryptedReadyRead()
|
|||
QSslSocketPtr socket = newSocket();
|
||||
this->socket = socket.data();
|
||||
|
||||
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
|
||||
// QTQAINFRA-4499
|
||||
QSslConfiguration config = socket->sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
socket->setSslConfiguration(config);
|
||||
|
||||
connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
|
||||
socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993);
|
||||
|
||||
|
|
@ -2212,8 +2239,17 @@ void tst_QSslSocket::spontaneousWrite()
|
|||
receiver->startClientEncryption();
|
||||
|
||||
// SSL handshake:
|
||||
connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
|
||||
// Need to wait for both sides to emit encrypted as the ordering of which
|
||||
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
|
||||
int waitFor = 2;
|
||||
auto earlyQuitter = [&waitFor]() {
|
||||
if (!--waitFor)
|
||||
exitLoop();
|
||||
};
|
||||
connect(receiver, &QSslSocket::encrypted, this, earlyQuitter);
|
||||
connect(sender, &QSslSocket::encrypted, this, earlyQuitter);
|
||||
enterLoop(1);
|
||||
|
||||
QVERIFY(!timeout());
|
||||
QVERIFY(sender->isEncrypted());
|
||||
QVERIFY(receiver->isEncrypted());
|
||||
|
|
@ -2256,9 +2292,21 @@ void tst_QSslSocket::setReadBufferSize()
|
|||
receiver->ignoreSslErrors();
|
||||
receiver->startClientEncryption();
|
||||
|
||||
// SSL handshake:
|
||||
connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
|
||||
// Need to wait for both sides to emit encrypted as the ordering of which
|
||||
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
|
||||
int waitFor = 2;
|
||||
auto earlyQuitter = [&waitFor]() {
|
||||
if (!--waitFor)
|
||||
exitLoop();
|
||||
};
|
||||
connect(receiver, &QSslSocket::encrypted, this, earlyQuitter);
|
||||
connect(sender, &QSslSocket::encrypted, this, earlyQuitter);
|
||||
|
||||
enterLoop(1);
|
||||
if (!sender->isEncrypted()) {
|
||||
connect(sender, &QSslSocket::encrypted, this, &tst_QSslSocket::exitLoop);
|
||||
enterLoop(1);
|
||||
}
|
||||
QVERIFY(!timeout());
|
||||
QVERIFY(sender->isEncrypted());
|
||||
QVERIFY(receiver->isEncrypted());
|
||||
|
|
@ -3082,6 +3130,12 @@ void tst_QSslSocket::resume()
|
|||
QSslSocket socket;
|
||||
socket.setPauseMode(QAbstractSocket::PauseOnSslErrors);
|
||||
|
||||
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
|
||||
// QTQAINFRA-4499
|
||||
QSslConfiguration config = socket.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
socket.setSslConfiguration(config);
|
||||
|
||||
QSignalSpy sslErrorSpy(&socket, SIGNAL(sslErrors(QList<QSslError>)));
|
||||
QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted()));
|
||||
QSignalSpy errorSpy(&socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)));
|
||||
|
|
@ -3414,6 +3468,7 @@ void tst_QSslSocket::dhServerCustomParamsNull()
|
|||
|
||||
SslServer server;
|
||||
server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")};
|
||||
server.protocol = QSsl::TlsV1_0;
|
||||
|
||||
QSslConfiguration cfg = server.config;
|
||||
cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters());
|
||||
|
|
@ -3425,6 +3480,9 @@ void tst_QSslSocket::dhServerCustomParamsNull()
|
|||
QTimer::singleShot(5000, &loop, SLOT(quit()));
|
||||
|
||||
QSslSocket client;
|
||||
QSslConfiguration config = client.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0);
|
||||
client.setSslConfiguration(config);
|
||||
socket = &client;
|
||||
connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
|
||||
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
|
||||
|
|
@ -3606,6 +3664,7 @@ void tst_QSslSocket::verifyClientCertificate()
|
|||
}
|
||||
|
||||
SslServer server;
|
||||
server.protocol = QSsl::TlsV1_0;
|
||||
server.addCaCertificates = testDataDir + "certs/bogus-ca.crt";
|
||||
server.ignoreSslErrors = false;
|
||||
server.peerVerifyMode = peerVerifyMode;
|
||||
|
|
@ -3619,6 +3678,9 @@ void tst_QSslSocket::verifyClientCertificate()
|
|||
QSslSocket client;
|
||||
client.setLocalCertificateChain(clientCerts);
|
||||
client.setPrivateKey(clientKey);
|
||||
QSslConfiguration config = client.sslConfiguration();
|
||||
config.setProtocol(QSsl::TlsV1_0OrLater);
|
||||
client.setSslConfiguration(config);
|
||||
socket = &client;
|
||||
|
||||
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
|
||||
|
|
@ -3696,11 +3758,19 @@ void tst_QSslSocket::readBufferMaxSize()
|
|||
socket = client.data();
|
||||
connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
|
||||
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
|
||||
connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
|
||||
|
||||
client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(),
|
||||
server.serverPort());
|
||||
|
||||
int waitFor = 2;
|
||||
auto earlyQuitter = [&loop, &waitFor]() {
|
||||
if (!--waitFor)
|
||||
loop.exit();
|
||||
};
|
||||
|
||||
connect(socket, &QSslSocket::encrypted, &loop, earlyQuitter);
|
||||
connect(&server, &SslServer::socketEncrypted, &loop, earlyQuitter);
|
||||
|
||||
// Wait for 'encrypted' first:
|
||||
QTimer::singleShot(5000, &loop, SLOT(quit()));
|
||||
loop.exec();
|
||||
|
|
@ -3786,7 +3856,17 @@ void tst_QSslSocket::allowedProtocolNegotiation()
|
|||
|
||||
QEventLoop loop;
|
||||
QTimer::singleShot(5000, &loop, SLOT(quit()));
|
||||
connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit()));
|
||||
|
||||
// Need to wait for both sides to emit encrypted as the ordering of which
|
||||
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
|
||||
int waitFor = 2;
|
||||
auto earlyQuitter = [&loop, &waitFor]() {
|
||||
if (!--waitFor)
|
||||
loop.exit();
|
||||
};
|
||||
connect(&clientSocket, &QSslSocket::encrypted, &loop, earlyQuitter);
|
||||
connect(server.socket, &QSslSocket::encrypted, &loop, earlyQuitter);
|
||||
|
||||
loop.exec();
|
||||
|
||||
QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() ==
|
||||
|
|
@ -3852,7 +3932,7 @@ public:
|
|||
config(QSslConfiguration::defaultConfiguration()),
|
||||
ignoreSslErrors(true),
|
||||
peerVerifyMode(QSslSocket::AutoVerifyPeer),
|
||||
protocol(QSsl::TlsV1_0),
|
||||
protocol(QSsl::TlsV1_2),
|
||||
m_pskProvider()
|
||||
{
|
||||
m_pskProvider.m_server = true;
|
||||
|
|
@ -4622,6 +4702,15 @@ void tst_QSslSocket::alertMissingCertificate()
|
|||
|
||||
runner.enterLoopMSecs(1000);
|
||||
|
||||
if (clientSocket.isEncrypted()) {
|
||||
// When using TLS 1.3 the client side thinks it is connected very
|
||||
// quickly, before the server has finished processing. So wait for the
|
||||
// inevitable disconnect.
|
||||
QCOMPARE(clientSocket.sessionProtocol(), QSsl::TlsV1_3);
|
||||
connect(&clientSocket, &QSslSocket::disconnected, &runner, &QTestEventLoop::exitLoop);
|
||||
runner.enterLoopMSecs(10000);
|
||||
}
|
||||
|
||||
QVERIFY(serverSpy.count() > 0);
|
||||
QVERIFY(clientSpy.count() > 0);
|
||||
QVERIFY(server.socket && !server.socket->isEncrypted());
|
||||
|
|
|
|||
Loading…
Reference in New Issue