TLS: Mark TLS 1.0, 1.1 and DTLS 1.0 deprecated

As per the best practice laid forth in RFC-8996.
TLS 1.2 was recommended from 2008 until TLS 1.3 was released in 2018.

[ChangeLog][QtNetwork][QSslSocket] TLS 1.0, 1.1 and DTLS 1.0 are now
deprecated, as recommended by RFC-8996.

Fixes: QTBUG-92880
Change-Id: I90cebcfb07cfce623af7ac9f2b66ce9d02586b54
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
bb10
Mårten Nordheim 2021-06-18 12:46:33 +02:00
parent 664a6621fb
commit bb93c641a2
14 changed files with 186 additions and 28 deletions

View File

@ -50,7 +50,7 @@
//! [0]
QSslConfiguration config = sslSocket.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0);
config.setProtocol(QSsl::TlsV1_2);
sslSocket.setSslConfiguration(config);
//! [0]

View File

@ -73,18 +73,18 @@ namespace QSsl {
};
enum SslProtocol {
TlsV1_0,
TlsV1_1,
TlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
TlsV1_1 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
TlsV1_2,
AnyProtocol,
SecureProtocols,
TlsV1_0OrLater,
TlsV1_1OrLater,
TlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
TlsV1_1OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."),
TlsV1_2OrLater,
DtlsV1_0,
DtlsV1_0OrLater,
DtlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."),
DtlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."),
DtlsV1_2,
DtlsV1_2OrLater,

View File

@ -107,7 +107,7 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
change the settings in the related SSL connection. You must call
setSslConfiguration on a modified QSslConfiguration object to
achieve that. The following example illustrates how to change the
protocol to TLSv1_0 in a QSslSocket object:
protocol to TLSv1_2 in a QSslSocket object:
\snippet code/src_network_ssl_qsslconfiguration.cpp 0

View File

@ -2092,6 +2092,8 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
// Should not be used when configuring QSslSocket.
protocolName = QLatin1String("UnknownProtocol");
Q_FALLTHROUGH();
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::DtlsV1_0:
case QSsl::DtlsV1_2:
case QSsl::DtlsV1_0OrLater:
@ -2100,6 +2102,7 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
QSslSocket::tr("Attempted to use an unsupported protocol."));
return false;
QT_WARNING_POP
default:
return true;
}

View File

@ -808,6 +808,8 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int
QString protoString = descriptionList.at(1).toString();
ciph.d->protocolString = protoString;
ciph.d->protocol = QSsl::UnknownProtocol;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
if (protoString == QLatin1String("TLSv1"))
ciph.d->protocol = QSsl::TlsV1_0;
else if (protoString == QLatin1String("TLSv1.1"))
@ -816,6 +818,7 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int
ciph.d->protocol = QSsl::TlsV1_2;
else if (protoString == QLatin1String("TLSv1.3"))
ciph.d->protocol = QSsl::TlsV1_3;
QT_WARNING_POP
if (descriptionList.at(2).startsWith(QLatin1String("Kx=")))
ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3).toString();

View File

@ -1421,9 +1421,12 @@ void QDtlsPrivateOpenSSL::fetchNegotiatedParameters()
// TLS 1.2, that's how it's set by OpenSSL (and that's what they are?).
switch (q_SSL_version(dtls.tlsConnection.data())) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case DTLS1_VERSION:
sessionProtocol = QSsl::DtlsV1_0;
break;
QT_WARNING_POP
case DTLS1_2_VERSION:
sessionProtocol = QSsl::DtlsV1_2;
break;

View File

@ -102,13 +102,16 @@ long QSslContext::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptio
{
long options;
switch (protocol) {
case QSsl::SecureProtocols:
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::TlsV1_0OrLater:
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
break;
case QSsl::TlsV1_1OrLater:
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
break;
QT_WARNING_POP
case QSsl::SecureProtocols:
case QSsl::TlsV1_2OrLater:
options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
break;
@ -363,8 +366,11 @@ void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mo
bool isDtls = false;
init_context:
switch (sslContext->sslConfiguration.protocol()) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::DtlsV1_0:
case QSsl::DtlsV1_0OrLater:
QT_WARNING_POP
case QSsl::DtlsV1_2:
case QSsl::DtlsV1_2OrLater:
#if QT_CONFIG(dtls)
@ -419,6 +425,8 @@ init_context:
long maxVersion = anyVersion;
switch (sslContext->sslConfiguration.protocol()) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::TlsV1_0:
minVersion = TLS1_VERSION;
maxVersion = TLS1_VERSION;
@ -427,6 +435,7 @@ init_context:
minVersion = TLS1_1_VERSION;
maxVersion = TLS1_1_VERSION;
break;
QT_WARNING_POP
case QSsl::TlsV1_2:
minVersion = TLS1_2_VERSION;
maxVersion = TLS1_2_VERSION;
@ -443,7 +452,8 @@ init_context:
break;
// Ranges:
case QSsl::AnyProtocol:
case QSsl::SecureProtocols:
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::TlsV1_0OrLater:
minVersion = TLS1_VERSION;
maxVersion = 0;
@ -452,10 +462,14 @@ init_context:
minVersion = TLS1_1_VERSION;
maxVersion = 0;
break;
QT_WARNING_POP
case QSsl::SecureProtocols:
case QSsl::TlsV1_2OrLater:
minVersion = TLS1_2_VERSION;
maxVersion = 0;
break;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::DtlsV1_0:
minVersion = DTLS1_VERSION;
maxVersion = DTLS1_VERSION;
@ -464,6 +478,7 @@ init_context:
minVersion = DTLS1_VERSION;
maxVersion = DTLS_MAX_VERSION;
break;
QT_WARNING_POP
case QSsl::DtlsV1_2:
minVersion = DTLS1_2_VERSION;
maxVersion = DTLS1_2_VERSION;

View File

@ -1159,10 +1159,13 @@ QSsl::SslProtocol TlsCryptographOpenSSL::sessionProtocol() const
const int ver = q_SSL_version(ssl);
switch (ver) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case 0x301:
return QSsl::TlsV1_0;
case 0x302:
return QSsl::TlsV1_1;
QT_WARNING_POP
case 0x303:
return QSsl::TlsV1_2;
case 0x304:

View File

@ -291,10 +291,13 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const
protocols << QSsl::AnyProtocol;
protocols << QSsl::SecureProtocols;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
protocols << QSsl::TlsV1_0;
protocols << QSsl::TlsV1_0OrLater;
protocols << QSsl::TlsV1_1;
protocols << QSsl::TlsV1_1OrLater;
QT_WARNING_POP
protocols << QSsl::TlsV1_2;
protocols << QSsl::TlsV1_2OrLater;
@ -304,8 +307,11 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const
#endif // TLS1_3_VERSION
#if QT_CONFIG(dtls)
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
protocols << QSsl::DtlsV1_0;
protocols << QSsl::DtlsV1_0OrLater;
QT_WARNING_POP
protocols << QSsl::DtlsV1_2;
protocols << QSsl::DtlsV1_2OrLater;
#endif // dtls

View File

@ -176,8 +176,11 @@ QList<QSslCipher> defaultCiphers()
// @temp (I hope), stolen from qsslsocket_winrt.cpp
const QString protocolStrings[] = { QStringLiteral("TLSv1"), QStringLiteral("TLSv1.1"),
QStringLiteral("TLSv1.2"), QStringLiteral("TLSv1.3") };
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
const QSsl::SslProtocol protocols[] = { QSsl::TlsV1_0, QSsl::TlsV1_1,
QSsl::TlsV1_2, QSsl::TlsV1_3 };
QT_WARNING_POP
const int size = ARRAYSIZE(protocols);
static_assert(size == ARRAYSIZE(protocolStrings));
ciphers.reserve(size);
@ -264,10 +267,13 @@ QList<QSsl::SslProtocol> QSchannelBackend::supportedProtocols() const
protocols << QSsl::AnyProtocol;
protocols << QSsl::SecureProtocols;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
protocols << QSsl::TlsV1_0;
protocols << QSsl::TlsV1_0OrLater;
protocols << QSsl::TlsV1_1;
protocols << QSsl::TlsV1_1OrLater;
QT_WARNING_POP
protocols << QSsl::TlsV1_2;
protocols << QSsl::TlsV1_2OrLater;
@ -430,9 +436,12 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
switch (protocol) {
case QSsl::UnknownProtocol:
return DWORD(-1);
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::DtlsV1_0:
case QSsl::DtlsV1_2:
case QSsl::DtlsV1_0OrLater:
QT_WARNING_POP
case QSsl::DtlsV1_2:
case QSsl::DtlsV1_2OrLater:
return DWORD(-1); // Not supported at the moment (@future)
case QSsl::AnyProtocol:
@ -440,12 +449,15 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
if (supportsTls13())
protocols |= SP_PROT_TLS1_3;
break;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::TlsV1_0:
protocols = SP_PROT_TLS1_0;
break;
case QSsl::TlsV1_1:
protocols = SP_PROT_TLS1_1;
break;
QT_WARNING_POP
case QSsl::TlsV1_2:
protocols = SP_PROT_TLS1_2;
break;
@ -455,7 +467,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
else
protocols = DWORD(-1);
break;
case QSsl::SecureProtocols: // TLS v1.0 and later is currently considered secure
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::TlsV1_0OrLater:
// For the "OrLater" protocols we fall through from one to the next, adding all of them
// in ascending order
@ -464,6 +477,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol)
case QSsl::TlsV1_1OrLater:
protocols |= SP_PROT_TLS1_1;
Q_FALLTHROUGH();
QT_WARNING_POP
case QSsl::SecureProtocols: // TLS v1.2 and later is currently considered secure
case QSsl::TlsV1_2OrLater:
protocols |= SP_PROT_TLS1_2;
Q_FALLTHROUGH();
@ -504,8 +519,11 @@ QSsl::SslProtocol toQtSslProtocol(DWORD protocol)
return q_protocol; \
}
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
MAP_PROTOCOL(SP_PROT_TLS1_0, QSsl::TlsV1_0)
MAP_PROTOCOL(SP_PROT_TLS1_1, QSsl::TlsV1_1)
QT_WARNING_POP
MAP_PROTOCOL(SP_PROT_TLS1_2, QSsl::TlsV1_2)
MAP_PROTOCOL(SP_PROT_TLS1_3, QSsl::TlsV1_3)
#undef MAP_PROTOCOL

View File

@ -439,10 +439,13 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const
}
switch (protocol) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case kTLSProtocol1:
return QSsl::TlsV1_0;
case kTLSProtocol11:
return QSsl::TlsV1_1;
QT_WARNING_POP
case kTLSProtocol12:
return QSsl::TlsV1_2;
case kTLSProtocol13:
@ -922,6 +925,8 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
OSStatus err = errSecSuccess;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
if (configuration.protocol() == QSsl::TlsV1_0) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0";
@ -936,6 +941,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
if (err == errSecSuccess)
err = SSLSetProtocolVersionMax(context, kTLSProtocol11);
QT_WARNING_POP
} else if (configuration.protocol() == QSsl::TlsV1_2) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
@ -950,9 +956,11 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
} else if (configuration.protocol() == QSsl::SecureProtocols) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
#endif
err = SSLSetProtocolVersionMin(context, kTLSProtocol1);
err = SSLSetProtocolVersionMin(context, kTLSProtocol12);
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
} else if (configuration.protocol() == QSsl::TlsV1_0OrLater) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2";
@ -963,6 +971,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol()
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2";
#endif
err = SSLSetProtocolVersionMin(context, kTLSProtocol11);
QT_WARNING_POP
} else if (configuration.protocol() == QSsl::TlsV1_2OrLater) {
#ifdef QSSLSOCKET_DEBUG
qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2";
@ -999,11 +1008,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const
if (configuration.protocol() == QSsl::AnyProtocol)
protocolOk = true;
else if (configuration.protocol() == QSsl::SecureProtocols)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
else if (configuration.protocol() == QSsl::TlsV1_0OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
else if (configuration.protocol() == QSsl::TlsV1_1OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_1);
QT_WARNING_POP
else if (configuration.protocol() == QSsl::TlsV1_2OrLater)
protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);
else if (configuration.protocol() == QSsl::TlsV1_3OrLater)

View File

@ -294,10 +294,13 @@ QList<QSsl::SslProtocol> QSecureTransportBackend::supportedProtocols() const
protocols << QSsl::AnyProtocol;
protocols << QSsl::SecureProtocols;
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
protocols << QSsl::TlsV1_0;
protocols << QSsl::TlsV1_0OrLater;
protocols << QSsl::TlsV1_1;
protocols << QSsl::TlsV1_1OrLater;
QT_WARNING_POP
protocols << QSsl::TlsV1_2;
protocols << QSsl::TlsV1_2OrLater;

View File

@ -99,8 +99,11 @@ QDtlsBasePrivate::cookieGeneratorParameters() const
bool QDtlsBasePrivate::isDtlsProtocol(QSsl::SslProtocol protocol)
{
switch (protocol) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
case QSsl::DtlsV1_0:
case QSsl::DtlsV1_0OrLater:
QT_WARNING_POP
case QSsl::DtlsV1_2:
case QSsl::DtlsV1_2OrLater:
return true;

View File

@ -825,6 +825,13 @@ void tst_QSslSocket::simpleConnect()
return;
QSslSocket socket;
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
// QTQAINFRA-4499
QSslConfiguration config = socket.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
socket.setSslConfiguration(config);
QSignalSpy connectedSpy(&socket, SIGNAL(connected()));
QSignalSpy hostFoundSpy(&socket, SIGNAL(hostFound()));
QSignalSpy disconnectedSpy(&socket, SIGNAL(disconnected()));
@ -887,6 +894,12 @@ void tst_QSslSocket::simpleConnectWithIgnore()
QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted()));
QSignalSpy sslErrorsSpy(&socket, SIGNAL(sslErrors(QList<QSslError>)));
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
// QTQAINFRA-4499
QSslConfiguration config = socket.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
socket.setSslConfiguration(config);
connect(&socket, SIGNAL(readyRead()), this, SLOT(exitLoop()));
connect(&socket, SIGNAL(encrypted()), this, SLOT(exitLoop()));
connect(&socket, SIGNAL(connected()), this, SLOT(exitLoop()));
@ -936,10 +949,12 @@ void tst_QSslSocket::sslErrors()
QFETCH(int, port);
QSslSocketPtr socket = newSocket();
if (isTestingSchannel) {
// Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server
socket->setProtocol(QSsl::SslProtocol::TlsV1_0);
}
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
// QTQAINFRA-4499
QSslConfiguration config = socket->sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
socket->setSslConfiguration(config);
QSignalSpy sslErrorsSpy(socket.data(), SIGNAL(sslErrors(QList<QSslError>)));
QSignalSpy peerVerifyErrorSpy(socket.data(), SIGNAL(peerVerifyError(QSslError)));
@ -1438,7 +1453,7 @@ public:
config(QSslConfiguration::defaultConfiguration()),
ignoreSslErrors(true),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
protocol(QSsl::TlsV1_0),
protocol(QSsl::SecureProtocols),
m_keyFile(keyFile),
m_certFile(certFile),
m_interFile(interFile)
@ -1460,6 +1475,7 @@ signals:
void handshakeInterruptedOnError(const QSslError& rrror);
void gotAlert(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message);
void alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &message);
void socketEncrypted(QSslSocket *);
protected:
void incomingConnection(qintptr socketDescriptor) override
@ -1477,6 +1493,7 @@ protected:
connect(socket, &QSslSocket::alertReceived, this, &SslServer::gotAlert);
connect(socket, &QSslSocket::alertSent, this, &SslServer::alertSent);
connect(socket, &QSslSocket::preSharedKeyAuthenticationRequired, this, &SslServer::preSharedKeyAuthenticationRequired);
connect(socket, &QSslSocket::encrypted, this, [this](){ emit socketEncrypted(socket); });
QFile file(m_keyFile);
QVERIFY(file.open(QIODevice::ReadOnly));
@ -1545,10 +1562,10 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true;
QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true;
QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true;
QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << false;
QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true;
QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << true;
QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << false;
QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true;
QTest::newRow("tls1.0orlater-tls1.0") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_0 << true;
@ -1646,6 +1663,7 @@ void tst_QSslSocket::serverCipherPreferences()
// First using the default (server preference)
{
SslServer server;
server.protocol = QSsl::TlsV1_0;
server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")};
QVERIFY(server.listen());
@ -1656,6 +1674,7 @@ void tst_QSslSocket::serverCipherPreferences()
socket = &client;
auto sslConfig = socket->sslConfiguration();
sslConfig.setProtocol(QSsl::TlsV1_0OrLater);
sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")});
socket->setSslConfiguration(sslConfig);
@ -1678,6 +1697,7 @@ void tst_QSslSocket::serverCipherPreferences()
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
config.setSslOption(QSsl::SslOptionDisableServerCipherPreference, true);
server.config = config;
server.protocol = QSsl::TlsV1_0OrLater;
server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")};
QVERIFY(server.listen());
@ -1688,6 +1708,7 @@ void tst_QSslSocket::serverCipherPreferences()
socket = &client;
auto sslConfig = socket->sslConfiguration();
sslConfig.setProtocol(QSsl::TlsV1_0);
sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")});
socket->setSslConfiguration(sslConfig);
@ -1934,6 +1955,12 @@ void tst_QSslSocket::waitForConnectedEncryptedReadyRead()
QSslSocketPtr socket = newSocket();
this->socket = socket.data();
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
// QTQAINFRA-4499
QSslConfiguration config = socket->sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
socket->setSslConfiguration(config);
connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993);
@ -2212,8 +2239,17 @@ void tst_QSslSocket::spontaneousWrite()
receiver->startClientEncryption();
// SSL handshake:
connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
// Need to wait for both sides to emit encrypted as the ordering of which
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
int waitFor = 2;
auto earlyQuitter = [&waitFor]() {
if (!--waitFor)
exitLoop();
};
connect(receiver, &QSslSocket::encrypted, this, earlyQuitter);
connect(sender, &QSslSocket::encrypted, this, earlyQuitter);
enterLoop(1);
QVERIFY(!timeout());
QVERIFY(sender->isEncrypted());
QVERIFY(receiver->isEncrypted());
@ -2256,9 +2292,21 @@ void tst_QSslSocket::setReadBufferSize()
receiver->ignoreSslErrors();
receiver->startClientEncryption();
// SSL handshake:
connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
// Need to wait for both sides to emit encrypted as the ordering of which
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
int waitFor = 2;
auto earlyQuitter = [&waitFor]() {
if (!--waitFor)
exitLoop();
};
connect(receiver, &QSslSocket::encrypted, this, earlyQuitter);
connect(sender, &QSslSocket::encrypted, this, earlyQuitter);
enterLoop(1);
if (!sender->isEncrypted()) {
connect(sender, &QSslSocket::encrypted, this, &tst_QSslSocket::exitLoop);
enterLoop(1);
}
QVERIFY(!timeout());
QVERIFY(sender->isEncrypted());
QVERIFY(receiver->isEncrypted());
@ -3082,6 +3130,12 @@ void tst_QSslSocket::resume()
QSslSocket socket;
socket.setPauseMode(QAbstractSocket::PauseOnSslErrors);
// Set TLS 1.0 or above because the server doesn't support TLS 1.2 or above
// QTQAINFRA-4499
QSslConfiguration config = socket.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
socket.setSslConfiguration(config);
QSignalSpy sslErrorSpy(&socket, SIGNAL(sslErrors(QList<QSslError>)));
QSignalSpy encryptedSpy(&socket, SIGNAL(encrypted()));
QSignalSpy errorSpy(&socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)));
@ -3414,6 +3468,7 @@ void tst_QSslSocket::dhServerCustomParamsNull()
SslServer server;
server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")};
server.protocol = QSsl::TlsV1_0;
QSslConfiguration cfg = server.config;
cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters());
@ -3425,6 +3480,9 @@ void tst_QSslSocket::dhServerCustomParamsNull()
QTimer::singleShot(5000, &loop, SLOT(quit()));
QSslSocket client;
QSslConfiguration config = client.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0);
client.setSslConfiguration(config);
socket = &client;
connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
@ -3606,6 +3664,7 @@ void tst_QSslSocket::verifyClientCertificate()
}
SslServer server;
server.protocol = QSsl::TlsV1_0;
server.addCaCertificates = testDataDir + "certs/bogus-ca.crt";
server.ignoreSslErrors = false;
server.peerVerifyMode = peerVerifyMode;
@ -3619,6 +3678,9 @@ void tst_QSslSocket::verifyClientCertificate()
QSslSocket client;
client.setLocalCertificateChain(clientCerts);
client.setPrivateKey(clientKey);
QSslConfiguration config = client.sslConfiguration();
config.setProtocol(QSsl::TlsV1_0OrLater);
client.setSslConfiguration(config);
socket = &client;
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
@ -3696,11 +3758,19 @@ void tst_QSslSocket::readBufferMaxSize()
socket = client.data();
connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(),
server.serverPort());
int waitFor = 2;
auto earlyQuitter = [&loop, &waitFor]() {
if (!--waitFor)
loop.exit();
};
connect(socket, &QSslSocket::encrypted, &loop, earlyQuitter);
connect(&server, &SslServer::socketEncrypted, &loop, earlyQuitter);
// Wait for 'encrypted' first:
QTimer::singleShot(5000, &loop, SLOT(quit()));
loop.exec();
@ -3786,7 +3856,17 @@ void tst_QSslSocket::allowedProtocolNegotiation()
QEventLoop loop;
QTimer::singleShot(5000, &loop, SLOT(quit()));
connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit()));
// Need to wait for both sides to emit encrypted as the ordering of which
// ones emits encrypted() changes depending on whether we use TLS 1.2 or 1.3
int waitFor = 2;
auto earlyQuitter = [&loop, &waitFor]() {
if (!--waitFor)
loop.exit();
};
connect(&clientSocket, &QSslSocket::encrypted, &loop, earlyQuitter);
connect(server.socket, &QSslSocket::encrypted, &loop, earlyQuitter);
loop.exec();
QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() ==
@ -3852,7 +3932,7 @@ public:
config(QSslConfiguration::defaultConfiguration()),
ignoreSslErrors(true),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
protocol(QSsl::TlsV1_0),
protocol(QSsl::TlsV1_2),
m_pskProvider()
{
m_pskProvider.m_server = true;
@ -4622,6 +4702,15 @@ void tst_QSslSocket::alertMissingCertificate()
runner.enterLoopMSecs(1000);
if (clientSocket.isEncrypted()) {
// When using TLS 1.3 the client side thinks it is connected very
// quickly, before the server has finished processing. So wait for the
// inevitable disconnect.
QCOMPARE(clientSocket.sessionProtocol(), QSsl::TlsV1_3);
connect(&clientSocket, &QSslSocket::disconnected, &runner, &QTestEventLoop::exitLoop);
runner.enterLoopMSecs(10000);
}
QVERIFY(serverSpy.count() > 0);
QVERIFY(clientSpy.count() > 0);
QVERIFY(server.socket && !server.socket->isEncrypted());