Discussed with Peter and agreed that it's a slightly better fit there.
Change-Id: If8db777336e2273670a23d75d8542b30c07e0d7b
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).
Task-number: QTBUG-1565
[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.
Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Change-Id: I92fa083665509932b75ff1037904a6f78a950fd6
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Change-Id: Ife5b7206fd3d7af57cfca3c0f28f56bb53ede7a7
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Change-Id: I2912dcca77270582f6e989b8b3fb72b82f6f70d6
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.
[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means the you can now implement servers that offer forward-secrecy
using Qt.
Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Output the SSL library version, output socket error string on connection
failure consistently, silence numerous warnings about QIODevice not
being open in tst_QSslSocket::constructing.
Change-Id: Ia23d42de5b2daca55b2f6f50af025d61e99c52a0
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.
Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.
[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.
Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Qt since approximately 4.4 has set the verify callback on both the SSL
store and the SSL context. Only the latter is actually needed. This is
normally not a problem, but openssl prior to 1.0.2 uses the verify
code to find the intermediate certificates for any local certificate
that has been set which can lead to verification errors for the local
certificate to be emitted.
Task-number: QTBUG-33228
Task-number: QTBUG-7200
Task-number: QTBUG-24234
Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
... because it was used to operate a man-in-the-middle proxy.
Task-number: QTBUG-35474
Change-Id: Ic7f19708b278b866e4f06533cbd84e0ff43357e9
Reviewed-by: Richard J. Moore <rich@kde.org>
... but rather throw an error, so the HTTP layer can recover from a SSL
shutdown gracefully. In case the other side sent us a shutdown, we should
not send one as well, as it results in an error.
Change-Id: Ie7a56cf3008b6ead912aade18dbec67846e2a87e
Reviewed-by: Richard J. Moore <rich@kde.org>
The connection to qt-project.org seems to be the one that causes this
particular test case to fail.
Task-number: QTBUG-29941
Change-Id: Ie5e430646997e86e3acb04132cd90a1773a091da
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Remove all trailing whitespace from the following list of files:
*.cpp *.h *.conf *.qdoc *.pro *.pri *.mm *.rc *.pl *.qps *.xpm *.txt *README
excluding 3rdparty, test-data and auto generated code.
Note A): the only non 3rdparty c++-files that still
have trailing whitespace after this change are:
* src/corelib/codecs/cp949codetbl_p.h
* src/corelib/codecs/qjpunicode.cpp
* src/corelib/codecs/qbig5codec.cpp
* src/corelib/xml/qxmlstream_p.h
* src/tools/qdoc/qmlparser/qqmljsgrammar.cpp
* src/tools/uic/ui4.cpp
* tests/auto/other/qtokenautomaton/tokenizers/*
* tests/benchmarks/corelib/tools/qstring/data.cpp
* util/lexgen/tokenizer.cpp
Note B): in about 30 files some overlapping 'leading tab' and
'TAB character in non-leading whitespace' issues have been fixed
to make the sanity bot happy. Plus some general ws-fixes here
and there as asked for during review.
Change-Id: Ia713113c34d82442d6ce4d93d8b1cf545075d11d
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
It is flakey and often blocks integration.
Task-number: QTBUG-29730
Change-Id: I8acfc243ec6a6782b7f7d78fc27827f3fdc1ce52
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
Add intermediate certificates to our server sockets, and to our client
certs.
Change-Id: Ib5aa575473f9e84f337bebe35099506dd7d7e2ba
Task-Number: QTBUG-19825
Task-Number: QTBUG-13281
Reviewed-by: Peter Hartmann <phartmann@rim.com>
Instead of storing a single QSslCertificate for a the local cert, store
a list of them. This will allow us to handle server sockets that use a
certificate that is not issued directly from the CA root in future.
Change-Id: I9a36b9a99daa9c0bdd17f61b4ce1a7da746f2e96
Reviewed-by: Peter Hartmann <phartmann@rim.com>
It's flakey and is blocking integration. Tracked in QTBUG-29730.
Change-Id: Ia5b8f952314bf2e1aa6dbb5c5c0a97e32e68d0f6
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com>
Do not include qsslsocket_p.h unless SSL is present.
Change-Id: I7e56b7758729907892d85f97d5a9d3ccaf7a3314
Reviewed-by: Peter Hartmann <phartmann@rim.com>
DER certificates should not be opened as text files, so we
only pass the QIODevice::Text flag when the format is
QSsl::Pem.
Change-Id: I4bad98023c397b967d5beeec0aaa6c414e06fd9c
Reviewed-by: Richard J. Moore <rich@kde.org>
make sure we keep track of when we can load root certs and when we
cannot (we cannot when the developer set the certs explicitly). This is
implemented the same way for QSslSocket already, and needs to be
duplicated because we have 2 methods for setting CA certificates: one in
QSslSocket and one in QSslConfiguration.
In addition, adapt the auto test which checks whether setting a default
QSslConfiguration works: There is no way to set on demand loading
through the API, so it should be enabled by default.
Task-number: QTBUG-29103
Change-Id: I5146128aaa385dfcc0ad1e0ef81a92d9350ec5f2
Reviewed-by: Richard J. Moore <rich@kde.org>
Those certificates have erroneously set the CA attribute to true,
meaning everybody in possesion of their keys can issue certificates on
their own.
Task-number: QTBUG-28937
Change-Id: Iff351e590ad3e6ab802e6fa1d65a9a9a9f7683de
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
trolltech.com seems to be shut down already
Change-Id: Ic90ce01aeb51b6f154b9bbf4762c365a398c9e3d
Reviewed-by: Simo Fält <simo.falt@digia.com>
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
The QSslSocket one is both wrong and redundant as there is a
Q_DECLARE_METATYPE for it already.
Change-Id: I63d065abfb3d0e3d82a8b1f29a6752b7676db847
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@digia.com>
Different OpenSSL versions produce slightly different output when
dumping a certificate.
Change-Id: Ida98b24422302e287641be074d6740ca292cf203
Reviewed-by: Richard J. Moore <rich@kde.org>
Change copyrights and license headers from Nokia to Digia
Change-Id: If1cc974286d29fd01ec6c19dd4719a67f4c3f00e
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@digia.com>
Disable SSL compression by default since this appears to be the a likely
cause of the currently hyped CRIME attack.
Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>