1. Add a new verification callback. This gives an option
to report errors directly from this callback (by emitting
handshakeInterruptedOnError()). This allows an application
to explain to its peer why the handshake was interrupted (by
sending a corresponding alert message).
2. This also means we want to notice such alerts (in Qt,
from the application's point of view, they are mostly
informational only, no interaction is required). So we
also introduce a new 'info callback', that can notice alert
messages read or written. We also introduce two new enums
describing the level and type of an alert message. QSslSocket
gets three new signals (for incoming/outgoing alerts and
verification errors found early).
3. In case we requested a certificate, but the peer provided
none, we would previously abruptly close the connection without
a proper alert message (and such a situation is not handled
by any verification callbacks, since there is no certificate(s)
to verify essentially). So we now introduce a new verification
option that maps to what OpenSSL calls 'SSL_VERIFY_FAIL_IF_NO_PEER_CERT'.
This way, the proper alert will be generated.
Fixes: QTBUG-68419
Change-Id: I5d1e9298b4040a2d4f867f5b1a3567a2253927b8
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
This will blacklist this test for ci. Currently blocking enabling tests
for MSVC2019
Task-number: QTBUG-65667
Task-number: QTQAINFRA-2875
Change-Id: I7198490b1529ce2f4409bfa7399031dad7644a06
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Heikki Halmet <heikki.halmet@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Instead of OID as string, OpenSSL returns a human-readable name.
No need to fail then, use such a name in QVERIFY if OID not found.
Fixes: QTBUG-80329
Change-Id: I4392fc9f37367f7c34c05d172db015b44e2a8497
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Also, change the notion of 'unsupported protocol' for QSslSocket,
previously it was SslV2 and SslV3, now instead it's all versions
of DTLS and UnknownProtocol:
- makes no sense at all to connect using TCP socket and then
suddenly start using DTLS_client/server_method
- UnknownProtocol is not to be set in a configuration,
unknown means that some ciphersuite's protocol version
cannot be established.
- 'disabledProtocols' auto-test becomes 'unsupportedProtocols'
and tests that QSslSocket fails to start encryption if the
protocol version is wrong.
Handling these enumerators (SslV2 and SslV2) as errors
not needed anymore. Removed from QSslContext and our
existing backends (qsslsocket_whatever).
TlsV1SslV3 enumerator is not making any sense at all (previously
was [SSL v3, TLS 1.0], then became "the same as TLS v. 1.0", but
now this name is very confusing. Removed.
Task-number: QTBUG-75638
Task-number: QTBUG-76501
Change-Id: I2781ba1c3051a7791b476266d4561d956948974a
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
This was used to support QFlags f = 0 initialization, but with 0 used
as a pointer literal now considered bad form, it had been changed many
places to QFlags f = nullptr, which is meaningless and confusing.
Change-Id: I4bc592151c255dc5cab1a232615caecc520f02e8
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
OpenSSL 1.0.2 will stop receiving all support at the end
of 2019. Qt 5.15 is our next LTS thus makes sense remove
OpenSSL 1.0.2 support there. This also allows us quite
a significant cleanup of an old heavily if-defed code
and all 'pre11' suffixed source files.
[ChangeLog][QtNetwork][SSL] Removed OpenSSL 1.0.x support, now 1.1.x is required
Change-Id: I70c70c56cbd8aeff793afe793335696d1b1b7408
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
This is almost 100% source compatible with Qt 5. Exceptions are
* Stability of references for large or non movable types
* taking a PMF for types that are now overloaded with r-value references
in QVector
* The missing prepend optimization in QVector (that is still planned
to come for Qt 6)
Change-Id: I96d44553304dd623def9c70d6fea8fa2fb0373b0
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
If a transfer timeout is set for QNetworkRequest, downloads
and uploads are aborted if the timeout expires and bytes
haven't been transmitted in either direction.
Task-number: QTBUG-3443
Change-Id: I702d223d673f0c6612343dc9d053815acfcb61b8
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
And add a test for it so it can no longer happen in any current or
future implementation.
Change-Id: I3214aa90595e291b1e1c66befe185cfe1ea7bc6b
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
The test fails because the server (reasonably) sends a https redirect.
Let's not rely on external servers serving http indefinitely.
Fixes: QTBUG-71953
Change-Id: I20937b2c6f268519636349bae8c99c1afe64fcf9
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
As it was superseded by HTTP/2. Bye, Speedy. Since it's Qt 6,
we also fix the attribute's enumerator to fit our coding
convention with HTTP2AllowedAttribute becoming Http2AllowedAttribute,
and the same for HTTP2WasUsedAttribute.
tst_qnetworkreply in 'benchmark' directory of qtbase/tests
was updated - we have the logic they tested in preConnectEncrypted
in tst_http2 now.
Manual qnetworkreply test was updated (instead of SPDY in NPN failure
we can use H2, the second test was deleted - again, auto-tested in
tst_http2).
Change-Id: I559c140c333ddf72664911c6e275b1d0d2b980a9
Task-number: QTBUG-78255
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Following the deprecation of add[Default]CaCertificate[s] let's update
the uses of it. While we're doing this, let's also use QSslConfiguration
more in some places where it makes sense.
Change-Id: I2c9e7c73fee8a405492410378f2babe67d3a3f25
Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
The requirement to separate debug and release DLLs on Windows stems from
the Visual Studio C run-time library appearing in two different variants
(debug and release) and not mixing well. It's possible to perform builds
without optimzations and with debug symbols while linking against the
release version of the C run-time, but at the same time the debug
version of the run-time brings other developer visible advantages.
MinGW on the other hand does not have this distinction, does not ship
with separate DLLS and does also not require the VS C runtime library.
Therefore we do not need this separation for MinGW, which means that our
packages can be reduced in size and application developers wishing to
debug their applications do not have to use debug builds of the Qt
libraries or run into Qt internal debug code.
Task-number: QTBUG-78445
Change-Id: Idf588606091298dc44262c4c89e689df18d34747
Reviewed-by: Cristian Adam <cristian.adam@qt.io>
Reviewed-by: Jörg Bornemann <joerg.bornemann@qt.io>
If the domain passed down is an actual TLD that's the subject of a *
rule, e.g. "ck" subject to *.ck, then we were finding no dot in it and
concluding that it couldn't be the subject of a * rule.
Added a test for the specific .ck case and commented on where we could
get some canonical test data that I tripped over while researching
this. Cross-reference the cookie-jar test from the QUrl test, too.
Fixes: QTBUG-78097
Change-Id: Id858a9dae22e6b306a68df3fc199e0160f537159
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
The minimum supported version is Windows 7. Remove
QOperatingSystemVersion::WindowsVista added by
b0cd007335 and replace with "true"
wherever it was used.
Change-Id: I08c0208467b655a921b6773f77d8bc099be69031
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
I was observing rare crashes on my mac, where I was using SecureTransport.
This would imply both the client (the test) and the server were working
in h2c mode. But this is against the test's logic - the first request
will be HTTP/1.1 (and upgrading protocol) and I wanted to send 3 HTTP/2
requests instead.
Fixes: QTBUG-77476
Change-Id: I048ca242e2096ca36dd112277807d1fee530150c
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
And send it in our 'SETTINGS' frame. Add an auto-test
for this and (as a bonus) - fix a bug accidentally
introduced by the previous change.
Task-number: QTBUG-77412
Change-Id: I4277ff47e8d8d3b6b8666fbcd7dc73c827f349c0
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Similar to TLS configuration that we can use on QNetworkRequest,
we can configure different options in our HTTP/2 handling by
providing QNetworkAccessManager with h2 configuration. Previously,
it was only possible internally in our auto-test - a hack with
QObject's properties and a private class. Now it's time to provide
a public API for this.
[ChangeLog][QtNetwork][QNetworkRequest] Add an ability to configure HTTP/2 protocol
Change-Id: I80266a74f6dcdfabb7fc05ed1dce17897bcda886
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
This patch was generated with tooling from patchset 31 of
https://codereview.qt-project.org/c/qt/qtqa/+/267034 in interactive
mode. General platform names were chosen if greater than 60% of the
currently active platforms of a given type in COIN recently failed.
Change-Id: Ia4bde7f0ec422bbb727dc9d7151295159094f146
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
some assumptions were incorrect: our test server immediately sends
its SETTINGS frame, as a result we have to reply with client preface +
SETTINGS(ACK). So QVERIFY(!prefaceOK) was wrong from the beginning and
was only passing by pure luck.
Change-Id: Ie43f0d4ac41deb0e5339badaae6149a9b2f9d9b3
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
One of the tests above was unsetting a variable that enforces
the use of a temporary keychain. We have to set it back, otherwise
the test is failing. What surprises me though - why I had this
problem only locally and not on CI? Apparently, SecureTransport
is not covered by our configurations ...
Change-Id: I0ff1e3e304632869391ed61213c245b949d8c778
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
This change removes the leftovers form other cleanup commits.
Task-number: QTBUG-76491
Change-Id: I61440f87c5a280f9666b78e19aac4d8ac603767e
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
Passes locally, and there is no reason why it shoulnd't. Use IPv6
addresses for Google and Cloudflare DNS servers, and as with the IPv4
tests, rely on Python and (as a fallback) nslookup to produce the
reference.
Change-Id: I584f8ae9bc89c66a1f59d7b1e7493d0ed8033e8a
Fixes: QTBUG-22287
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>