Add intermediate certificates to our server sockets, and to our client
certs.
Change-Id: Ib5aa575473f9e84f337bebe35099506dd7d7e2ba
Task-Number: QTBUG-19825
Task-Number: QTBUG-13281
Reviewed-by: Peter Hartmann <phartmann@rim.com>
Instead of storing a single QSslCertificate for a the local cert, store
a list of them. This will allow us to handle server sockets that use a
certificate that is not issued directly from the CA root in future.
Change-Id: I9a36b9a99daa9c0bdd17f61b4ce1a7da746f2e96
Reviewed-by: Peter Hartmann <phartmann@rim.com>
It's flakey and is blocking integration. Tracked in QTBUG-29730.
Change-Id: Ia5b8f952314bf2e1aa6dbb5c5c0a97e32e68d0f6
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com>
Do not include qsslsocket_p.h unless SSL is present.
Change-Id: I7e56b7758729907892d85f97d5a9d3ccaf7a3314
Reviewed-by: Peter Hartmann <phartmann@rim.com>
DER certificates should not be opened as text files, so we
only pass the QIODevice::Text flag when the format is
QSsl::Pem.
Change-Id: I4bad98023c397b967d5beeec0aaa6c414e06fd9c
Reviewed-by: Richard J. Moore <rich@kde.org>
make sure we keep track of when we can load root certs and when we
cannot (we cannot when the developer set the certs explicitly). This is
implemented the same way for QSslSocket already, and needs to be
duplicated because we have 2 methods for setting CA certificates: one in
QSslSocket and one in QSslConfiguration.
In addition, adapt the auto test which checks whether setting a default
QSslConfiguration works: There is no way to set on demand loading
through the API, so it should be enabled by default.
Task-number: QTBUG-29103
Change-Id: I5146128aaa385dfcc0ad1e0ef81a92d9350ec5f2
Reviewed-by: Richard J. Moore <rich@kde.org>
Those certificates have erroneously set the CA attribute to true,
meaning everybody in possesion of their keys can issue certificates on
their own.
Task-number: QTBUG-28937
Change-Id: Iff351e590ad3e6ab802e6fa1d65a9a9a9f7683de
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
trolltech.com seems to be shut down already
Change-Id: Ic90ce01aeb51b6f154b9bbf4762c365a398c9e3d
Reviewed-by: Simo Fält <simo.falt@digia.com>
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
The QSslSocket one is both wrong and redundant as there is a
Q_DECLARE_METATYPE for it already.
Change-Id: I63d065abfb3d0e3d82a8b1f29a6752b7676db847
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@digia.com>
Different OpenSSL versions produce slightly different output when
dumping a certificate.
Change-Id: Ida98b24422302e287641be074d6740ca292cf203
Reviewed-by: Richard J. Moore <rich@kde.org>
Change copyrights and license headers from Nokia to Digia
Change-Id: If1cc974286d29fd01ec6c19dd4719a67f4c3f00e
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@digia.com>
Disable SSL compression by default since this appears to be the a likely
cause of the currently hyped CRIME attack.
Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
Add SslProtocol enums TlsV1_1 and TlsV1_2 and use the appropriate OpenSSL
methods when they're selected (TLSv1_1_client_method, TLSv1_2_client_method,
TLSv1_1_server_method and TLSv1_2_server_method). This allows us to
explicitly use TLS 1.1 or 1.2.
Task-number: QTBUG-26866
Change-Id: I159da548546fa746c20e9e96bc0e5b785e4e761b
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Qt 5.0 beta requires changing the default to the 5.0 API, disabling
the deprecated code. However, tests should test (and often do) the
compatibility API too, so turn it back on.
Task-number: QTBUG-25053
Change-Id: I8129c3ef3cb58541c95a32d083850d9e7f768927
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>
Using the nullary version has the advantage that multiple calls
during a program run are much more efficient, since an inlined
atomic is used to store the result. It also ensures that
Q_DECLARE_METATYPE(T) has been used, whereas qRegisterMetaType<T>("T")
will happily register anything. So I've added the macro where it
was missing, or moved it to a central place when it existed
hidden.
In tst_qnetworkreply, this became a bit tricky, because a private
header is conditionally included, so moved the Q_DECLARE_METATYPE()
into a conditional section, too.
Change-Id: I71484523e4277f4697b7d4b2ddc3505375162727
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
The reqExp used to handle wildcards in the path was broken. So we
always searched the working directory and not the specified path.
Autotest where passing because of a hack used for Windows paths
where we removed the first two chars in the path string.
This fix will not use nativeSeparators thus removing the Windows hack
and fix the regExp to match wildcard chars.
Task-number: QTBUG-23573
Change-Id: I56fadbb67f25b8ce9c0f17cb6232e0bdb9148b1c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
This test had been XFAILing since August 2011, but recently started to
XPASS, possibly due to changes in the SSL setup on the tested host
(qt.nokia.com).
Removed QEXPECT_FAIL and replaced qt.nokia.com with
codereview.qt-project.org as a host expected to have working SSL. (If
SSL on the latter were broken, it would immediately be detected by
any attempts at git over HTTPS.)
SSL setup can be verified as working by:
openssl s_client -CApath /etc/ssl/certs \
-connect codereview.qt-project.org:443 </dev/null
Task-number: QTBUG-20983
Change-Id: I9b4146da6545ab4115d6308044b1d242dd52b7f9
Reviewed-by: Kalle Lehtonen <kalle.ju.lehtonen@nokia.com>
We'd like to decrease the default timeout for tests in the Qt Project CI
so that we waste less time waiting for hanging tests.
Tests which genuinely take a long time to run, such as these, should
have their timeout explicitly set in their .pro file.
Change-Id: I4fe6249e9efa764b230251d73a1115c24411e168
Reviewed-by: Toby Tomkins <toby.tomkins@nokia.com>
Reviewed-by: Kalle Lehtonen <kalle.ju.lehtonen@nokia.com>
These tests have passed a parallel stress test on all three of Linux,
Mac, Windows. Mark them with CONFIG+=parallel_test to allow CI to run
them in parallel, saving time.
Change-Id: I19fd333c3c645a67374ca998f6c8530dd236b0f8
Reviewed-by: Toby Tomkins <toby.tomkins@nokia.com>
Change-Id: I5039e011f3c9b44ed1887424f11e4e146c3eb07f
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
A couple of people reviewing the toText() method (which is new in 5.0)
have said that since the string returned is human readable it should
be a QString not a QByteArray. This change follows their advice.
Change-Id: Ibade9a24870805f7fbe2d299abeb9c6e964f0cf4
Reviewed-by: Girish Ramakrishnan <girish.1.ramakrishnan@nokia.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Because SSL2 is disabled in ubuntu's openssl binaries, the SSL
connection is expected to succeed rather than fail when the server
side is using SSL3/TLS1.0.
Used the OPENSSL_NO_SSL2 macro to decide this.
Change-Id: I2c35aa5aa0c9432ae78000c81f70086bdc31843d
Reviewed-by: Richard J. Moore <rich@kde.org>
This operation should be a no-op anyway, since at this point in time,
the fromAscii and toAscii functions simply call their fromLatin1 and
toLatin1 counterparts.
Task-number: QTBUG-21872
Change-Id: I94cc301ea75cc689bcb6e2d417120cf14e36808d
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Although we created an enum for pause modes to make 5.x binary
compatible with 5.0, the enum value is not well named.
In 5.1, we propose to add PauseOnProxyAuthentication to the enum.
PauseOnNotify is not clear what it means, while PauseOnSslErrors is.
Any new notification in a minor release would need a new enum value
otherwise applications would get pauses they did not expect.
Task-number: QTBUG-19032
Change-Id: I4dbb7467663b37ca7f0551d24a31bc013968bedc
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
qVariantValue and qVariantCanConvert are Compatibility members, while in
Qt4.8 they are marked as Qt 3 Support Members.
qVariantFromValue and qVariantSetValue are Obsolete members.
Change-Id: Ie8505cad1e0950e40c6f6710fde9f6fb2ac670fd
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@nokia.com>
These tests have been passing consistently since they started running
on Windows in CI.
Change-Id: I4505497afc477a7f4fbda0acc29987d0d0cf220a
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
The test has a single stable failure on both of these platforms. Mark
the failure with QEXPECT_FAIL (that was already the case on Ubuntu
11.10) and re-enable the test.
Note also the elimination of duplicate bug numbers.
Task-number: QTBUG-24234
Change-Id: Ica11e7d1f3cd9487647127984fef7c75e0e764fe
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Switch on most of the tests (all but the bearer tests), marking the two
known failures as insignificant tests.
Change-Id: I17f228a938de1a23eddf897f494bfa4e54338dae
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Calling peek() for qsslsocket caused socket data to be copied into
qiodevices buffer and therefore make it unaccessible in qsslsocket.
Cherry picked form 4.8-branch & modified to Qt5 API changes
(int -> qintptr)
Original commits:
commit 621f18955082fc73471e75d1f8c35c2dcd4befeb
Author: Shane Kearns <ext-shane.2.kearns@nokia.com>
commit 68b1d5c17aa38d5921bdade2b0e0cb67c6c90513
Author: Kalle Viironen <kalle.viironen@digia.com>
Task-number: QTBUG-18498
Change-Id: I6be4b19baec2f3197537f5e7b61432040ec84ad2
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
QSharedPointer is about to become final.
Instead of inheriting from it to add implicit
conversions to and from QSslSocket*, make
QSslSocketPtr a typedef, and make the
conversions explicit.
Change-Id: I4eebb262ab5aef348f4d676f9e839325d4ed13da
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This is unfortunately still "most of them", because of QTBUG-24451
however some of the unit tests are still possible to test stably.
Also skipped test cases which would hang forever due to QTBUG-24451.
Bearer tests are not run, because they pass when test machine has no
wireless LAN, but fail or hang if it does (QTBUG-24503)
Change-Id: Icf99d45707102d2ef9219ed0b5ad521605716219
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
QSslCertificate can be copied around into multiple threads,
without detaching. For example, the https worker threads inside
QNetworkAccessManager.
There are const methods, which lazily initialise members of
the private class without detaching (i.e. caching results of
expensive function calls)
These functions now lock the d pointer using QMutexPool to
avoid concurrency related crashes.
autotest crashes 20% of the time in release builds without
the fix, passes 100 times in a row with the fix.
Task-number: QTBUG-20452
Change-Id: I64a01af8159216f2dd6215a08669890f6c029ca8
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Change the ifdefs in our own code (except openssl backend) to use the
new configure flag.
Change-Id: I8774734771c66b22164b5fae8fdb27814ac3df7b
Reviewed-by: Richard J. Moore <rich@kde.org>
- Changed to use TESTDATA and QFINDTESTDATA instead of SRCDIR
Change-Id: I30bf175c2c9044e1f8556260a032467ca0dfc09f
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
Reviewed-by: Jason McDonald <jason.mcdonald@nokia.com>
- Changed to use TESTDATA and QFINDTESTDATA instead of SRCDIR
Change-Id: I1957ef287ba2f337b5e0b2c6245d872eacb6316f
Reviewed-by: Jason McDonald <jason.mcdonald@nokia.com>
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
Marked two tests insignificant due to failures, these need to be
fixed later and then re-enabled:
- tst_qnetworkreply
- tst_qsslsocket
Task-number: QTBUG-24203
Change-Id: I9647833bf15fe5a340d7ef59e1dcb007a92677dc
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@nokia.com>
This file was removed in commit ba9302b8a9.
Commit 8fad23f326 removed openssl.pri from
src/network/ssl/ssl.pri, but not from the qsslsocket autotest.
Change-Id: Ic1a576ee7f0ee3d68471121ba636b94ce7bae455
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Open the comparison file as text mode, so that it does not differ from
the dumped certificate in CRLF vs LF line endings.
Change-Id: I54d6ea6e37044059e89e762435657ebf5fa6cb39
Reviewed-by: Richard J. Moore <rich@kde.org>
This has been broken for months, but invisible because the code causing
the link error is unreachable (due to QSKIP). So the link error only
occurs in debug builds with -O0.
Change-Id: I6093a7803bedf37bfc8c2d9ff0b28b2309b57959
Reviewed-by: Richard J. Moore <rich@kde.org>