This is a source-incompatible change.
TlsV1 is ambiguous; what is actually meant is TLS version 1.0. There are
also TLS versions 1.1 and 1.2; we might want to add options for these
once OpenSSL supports them (apparently they will be with OpenSSL version
1.0.1).
Change-Id: I940d020b181b5fa528788ef0c3c47e8ef873796a
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
This commit adds the ability to perform legacy SSL renegotiation as
a fallback via QSsl::SslOptions. This is something that used to work,
but has been disabled by default in newer versions of openssl. The
need for this has been reported by users (e.g. in QTBUG-14983).
Change-Id: I5b80f3ffd07e0c5faddc469f6a8f857bac5740f7
Reviewed-by: Corentin Chary <corentin.chary@gmail.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
In Qt 4.x the serial number is reported by a mixture of the hex value
and the number. The hex is what is used by other tools, and we should do
the same.
Change-Id: Ia0361d43fb5b920d053c95e932e0c8a012436e5e
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
that server was found out not to support HTTP pipelining.
tested manually; for more information see the task.
Change-Id: I9120e8be1a9a05f39f99752d6426c92fa3d093f2
(cherry picked from commit ec6d7694f72498d1b156bb0ae8d305e01931f7b2)
Reviewed-by: Markus Goetz
Task-number: QTBUG-21369
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
removes several files and cleans up the code, removing all Symbian
specific #ifdef's etc.
Change-Id: Ie457e54cb4b3a992f251383320d47822259c38f1
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Currently isValid wrongly gives the impression it checks a certificate
for validity - it doesn't. It merely checks if the certificate dates
are valid and if the certificate is blacklisted. Since it's already
easy for users to check the dates, let's just give them access to the
ability to check for blacklisting.
Change-Id: I25be3bde6a01063034702a9574b28469bf4882cd
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Two problems:
- The signal cacheCredidentials was not connected in the synchronous
case while it must be connected. (Regression when the threaded http
was merged)
- We cannot cache the credentials when we proceed the url because
at that point, we do not know the realm (this basically reverts
9bc5a32b875b812c3a706034c8c27614f86bd138)
Task-number: QTBUG-18411
Change-Id: I8ea11fa23db4314c3f17ed06d2d7f9ee934ccdba
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
... as did browser vendors.
Tested manually with affected CA certificates.
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit e1d6df4e5931ee49b4b68dd5a33146f5639268b7)
Change-Id: I5bf6c147abf6d2de0f313d65faa2d9a1e9684cea
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
... by adding a new class QSslCertificateExtension and methods in
QSslCertificate to support extensions. This is needed e.g. for OCSP
(checking revocation status of a certificate) or Extended Validation
certificates.
Change-Id: I5c5d9513fa640cd487786bb9a5af734afebd0828
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
The Proxy-Connection header is a non-standard header, but is widely
used so forming a de-facto standard.
Some proxies use the official Connection header, so we should check
for that in responses. Otherwise https connections over http proxy
fail in case the proxy sends "Connection: close" with the 407 reply.
Task-number: QTBUG-22177
Change-Id: If6cfa4ebb7ac9d97d65b6ddcc8257aee20ac0448
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit 9d5c920bb23b949a0b98f1268679a0a2c06dd1d9)
Change-Id: Id99040051afe97bca3b1a8e4e3ae5a4c7f617cc9
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Symbian is no longer a supported platform.
Change-Id: Ifcb2e05661b16acc6307a4ccfaa42586750734c1
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
This should be API-compatible with Qt 4, but is not ABI-compatible, due to
removing the enum from QUdpSocket.
Task-number: QTBUG-121
Change-Id: I967968c6cb6f96d3ab1d6300eadd5bde6154b300
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This should have always been the case, as it simply makes sense, but the
upcoming moving of binding to QAbstractSocket will require this for autotesting.
Change-Id: Ieef70196616227e7914c76fff5388a4068c36efb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
It was originally added to keep compatibility with the bearer management module from Qt Mobility, and is no longer needed in Qt 5.
Change-Id: I187494e02a71c3d39a52f8c0bd4d0c7cc23d0b4b
Reviewed-by: Aaron McCarthy <aaron.mccarthy@nokia.com>
the generic systemProxyForQuery will use http_proxy from the
environment, if it is set.
Change-Id: Ie685c47eb6df1fdd2ab223defc7172bb25e6fe30
Reviewed-by: Thiago Macieira (Intel) <thiago.macieira@intel.com>
Various places in QtNetwork checked for Localhost or LocalHostIPv6,
i.e. 127.0.0.1 or ::1. By using the isLoopback API, other loopback
addresses are treated the same way (e.g. 127.0.0.2 and ::ffff:127.0.0.1)
Task-number: QTBUG-22246
Change-Id: I46f55630d8646fd68034a509969a0b7cb72ca77c
Reviewed-by: Thiago Macieira (Intel) <thiago.macieira@intel.com>
The standard IPv4 loopback address is 127.0.0.1, however anything in
the 127.0.0.0/8 range is also a loopback address.
isLoopback returns true for any address that is in the IPv4 loopback
address range, or is the single IPv6 loopback address ::1
Task-number: QTBUG-22246
Change-Id: Ic39100e2e97a52db700e01b109998a1cfd4335e3
Reviewed-by: Thiago Macieira (Intel) <thiago.macieira@intel.com>
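The loopback classification described in the two commit messages above, as an added example that is not Qt's code and not part of either commit: it contrasts an exact-match check against 127.0.0.1 / ::1 with a range-based check. The function names `isExactLocalhost` and `isLoopbackAddress` are hypothetical, and POSIX `inet_pton` stands in for QHostAddress parsing.

```cpp
#include <arpa/inet.h>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical "before" check: only the two canonical spellings match.
bool isExactLocalhost(const std::string &text)
{
    return text == "127.0.0.1" || text == "::1";
}

// Hypothetical range-based check: all of 127.0.0.0/8, the IPv6 loopback ::1
// in any textual form, and IPv4-mapped IPv6 addresses whose embedded IPv4
// address lies in 127.0.0.0/8.
bool isLoopbackAddress(const std::string &text)
{
    in_addr v4;
    if (inet_pton(AF_INET, text.c_str(), &v4) == 1) {
        // s_addr is in network byte order, so byte 0 is the first octet.
        const unsigned char *b = reinterpret_cast<const unsigned char *>(&v4.s_addr);
        return b[0] == 127;
    }
    in6_addr v6;
    if (inet_pton(AF_INET6, text.c_str(), &v6) == 1) {
        static const unsigned char loopback6[16] =
            {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
        static const unsigned char mappedPrefix[12] =
            {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
        if (std::memcmp(v6.s6_addr, loopback6, 16) == 0)
            return true;
        if (std::memcmp(v6.s6_addr, mappedPrefix, 12) == 0)
            return v6.s6_addr[12] == 127;   // ::ffff:127.x.y.z
        return false;
    }
    return false;   // not an IP literal (e.g. a host name): never loopback here
}

int main()
{
    // Constructed sample inputs.
    const char *samples[] = {"127.0.0.1", "127.0.0.2", "::1", "0:0:0:0:0:0:0:1",
                             "::ffff:127.0.0.1", "128.0.0.1", "::ffff:10.0.0.1"};
    for (const char *s : samples)
        std::cout << s << " exact=" << isExactLocalhost(s)
                  << " range=" << isLoopbackAddress(s) << '\n';
    return 0;
}
```
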
QAtomicInt has a constructor, so QBasicAtomicInt needs to be used
instead to allow compile time initialisation.
Task-Number: QTBUG-20343
Reviewed-By: Olivier Goffart
(cherry picked from commit 29495592d27505feff024d574e1333809794c304)
Change-Id: Ia531c74f47daa86ba24a1b01bee36ddb1101af11
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Certain FTP servers refuse the SIZE command in ASCII mode (proftpd)
or refuse the SIZE command in ASCII mode for large files.
This is a security feature, as the SIZE command requires reading
the whole file and counting line ends which can cause denial of
service. In binary mode, the file size on disc is reported, which
is a relatively quick operation.
Qt had two problems here:
1. when size command fails, the total size was reported as -1,
whereas the documentation of QFtp::dataTransferProgress states
it should be reported as 0 (so that QProgressDialog can display
a wait note rather than progress bar)
2. SIZE command was sent before setting the type of the transfer
to ASCII / Binary. This is a problem as the size reported by
the server is incorrect. Also it usually means sending ASCII
SIZE for Binary transfers, which results in the 550 error on
FTP servers with DOS protection.
Task-Number: QTTH-1428
Reviewed-By: Peter Hartmann
(cherry picked from commit 72bf6105214bfc26cff33632f7f4bdeed9cdf362)
Change-Id: Ie1f356c34d6a04362eaca64befb00788f85c0ccb
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
There are lots of buggy SSL servers around and to connect to them you
need to disable various features. This commit adds the ability to
disable the SSL ticket extension, the ability to disable the insertion
of empty fragments, and the ability to disable compression.
Task-number: QTBUG-21906
Change-Id: I3e1d0347a46e9030b889bbf15b2aad19b8513b73
Merge-request: 68
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
startHostInfoLookup will try to detect if IPv4 or IPv6 will be used
when connecting to the host. If a proxy is set we should lookup
the proxy hostname instead, in case host name can't be resolved
via DNS and should be resolved by the proxy.
Task-number: QTBUG-21889
Change-Id: I2012798784fc40f153469a1298e261c52981297e
Reviewed-on: http://codereview.qt-project.org/6447
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
When two threads construct a QNetworkAccessManager at exactly the
same time on an SMP system, there are construction races for some
Q_GLOBAL_STATIC data. This is normal and expected - the losing
thread deletes its instance as part of the Q_GLOBAL_STATIC macro.
For QNetworkAccessBackendFactoryData, a guard mechanism intended
to prevent the data being reconstructed by destructors of other
global static classes was being set by the loser.
To fix this, the bool is changed to a QAtomicInt. In the normal
case, it will have value 0->1 on startup and 1->0 on shutdown.
In the race case, it will have values 0->1->2->1 on startup and
1->0 on shutdown.
Task-Number: QTBUG-20343
Change-Id: Ie3fe38944d10809d1ccdbe772df82d67faffe19c
Reviewed-on: http://codereview.qt-project.org/6181
Sanity-Review: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
The current code was meant to be a thread-safe initialisation that
also ran a couple of extra steps. But it wasn't. While it's ok to call
qAddPostRoutine(), the call to updateConfigurations() was
thread-unsafe. It is possible that another thread got the pointer to
the Private before updateConfigurations() finished.
So instead protect the initialisation with a mutex.
It's possible that the value of the pointer becomes visible to
other processors before the other contained values, so use
atomics here.
To call qAddPostRoutine safely from the main thread, use the trick
of deleteLater() (which is thread-safe) in another thread connecting
to a slot.
Change-Id: If9bab88138755df95a791f34b0be8684207979d7
Reviewed-on: http://codereview.qt-project.org/5028
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Bradley T. Hughes <bradley.hughes@nokia.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
QHttpNetworkReply was waiting for a body to be sent for 401 and 407
responses, whereas with a HTTP HEAD request, there will be no body.
This delayed the authentication signal until after the http channel
is closed by the server after a timeout. For example with the server
used for autotesting, the authentication signal is delayed 15 seconds.
When the server has a very long timeout, the authentication signal may
not be emitted at all.
Task-Number: QT-5304
Reviewed-By: Martin Petersson
(cherry picked from commit 8610ee14b8636641651a8ba6040cca16c4141ed6)
Change-Id: Ie4ce6c598df86ce59910f793fd5ae7c1ccf39f9d
Reviewed-on: http://codereview.qt-project.org/6032
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
The QHttpNetworkConnectionPrivate::errorDetail is supposed to return a
translated string, which is then set as the QNetworkReply error.
The current code incorrectly uses QT_TRANSLATE_NOOP,
which marks the strings for translation, but does not translate them.
The result is that even with a translator loaded those strings are
written in English.
Fixes QTBUG-18382.
Merge-request: 2671
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
(cherry picked from commit 434686a926a2a6e71f3cdea2508898b7800f7c81)
Change-Id: I8673cef7671d41106f50b75e78394916f3b720c9
Reviewed-on: http://codereview.qt-project.org/4691
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
and do not only check leaf certificates, but all intermediates and
the root. Tested manually with the cross-signed intermediates.
Change-Id: I860dc9b568bc244abc9228486dbb374a1a2b47c4
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 64adbd0c5775f97343afbe0e7b5fde0d70bdaedd)
Reviewed-on: http://codereview.qt.nokia.com/4291
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
... to reduce the possibility of blacklisting valid certificates that
happen to have the same serial number as a blacklisted one, which is
unlikely, but possible.
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 6b1a8129623e3716f2fc075608b260ce7c381fe2
and adapted to the source incompatible change)
Change-Id: If714c34f6ce028032eee6d68f34d088b6ad5a0cc
Reviewed-on: http://codereview.qt.nokia.com/3895
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Also export two symbols for auto tests since opaque keys
need EVP_PKEY * created by openssl.
Change-Id: Ib7801ddfceb259de7291bfaa5940df87f68af97d
Merge-request: 48
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/4011
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
This allows using EVP_PKEY * directly with QSslKey (for
example coming from a PKCS#11 dongle).
Change-Id: Icb1ba5081506a831ec3d8cfffe13ce70939608ea
Merge-request: 48
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/4010
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
blacklist the leaf certificate for now. There might well be more fake
certificates in the wild, for that either the Diginotar.nl root cert
needs to be disabled on the system or OCSP would need to be enabled
(not supported by Qt yet).
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 70f6a1b91b242174682c30be976c2aa36c450cc7)
Change-Id: I7cd3fdc4c6e85202914764f983a60d301e54aa35
Reviewed-on: http://codereview.qt.nokia.com/3893
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
For the Happy Eyeballs implementation we use two channels for the case
where a host lookup gives us both IPv4 and IPv6 addresses.
In the case where the Connection is set up to only use one channel
we cannot use this solution, so in this case we should use the old
way of connecting with one channel.
Task-number: QTBUG-20981
Change-Id: I6590fb4c67d6a8261cd0e4da8f99cd3603bbb524
Reviewed-on: http://codereview.qt.nokia.com/3524
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Setting only a password (no username) for HTTP requests does not
result in the password being sent.
Only cancel authentication if neither a username nor a password is set.
Requiring a username was preventing user-less logins.
Merge-request: 1250
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Task-number: QTBUG-15566
(cherry picked from commit 6057909d2b73c2c3aa01a0e9216714ef07fb652f)
Change-Id: I23a52362e3e8cf114219accca2b548ceb9dccff7
Reviewed-on: http://codereview.qt.nokia.com/2940
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
... and add a new method subjectAlternativeNames() instead. This was
a typo in the API.
Change-Id: Id8704c387c9ff8e1af2b9a524ff628f5c053a294
Reviewed-on: http://codereview.qt.nokia.com/2618
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
In Qt 4.8 this generated a warning. For Qt 5 we should no longer
accept file urls without a scheme set. So you should use file://
for local files.
Change-Id: I57789e2b56b712aa4f370aec9437c6febf0d0211
Reviewed-on: http://codereview.qt.nokia.com/1822
Reviewed-by: Markus Goetz
there are return statements between locking and unlocking, so to not
leave the mutex locked when returning, this commit introduces a
QMutexLocker.
Change-Id: I74e2f329bf116e92250189bf097deb47d460d9dc
Reviewed-on: http://codereview.qt.nokia.com/1656
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Markus Goetz