Merge remote branch 'earth/master' into symbian-socket-engine

Conflicts: src/network/access/qhttpnetworkconnectionchannel.cpp src/network/socket/qlocalsocket.cpp src/s60installs/bwins/QtCoreu.def src/s60installs/bwins/QtGuiu.def src/s60installs/bwins/QtTestu.def src/s60installs/eabi/QtCoreu.def src/s60installs/eabi/QtGuiu.def
author: Shane Kearns <shane.kearns@accenture.com> 2011-03-25 14:08:28 (GMT)
committer: Shane Kearns <shane.kearns@accenture.com> 2011-03-25 14:08:28 (GMT)
commit: 12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504 (patch)
tree: ba98e1ff32f288b47b0a05eb0fc293e3c3420889 /src/network/ssl
parent: be5e7924ec7bd6cccd626f931f55e2687910ad13 (diff)
parent: 116fed06f9ed561befb505d94b6b44dc71bf9e45 (diff)
download: Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.zip
Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.tar.gz
Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.tar.bz2
6 files changed, 38 insertions, 11 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 8a450b9..5594296 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -103,10 +103,15 @@ QT_BEGIN_NAMESPACE
 
     \value SslV3 SSLv3
     \value SslV2 SSLv2
-    \value TlsV1 TLSv1 - the default protocol.
+    \value TlsV1 TLSv1
     \value UnknownProtocol The cipher's protocol cannot be determined.
     \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1. This
     value is used by QSslSocket only.
+    \value TlsV1SslV3 On the client side, this will send
+    a TLS 1.0 Client Hello, enabling TLSv1 and SSLv3 connections.
+    On the server side, this will enable both SSLv3 and TLSv1 connections.
+    \value SecureProtocols The default option, using protocols known to be secure;
+    currently behaves like TlsV1SslV3.
 
     Note: most servers using SSL understand both versions (2 and 3),
     but it is recommended to use the latest version only for security
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 4c035fd..24dbb09 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -75,8 +75,10 @@ namespace QSsl {
     enum SslProtocol {
         SslV3,
         SslV2,
-        TlsV1,
+        TlsV1, // ### Qt 5: rename to TlsV1_0 or so
         AnyProtocol,
+        TlsV1SslV3,
+        SecureProtocols,
         UnknownProtocol = -1
     };
 }
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index b0d5c90..150f77e 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -213,7 +213,7 @@ bool QSslConfiguration::isNull() const
 */
 QSsl::SslProtocol QSslConfiguration::protocol() const
 {
-    return d ? d->protocol : QSsl::TlsV1;
+    return d ? d->protocol : QSsl::SecureProtocols;
 }
 
 /*!
@@ -518,7 +518,7 @@ void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certific
 
     \list
       \o no local certificate and no private key
-      \o protocol TlsV1
+      \o protocol SecureProtocols (meaning either TLS 1.0 or SSL 3 will be used)
       \o the system's default CA certificate list
       \o the cipher list equal to the list of the SSL libraries'
          supported SSL ciphers
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 47adace..a5af51a 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -80,7 +80,7 @@ class QSslConfigurationPrivate: public QSharedData
 {
 public:
     QSslConfigurationPrivate()
-        : protocol(QSsl::TlsV1),
+        : protocol(QSsl::SecureProtocols),
           peerVerifyMode(QSslSocket::AutoVerifyPeer),
           peerVerifyDepth(0)
     { }
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 827f0bb..5b943ab 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -552,7 +552,7 @@ bool QSslSocket::isEncrypted() const
 }
 
 /*!
-    Returns the socket's SSL protocol. By default, \l QSsl::TLSv1 is used.
+    Returns the socket's SSL protocol. By default, \l QSsl::SecureProtocols is used.
 
     \sa setProtocol()
 */
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 646889c..d6967fe 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -259,6 +259,8 @@ init_context:
     case QSsl::SslV3:
         ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
         break;
+    case QSsl::SecureProtocols: // SslV2 will be disabled below
+    case QSsl::TlsV1SslV3: // SslV2 will be disabled below
     case QSsl::AnyProtocol:
     default:
         ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
@@ -284,7 +286,11 @@ init_context:
     }
 
     // Enable all bug workarounds.
-    q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+    if (configuration.protocol == QSsl::TlsV1SslV3 || configuration.protocol == QSsl::SecureProtocols) {
+        q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+    } else {
+        q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+    }
 
     // Initialize ciphers
     QByteArray cipherString;
@@ -319,9 +325,18 @@ init_context:
             q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
         }
     }
+
+    bool addExpiredCerts = true;
+#if defined(Q_OS_MAC) && (MAC_OS_X_VERSION_MAX_ALLOWED == MAC_OS_X_VERSION_10_5)
+    //On Leopard SSL does not work if we add the expired certificates.
+    if (QSysInfo::MacintoshVersion == QSysInfo::MV_10_5)
+       addExpiredCerts = false;
+#endif
     // now add the expired certs
-    foreach (const QSslCertificate &caCertificate, expiredCerts) {
-        q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+    if (addExpiredCerts) {
+        foreach (const QSslCertificate &caCertificate, expiredCerts) {
+            q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+        }
     }
 
     if (s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
@@ -393,13 +408,18 @@ init_context:
     }
 
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
-    if (client && q_SSLeay() >= 0x00090806fL) {
+    if ((configuration.protocol == QSsl::TlsV1SslV3 ||
+        configuration.protocol == QSsl::TlsV1 ||
+        configuration.protocol == QSsl::SecureProtocols ||
+        configuration.protocol == QSsl::AnyProtocol) &&
+        client && q_SSLeay() >= 0x00090806fL) {
         // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format.
         QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName;
         if (tlsHostName.isEmpty())
             tlsHostName = hostName;
         QByteArray ace = QUrl::toAce(tlsHostName);
-        if (!ace.isEmpty()) {
+        // only send the SNI header if the URL is valid and not an IP
+        if (!ace.isEmpty() && !QHostAddress().setAddress(tlsHostName)) {
             if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, ace.constData()))
                 qWarning("could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled");
         }
author	Shane Kearns <shane.kearns@accenture.com>	2011-03-25 14:08:28 (GMT)
committer	Shane Kearns <shane.kearns@accenture.com>	2011-03-25 14:08:28 (GMT)
commit	12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504 (patch)
tree	ba98e1ff32f288b47b0a05eb0fc293e3c3420889 /src/network/ssl
parent	be5e7924ec7bd6cccd626f931f55e2687910ad13 (diff)
parent	116fed06f9ed561befb505d94b6b44dc71bf9e45 (diff)
download	Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.zip Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.tar.gz Qt-12fd077f71a8bc6f865e4e8a4ffe61d5d1b8a504.tar.bz2