author | Peter Hartmann <peter.hartmann@nokia.com> | 2011-03-14 13:28:34 (GMT) |
committer | Peter Hartmann <peter.hartmann@nokia.com> | 2011-03-14 16:47:40 (GMT) |
commit | b2c8421ff95ad62cbd67843ad5cd3edf72ecda31 (patch) | |
tree | e919c4f9c5b13ee32be1ada6cedcd52c2e3c3256 /src/network/ssl | |
parent | d0e46f9221b614007cc4dea25e0f83d10f1c2f11 (diff) | |
SSL: introduce new option TlsV1SslV3 for SSL communication
Currently there are 3 supported protocols: SSL2, SSL3 and TLS1. SSL2
is considered insecure and should not be used anymore. This commit
offers an option to use both TLS1 and SSL3, leaving SSL2 out.
Part-of-the-patch-by: Darren Lissimore
Reviewed-by: Markus Goetz
Task-number: QTBUG-12338
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qssl.cpp | 3 | ||||
-rw-r--r-- | src/network/ssl/qssl.h | 1 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 7 |
3 files changed, 10 insertions, 1 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 8a450b9..241eb12 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -107,6 +107,9 @@ QT_BEGIN_NAMESPACE
 \value UnknownProtocol The cipher's protocol cannot be determined.
 \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1. This value is used by QSslSocket only.
+ \value TlsV1SslV3 On the client side, this will send
+ a TLS 1.0 Client Hello, enabling TLSv1 and SSLv3 connections.
+ On the server side, this will enable both SSLv3 and TLSv1 connections.
 Note: most servers using SSL understand both versions (2 and 3), but it is recommended to use the latest version only for security
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 4c035fd..e13ee78 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -77,6 +77,7 @@ namespace QSsl {
 SslV2,
 TlsV1,
 AnyProtocol,
+ TlsV1SslV3,
 UnknownProtocol = -1
 };
 }
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 646889c..8da3bb7 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -259,6 +259,7 @@ init_context:
 case QSsl::SslV3:
 ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
 break;
+ case QSsl::TlsV1SslV3: // TlsV1SslV3 will be disabled below
 case QSsl::AnyProtocol:
 default:
 ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
@@ -284,7 +285,11 @@ init_context:
 }
 // Enable all bug workarounds.
- q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ if (configuration.protocol == QSsl::TlsV1SslV3) {
+ q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+ } else {
+ q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ }
 // Initialize ciphers
 QByteArray cipherString;
 |
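Review bot: The comment on the new case label in the first qsslsocket_openssl.cpp hunk, `// TlsV1SslV3 will be disabled below`, is misleading: what the second hunk disables is SSLv2, not the TlsV1SslV3 option itself, so it should read `case QSsl::TlsV1SslV3: // falls through to the SSLv23 method; SSLv2 is refused below via SSL_OP_NO_SSLv2`. In the second hunk the retained comment `// Enable all bug workarounds.` no longer describes the whole branch, and the duplicated call could be collapsed to `long options = SSL_OP_ALL; if (configuration.protocol == QSsl::TlsV1SslV3) options |= SSL_OP_NO_SSLv2; q_SSL_CTX_set_options(ctx, options);` with the comment extended to say that TlsV1SslV3 keeps the version-flexible method but excludes SSLv2. Both hunks rely on `configuration`, `client` and `ctx`, which are declared outside the hunk; the enclosing function (the code after the `init_context:` label) starts and ends outside both hunks.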