-rw-r--r--src/network/ssl/qssl.cpp4
-rw-r--r--src/network/ssl/qssl.h2
-rw-r--r--src/network/ssl/qsslconfiguration_p.h2
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp6
4 files changed, 8 insertions, 6 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index e3dc84c..5594296 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -110,8 +110,8 @@ QT_BEGIN_NAMESPACE
\value TlsV1SslV3 On the client side, this will send
a TLS 1.0 Client Hello, enabling TLSv1 and SSLv3 connections.
On the server side, this will enable both SSLv3 and TLSv1 connections.
- \value SecureProtocols The default option, using protocols known to be secure.
- Currently set to TlsV1SslV3.
+ \value SecureProtocols The default option, using protocols known to be secure;
+ currently behaves like TlsV1SslV3.
Note: most servers using SSL understand both versions (2 and 3),
but it is recommended to use the latest version only for security
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 1980659..24dbb09 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -78,7 +78,7 @@ namespace QSsl {
TlsV1, // ### Qt 5: rename to TlsV1_0 or so
AnyProtocol,
TlsV1SslV3,
- SecureProtocols = TlsV1SslV3,
+ SecureProtocols,
UnknownProtocol = -1
};
}
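Review bot: `SecureProtocols` is now a distinct enumerator, so any code outside this diff that tests `protocol == QSsl::TlsV1SslV3` or switches on the enum without a matching label no longer treats it like TlsV1SslV3. The constructor change in qsslconfiguration_p.h makes it the default, so a default-constructed configuration now reports a value such code has never seen. The three sites in qsslsocket_openssl.cpp are updated here, but other SSL code that compares against the enum is not visible in this diff and should be checked. It would also help to record the intent on the enumerator, for example `SecureProtocols, // distinct value on purpose: the protocol set it selects may change between releases`. Binaries built against the old header presumably still pass the TlsV1SslV3 value and will not follow a later change in meaning.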
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 1c6815b..a5af51a 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -80,7 +80,7 @@ class QSslConfigurationPrivate: public QSharedData
{
public:
QSslConfigurationPrivate()
- : protocol(QSsl::TlsV1SslV3),
+ : protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
peerVerifyDepth(0)
{ }
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 664fce2..3d7612a 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -259,7 +259,8 @@ init_context:
case QSsl::SslV3:
ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
break;
- case QSsl::TlsV1SslV3: // TlsV1SslV3 will be disabled below
+ case QSsl::SecureProtocols: // SslV2 will be disabled below
+ case QSsl::TlsV1SslV3: // SslV2 will be disabled below
case QSsl::AnyProtocol:
default:
ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
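Review bot: The meaning of `SecureProtocols` is now spelled out by hand in three places in this file: the case labels here, the `SSL_OP_NO_SSLv2` condition in the next hunk, and the TLS server-name condition in the last hunk. A later change to what the value selects has to touch all three consistently, and a missed one silently falls back to the less restrictive branch. A file-local predicate such as `static bool excludesSslV2(QSsl::SslProtocol p) { return p == QSsl::TlsV1SslV3 || p == QSsl::SecureProtocols; }` used at the option-setting site would keep them in step. The switch starts and ends outside this hunk, so other labels may need the same look.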
@@ -285,7 +286,7 @@ init_context:
}
// Enable all bug workarounds.
- if (configuration.protocol == QSsl::TlsV1SslV3) {
+ if (configuration.protocol == QSsl::TlsV1SslV3 || configuration.protocol == QSsl::SecureProtocols) {
q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
} else {
q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
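Review bot: `SecureProtocols` only gets `SSL_OP_NO_SSLv2` in this condition, so SSLv3 stays negotiable under a name that the qssl.cpp documentation describes as "protocols known to be secure". SSLv3 has since been deprecated (RFC 7568), and a peer that can force a downgrade benefits from it being on by default. Since the value is now separate from `TlsV1SslV3`, it can have its own branch, for example `q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);`, with the "currently behaves like TlsV1SslV3" sentence in the docs updated to match. The if/else is closed outside this hunk.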
@@ -400,6 +401,7 @@ init_context:
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
if ((configuration.protocol == QSsl::TlsV1SslV3 ||
configuration.protocol == QSsl::TlsV1 ||
+ configuration.protocol == QSsl::SecureProtocols ||
configuration.protocol == QSsl::AnyProtocol) &&
client && q_SSLeay() >= 0x00090806fL) {
// Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format.