path: root/src/network/ssl
Commit message (Author, Age, Files, Lines)
...
* | | | setPeerVerifyMode() and peerVerifyMode() comments fix (Taito Silvola, 2011-05-05, files: 1, lines: -2/+2)
|/ / /
* | | QSslConfiguration: fix equals operator (Peter Hartmann, 2011-04-15, files: 1, lines: -1/+1)
|/ /
* | Merge branch 'master' of scm.dev.troll.no:qt/qt-earth-team into ↵ (Shane Kearns, 2011-04-11, files: 8, lines: -37/+69)
|\ \
| | |     symbian-socket-engine
| | |
| | |     Conflicts:
| | |         src/s60installs/bwins/QtCoreu.def
| | |         src/s60installs/bwins/QtGuiu.def
| | |         src/s60installs/bwins/QtNetworku.def
| | |         src/s60installs/eabi/QtCoreu.def
| | |         src/s60installs/eabi/QtGuiu.def
| | |         src/s60installs/eabi/QtNetworku.def
| | |         src/s60installs/eabi/QtOpenVGu.def
| | |         tests/auto/qabstractnetworkcache/tst_qabstractnetworkcache.cpp
| * | SSL code: introduce new error value for blacklisted certificates (Peter Hartmann, 2011-04-07, files: 3, lines: -7/+14)
| | |     improve error reporting by introducing a new enum value in case the peer certificate is blacklisted.
| | |
| | |     Reviewed-by: Markus Goetz
| | |     Task-number: QTBUG-18338
| * | Merge branch 'master' of scm.dev.nokia.troll.no:qt/qt into earth-master (axis, 2011-04-07, files: 3, lines: -4/+38)
| |\ \
| | | |     Conflicts:
| | | |         src/corelib/thread/qthread_unix.cpp
| | * \ Merge remote-tracking branch 'origin/4.7' into qt-master-from-4.7 (Olivier Goffart, 2011-03-31, files: 3, lines: -4/+38)
| | |\ \
| | | |/
| | | |     Conflicts:
| | | |         doc/src/declarative/example-slideswitch.qdoc
| | | |         doc/src/development/qmake-manual.qdoc
| | | |         doc/src/snippets/code/doc_src_qmake-manual.pro
| | | |         doc/src/snippets/code/doc_src_qtscript.qdoc
| | | |         src/corelib/animation/qabstractanimation.cpp
| | | |         src/s60installs/bwins/QtOpenGLu.def
| | | |         src/s60installs/eabi/QtOpenGLu.def
| | | |         src/s60installs/eabi/QtOpenVGu.def
| | | |         tests/auto/qdir/qdir.pro
| | | |         tests/auto/qsslsocket/tst_qsslsocket.cpp
| | | |         tools/qdoc3/doc/qdoc-manual.qdocconf
| | | * QSslSocket internals: abort on encountering blacklisted certificates (Peter Hartmann, 2011-03-25, files: 1, lines: -0/+7)
| | | |     tested manually with "openssl s_server -cert blacklisted.pem -key key.pem" and connecting a QSslSocket.
| | | |
| | | |     Reviewed-by: Markus Goetz
| | | |     Task-number: QTBUG-18338
| | | * QSslCertificate: report fraudulent certificates as invalid (Peter Hartmann, 2011-03-24, files: 2, lines: -4/+31)
| | | |     There are some fraudulent certificates in the wild that are not valid; this patch introduces a blacklist of serial numbers of those certificates.
| | | |
| | | |     Reviewed-by: Richard J. Moore
| | | |     Reviewed-by: Markus Goetz
| | | |     Task-number: QTBUG-18338
| * | | QSslSocket: fix setReadBufferSize (Martin Petersson, 2011-03-31, files: 1, lines: -8/+2)
| | | |     This fixes the qnetworkreply::ioPostToHttpsUploadProgress() auto test. Before, the readbuffer was always limited to 1k for ssl sockets.
| | | |
| | | |     Reviewed-by: Markus Goetz
| * | | QSslConfiguration: do not lazily construct the d-pointer (Peter Hartmann, 2011-03-28, files: 3, lines: -25/+22)
| | | |     ...the private class is cheap anyway; and lazy construction led to problems like setting an empty default configuration would crash etc.
| | | |
| | | |     Reviewed-by: Markus Goetz
| | | |     Task-number: QTBUG-17550
* | | | Merge remote branch 'earth/master' into symbian-socket-engine (Shane Kearns, 2011-03-25, files: 6, lines: -11/+38)
|\ \ \ \
| |/ / /
| | | |     Conflicts:
| | | |         src/network/access/qhttpnetworkconnectionchannel.cpp
| | | |         src/network/socket/qlocalsocket.cpp
| | | |         src/s60installs/bwins/QtCoreu.def
| | | |         src/s60installs/bwins/QtGuiu.def
| | | |         src/s60installs/bwins/QtTestu.def
| | | |         src/s60installs/eabi/QtCoreu.def
| | | |         src/s60installs/eabi/QtGuiu.def
| * | | SSL: send SNI extension only if not connecting to an IP (Peter Hartmann, 2011-03-22, files: 1, lines: -1/+2)
| |/ /
| | |     otherwise the host name and the name we send in the SNI header (the IP) would not match.
| | |
| | |     Reviewed-by: Thiago Macieira
| | |     Reviewed-by: Richard J. Moore
| | |     Task-number: QTBUG-18258
| * | Merge remote-tracking branch 'origin/4.7' into HEAD (Thiago Macieira, 2011-03-16, files: 1, lines: -2/+11)
| |\ \
| | |/
| | |     Conflicts:
| | |         configure
| | |         mkspecs/symbian-gcce/qmake.conf
| | |         qmake/generators/metamakefile.cpp
| | |         qmake/generators/win32/mingw_make.cpp
| | |         src/corelib/global/global.pri
| | |         src/corelib/global/qglobal.h
| | |         src/opengl/qgl.cpp
| | |         src/opengl/qwindowsurface_gl.cpp
| | |         src/plugins/platforms/wayland/qwaylandbuffer.h
| | |         tests/auto/qnetworkreply/tst_qnetworkreply.cpp
| | |         tools/designer/src/components/formeditor/qdesigner_resource.cpp
| | * SSL: Fix certification loading on Mac OS X 10.5 (Martin Petersson, 2011-03-14, files: 1, lines: -2/+11)
| | |     Do not add the expired certificates on Mac OS X 10.5.
| | |
| | |     Task-number: QTBUG-14520
| | |     Reviewed-by: Markus Goetz
| * | SSL: give protocol enum SecureProtocols an own value (Peter Hartmann, 2011-03-15, files: 4, lines: -6/+8)
| | |     ... so that an application that uses SecureProtocols can make use of updates to a Qt version without being recompiled.
| | |
| | |     Reviewed-by: Markus Goetz
| | |     Reviewed-by: Richard J. Moore
| * | SSL backend: avoid setting SNI hostname for old SSL versions (Peter Hartmann, 2011-03-14, files: 2, lines: -2/+5)
| | |     With this patch, we only use SNI functionality when the SSL version supports it (meaning when using TLS), otherwise the function call would trigger a warning.
| | |
| | |     Reviewed-by: Markus Goetz
| * | SSL: Switch default version to TlsV1SslV3 (i.e. use TLS 1 or SSL 3) (Peter Hartmann, 2011-03-14, files: 5, lines: -5/+8)
| | |     ... and introduce a new enum SecureProtocols. Switching the default version is better for compatibility (e.g. servers using this option will understand both TLS and SSL 3).
| | |
| | |     Reviewed-by: Markus Goetz
| * | SSL: introduce new option TlsV1SslV3 for SSL communication (Peter Hartmann, 2011-03-14, files: 3, lines: -1/+10)
| | |     currently there are 3 supported protocols: SSL2, SSL3 and TLS1. SSL2 is considered insecure and should not be used anymore. This commit offers an option to use both TLS1 and SSL3, leaving SSL2 out.
| | |
| | |     Part-of-the-patch-by: Darren Lissimore
| | |     Reviewed-by: Markus Goetz
| | |     Task-number: QTBUG-12338
* | | SSL: fix compilation on Windows (Martin Petersson, 2011-03-15, files: 1, lines: -0/+1)
| | |     Reviewed-by: Markus Goetz
* | | Merge branch 'symbian-socket-engine' of ↵ (Shane Kearns, 2011-03-08, files: 1, lines: -0/+4)
|\ \ \
| |/ /
|/| |
| | |     scm.dev.troll.no:qt/qt-symbian-network into symbian-socket-engine
| | |
| | |     Conflicts:
| | |         src/network/access/qnetworkaccessmanager.cpp
| | |         tests/auto/qsslsocket/tst_qsslsocket.cpp
| * | Explicit network session for QNetworkAccessManager (Shane Kearns, 2011-02-17, files: 1, lines: -0/+4)
| | |     Implemented a tunnel to get the QNetworkSession from QNetworkAccessManager down to the socket engine. This is currently a private API for QNAM. This patch only implements the FTP backend - the other backends are to follow.
| | |
| | |     On Symbian, the native socket engine will extract the native session (RConnection) from the QNetworkSession implementation, and use that to open sockets using the explicitly specified session. When no session is specified on the socket (default for networking usage outside of QNAM) then the socket is opened with no RConnection specified, which allows the IP stack to find any route via an open interface.
| | |
| | |     The QFtp autotest is enhanced to test QFtp with an explicit session as well as implicit connectivity (where a QNetworkSession is opened by the user, and then QFtp is used without a specified connection). This autotest gives better coverage than the FTP test cases in QNetworkReply.
| | |
| | |     Reviewed-by: Markus Goetz
* | | SSL backend: check at runtime for the right OpenSSL version for SNI (Peter Hartmann, 2011-03-04, files: 4, lines: -3/+9)
| | |     SNI = Server Name Indication. The function "SSL_ctrl()" has been there since always in OpenSSL, but not with the specific enum SSL_CTRL_SET_TLSEXT_HOSTNAME, so let's avoid the call for older versions.
| | |
| | |     Additionally, fix the resolving of SSL_CTX_load_verify_locations for Symbian (is not used in Symbian yet).
| | |
| | |     Reviewed-by: Markus Goetz
* | | SSL TLS extension on Symbian: work around missing symbol (Peter Hartmann, 2011-02-28, files: 1, lines: -0/+6)
| | |     ... by defining it ourselves. That symbol is missing in the header files for Symbian.
| | |
| | |     Reviewed-by: Shane Kearns
* | | SSL: Switch default version to TLS 1.0 (Peter Hartmann, 2011-02-28, files: 4, lines: -7/+7)
| | |     TLS is backward compatible, so servers only supporting SSL 3 should still work. All browsers send a TLS 1.0 Client Hello these days. However, some servers apparently have problems with a TLS handshake (and a SNI message); for now, wait and see how many of them are broken and either add a fallback to SSLv3 or blacklist them (i.e. set the used SSL version for those servers explicitly).
| | |
| | |     Reviewed-by: Markus Goetz
* | | QSslSocket backend: resolve symbols for SNI for Symbian (Peter Hartmann, 2011-02-28, files: 1, lines: -0/+3)
| | |     Task-number: QTBUG-1352
* | | Add QSslSocket::setPeerVerifyName()/peerVerifyName() (David Faure, 2011-02-28, files: 2, lines: -0/+31)
| | |     This allows to set the sslPeerName even when not using connectToHostEncrypted, but rather connectToHost + startClientEncryption
| | |
| | |     Task-number: QTBUG-1352
| | |     Merge-request: 1110
| | |     Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
* | | QSslSocket SNI: prefer verificationPeerName then peerName then hostName (David Faure, 2011-02-28, files: 1, lines: -2/+5)
| | |     As suggested by p--hartmann in a comment for MR 1574.
| | |
| | |     Task-number: QTBUG-1352
| | |     Merge-request: 1110
| | |     Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
* | | Add Server Name Identification (RFC4366 section 3.1) (Daniel Black, 2011-02-28, files: 4, lines: -0/+22)
| | |     ...to client QSslSocket connections when supported by openssl as per task tracker id #188841
| | |
| | |     Merge-request: 1574
| | |     Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
* | | Merge remote branch 'earth/master' into master (João Abecasis, 2011-02-28, files: 5, lines: -14/+71)
|\ \ \
| |_|/
|/| |
| * | SSL backend: load root certificates on demand on Unix (excluding Mac) (Peter Hartmann, 2011-02-23, files: 5, lines: -14/+71)
| |/
| |     Previously, on initializing the first QSslSocket, we read all root certificates into memory (~ 150 files). Now, we tell OpenSSL where to find the root certificates, so that they can be loaded on demand (if supported, see 'man c_rehash' for details).
| |
| |     Reviewed-by: Markus Goetz
| |     Task-number: QTBUG-14016
* | SSL: fix memory leak when loading certificates on Mac OS X (Martin Petersson, 2011-02-16, files: 1, lines: -0/+1)
|/
|     Reviewed-by: Markus Goetz
* Update copyright year to 2011. (Jason McDonald, 2011-01-10, files: 23, lines: -23/+23)
|     Reviewed-by: Trust Me
* Fix warning about use of uninitialised variable (Thiago Macieira, 2010-11-26, files: 1, lines: -1/+1)
|
* Merge branch '4.7' of scm.dev.nokia.troll.no:qt/qt-s60-public into ↵ (Qt Continuous Integration System, 2010-11-19, files: 1, lines: -2/+10)
|\
| |     4.7-integration
| |
| |     * '4.7' of scm.dev.nokia.troll.no:qt/qt-s60-public: (21 commits)
| |       Fixed handling of QInputMethodEvents with nonzero replacementLength.
| |       Fixed namespace issues related to epocroot.cpp
| |       Corrected ASCII comparison and removed extra braces
| |       Add symbian scope for qfiledialog_symbian.cpp
| |       Resolve EPOCROOT in qt.conf using same logic as in .pro
| |       Make epocroot resolving compatible with more build environments
| |       Fix for QtOpenGL RVCT4 compilation error
| |       Removed extra cpp and done changes based on comments
| |       Correct flags for Symbian file dialogs
| |       Fix for WServ 64 crash on Symbian.
| |       Use include(original mkspec) instead of copying of mkspec to default
| |       Fixed code style of d92cbfc5, reported by git push.
| |       Switched qdesktopservices to use SchemeHandler for Symbian^3 and later.
| |       Removed unnecessary Q_OS_SYMBIAN flags from qdesktopservices_s60.cpp.
| |       Documented usage of dialogs on Symbian
| |       Native file dialog on Symbian^3
| |       Add Location as self signable capability in patch_capabilities.pl
| |       Localize .loc and .pkg content based on TRANSLATIONS
| |       Bump Qt version to 4.7.2.
| |       SSL: Fix for systemCaCertificates being called first on symbian
| |       ...
| * Merge remote branch 'qt/4.7' into 4.7 (Jason McDonald, 2010-11-18, files: 2, lines: -17/+28)
| |\
| | |     Conflicts:
| | |         tools/qdoc3/test/qt-build-docs.qdocconf
| | |         tools/qdoc3/test/qt.qdocconf
| * | SSL: Fix for systemCaCertificates being called first on symbian (Shane Kearns, 2010-11-11, files: 1, lines: -2/+10)
| | |     On symbian, thread names must be unique (actually kernel object names)
| | |     When a thread exits, there may still be open handles, for example a debugger or RUndertaker so the thread name cannot be reused immediately.
| | |
| | |     S60 has an RUndertaker instance in a background thread, which is used to display the "application closed" messages when a crash happens. Until that thread has run and checked the thread exit to see if it was a crash or not, the thread remains open.
| | |
| | |     When systemCaCertificates is called as the first API call, it calls itself via ensureinitialised() to set the default CA certs. This double call should be addressed by QTBUG-15218.
| | |
| | |     In any case, QSslSocket::systemCaCertificates() is intended to refresh from the system - if application code calls it too quickly in succession it could also trigger this bug.
| | |
| | |     Task-number: QTBUG-15126
| | |     Reviewed-by: Markus Goetz
* | | Doc: Fixing typo (Sergio Ahumada, 2010-11-16, files: 1, lines: -1/+1)
| |/
|/|
* | Merge branch '4.7' of scm.dev.nokia.troll.no:qt/oslo-staging-1 into ↵ (Qt Continuous Integration System, 2010-11-11, files: 2, lines: -17/+28)
|\ \
| |/
|/|
| |     4.7-integration
| |
| |     * '4.7' of scm.dev.nokia.troll.no:qt/oslo-staging-1:
| |       Minor adjustments to merge-request 915
| |       Implement brush transformations for directfb.
| |       Add FreeBSD's certificate bundle to the certificates list.
| |       SSL internals: upon error, read all errors from OpenSSL
| |       Added an example for QTest::touchEvent to the documentation.
| |       Push and pop the thread-default context for the current thread
| |       Fix compilation by s/intptr_t/quintptr/
| * Add FreeBSD's certificate bundle to the certificates list. (Raphael Kubo da Costa, 2010-11-11, files: 1, lines: -0/+1)
| |     The FreeBSD base system does not ship a certificate bundle, but the ca_root_nss port provides one extracted from Mozilla's root CA list.
| |
| |     As discussed in QTBUG-14013, it should be preferable to have bundle files than separate certificate files, so the path for the certificate has been added directly.
| |
| |     Signed-off-by: Raphael Kubo da Costa <kubito@gmail.com>
| |     Merge-request: 896
| |     Reviewed-by: Thiago Macieira <thiago.macieira@nokia.com>
| * SSL internals: upon error, read all errors from OpenSSL (Peter Hartmann, 2010-11-11, files: 2, lines: -17/+27)
| |     ... and not only the last one. One call to OpenSSL can produce several errors, which we should always read all. Otherwise, malicious clients could intentionally poison the error queue.
| |
| |     Inspired-by: Merge request 2290
| |     Reviewed-by: Olivier Goffart
| |     Reviewed-by: Markus Goetz
| |     Task-number: QTBUG-14513
* | SSL: Fix crashes/hangs when retrieving CA certificates (Shane Kearns, 2010-11-11, files: 2, lines: -16/+60)
|/
|     Added error handling to the certificate retrieval thread
|     Made the certificate retrieval thread process critical (so if it crashes the process will crash instead of hang)
|     Filter the certificate list to only fetch CA certificates which are in X.509 format (symbian also allows WAP formats, but Qt does not support these).
|     Put the TPtr8 for asynch function parameter in the class data so it does not go out of scope while the function is in progress. Previously it was on the stack so it could be corrupted before the certificate server had finished using it.
|
|     Task-number: QTBUG-15005
|     Task-number: QTBUG-15126
|     Reviewed-by: Markus Goetz
* Sockets: Private function for pausing/resuming notifiers (Markus Goetz, 2010-10-27, files: 2, lines: -0/+16)
|     This will be used by QNAM to prevent event loop recursion while emitting signals that often spin an event loop, e.g. authenticationRequired() displaying a dialog for the user.
|
|     Reviewed-by: Peter Hartmann
|     Reviewed-by: Prasanth
|     Task-Number: QTBUG-13234
* Fixed many spelling errors. (Rohan McGovern, 2010-10-25, files: 1, lines: -1/+1)
|
* Merge commit 'doc-team/4.7' into 4.7 (Morten Engvoldsen, 2010-10-07, files: 1, lines: -3/+4)
|\
| * Doc: Fix broken links in QSslConfiguration (Geir Vattekar, 2010-10-06, files: 1, lines: -3/+4)
| |     Task-number: QTBUG-14213
| |     Reviewed-by: David Boddie
* | Make the OpenSSL library search also hit /lib. (Thiago Macieira, 2010-10-01, files: 1, lines: -1/+1)
|/
|     Task-number: http://bugs.meego.com/show_bug.cgi?id=7777
|     Reviewed-by: Markus Goetz
* QSslSocket speed up loading of system certificates on Unix (not Mac) (Peter Hartmann, 2010-09-28, files: 2, lines: -9/+30)
|     ... by only reading in a certificate once. Before, we were adding all files from all directories; since they often contained symlinks, the same certificate was added several times.
|
|     Reviewed-by: Markus Goetz
|     Reviewed-by: Thiago Macieira
|     Task-number: QTBUG-14013
* QSslSocketPrivate::systemCaCertificates() hangs sometimes on Symbian (Juha Turunen, 2010-09-09, files: 2, lines: -134/+136)
|     The patch fixes the hanging issues on some Symbian devices that occur while retrieving certificates from the Symbian certificate store. The hanging was caused by the certificate info array not being closed before exiting the thread. This alone wouldn't make the existing implementation work, so the patch replaces it with a pure Symbian style implementation which doesn't seem to be affected (probably some OpenC threads issue).
|
|     Merge-request: 808
|     Reviewed-by: Shane Kearns
|     Reviewed-by: Simon Hausmann <simon.hausmann@nokia.com>
|     Task: QTBUG-13033
* Merge remote branch 'origin/4.6' into qt-4.7-from-4.6 (Thiago Macieira, 2010-09-07, files: 1, lines: -9/+27)
|\
| |     Conflicts:
| |         qmake/Makefile.win32
| |         src/corelib/io/qfsfileengine_win.cpp
| |         src/corelib/kernel/qeventdispatcher_win.cpp
| |         src/gui/dialogs/qfiledialog_win.cpp
| |         src/gui/inputmethod/qcoefepinputcontext_s60.cpp
| |         src/gui/text/qfontdatabase_win.cpp
| |         src/gui/util/qsystemtrayicon_win.cpp
| |         src/script/utils/qscriptdate.cpp
| |         tests/auto/qinputcontext/tst_qinputcontext.cpp
| |         tests/auto/qscriptengine/tst_qscriptengine.cpp
| * Ensure that we load system libraries from the correct location. (Jan-Arve Sæther, 2010-09-03, files: 1, lines: -9/+27)
| |     This was a security hole that has been there for a while, but the public awareness has recently risen so the threat is more imminent now.
| |
| |     The solution is to fix all places where we dynamically load system libraries. More specifically, we now load all system libraries with an absolute path that points to a library in the system directory (usually c:\windows\system32).
| |
| |     We therefore introduce a small class named QSystemLibrary that only loads libraries located in the system path. This shares some of the API with QLibrary (in order to make the patch as small as possible).
| |
| |     We don't fix QLibrary due to risk of regressions. In addition, applications can fix the code that calls QLibrary themselves.
| |
| |     The problem does not apply to Windows CE, since the search order is documented as not searching in the current directory. However, it touches some CE-specific code - therefore QSystemLibrary is sometimes used on WinCE (however, it will just do a normal LoadLibrary() since it's safe anyway).
| |
| |     This change does not affect the testability plugin (it is not clearly documented where that plugin is located, and the plugin should never be used in production code anyway)
| |
| |     Loading OpenSSL libraries
| |     The ssl libraries are handled specially, and searched in this order (we cannot expect them to always be in the system folder):
| |     1. Application path
| |     2. System libraries path
| |     3. Trying all paths inside the PATH environment variable
| |
| |     Task-number: QT-3825
| |     Reviewed-by: Thiago Macieira
| |     Reviewed-by: Peter Hartmann