1 | // Copyright (C) 2016 The Qt Company Ltd. |
---|---|
2 | // Copyright (C) 2014 BlackBerry Limited. All rights reserved. |
3 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
4 | |
5 | #include "qssl_p.h" |
6 | #include "qsslconfiguration.h" |
7 | #include "qsslconfiguration_p.h" |
8 | #include "qsslsocket.h" |
9 | #include "qsslsocket_p.h" |
10 | #include "qmutex.h" |
11 | #include "qdebug.h" |
12 | |
13 | QT_BEGIN_NAMESPACE |
14 | |
15 | QT_IMPL_METATYPE_EXTERN(QSslConfiguration) |
16 | |
17 | const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments |
18 | |QSsl::SslOptionDisableLegacyRenegotiation |
19 | |QSsl::SslOptionDisableCompression |
20 | |QSsl::SslOptionDisableSessionPersistence; |
21 | |
22 | const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2"; |
23 | const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; |
24 | |
25 | /*! |
26 | \class QSslConfiguration |
27 | \brief The QSslConfiguration class holds the configuration and state of an SSL connection. |
28 | \since 4.4 |
29 | |
30 | \reentrant |
31 | \inmodule QtNetwork |
32 | \ingroup network |
33 | \ingroup ssl |
34 | \ingroup shared |
35 | |
36 | QSslConfiguration is used by Qt networking classes to relay |
37 | information about an open SSL connection and to allow the |
38 | application to control certain features of that connection. |
39 | |
40 | The settings that QSslConfiguration currently supports are: |
41 | |
42 | \list |
43 | \li The SSL/TLS protocol to be used |
44 | \li The certificate to be presented to the peer during connection |
45 | and its associated private key |
46 | \li The ciphers allowed to be used for encrypting the connection |
47 | \li The list of Certificate Authorities certificates that are |
48 | used to validate the peer's certificate |
49 | \endlist |
50 | |
51 | These settings are applied only during the connection |
52 | handshake. Setting them after the connection has been established |
53 | has no effect. |
54 | |
55 | The state that QSslConfiguration supports are: |
56 | \list |
57 | \li The certificate the peer presented during handshake, along |
58 | with the chain leading to a CA certificate |
59 | \li The cipher used to encrypt this session |
60 | \endlist |
61 | |
62 | The state can only be obtained once the SSL connection starts, but |
63 | not necessarily before it's done. Some settings may change during |
64 | the course of the SSL connection without need to restart it (for |
65 | instance, the cipher can be changed over time). |
66 | |
67 | State in QSslConfiguration objects cannot be changed. |
68 | |
69 | QSslConfiguration can be used with QSslSocket and the Network |
70 | Access API. |
71 | |
72 | Note that changing settings in QSslConfiguration is not enough to |
73 | change the settings in the related SSL connection. You must call |
74 | setSslConfiguration on a modified QSslConfiguration object to |
75 | achieve that. The following example illustrates how to change the |
76 | protocol to TLSv1_2 in a QSslSocket object: |
77 | |
78 | \snippet code/src_network_ssl_qsslconfiguration.cpp 0 |
79 | |
80 | \sa QSsl::SslProtocol, QSslCertificate, QSslCipher, QSslKey, |
81 | QSslSocket, QNetworkAccessManager, |
82 | QSslSocket::sslConfiguration(), QSslSocket::setSslConfiguration() |
83 | */ |
84 | |
85 | /*! |
86 | \enum QSslConfiguration::NextProtocolNegotiationStatus |
87 | |
88 | Describes the status of the Next Protocol Negotiation (NPN) or |
89 | Application-Layer Protocol Negotiation (ALPN). |
90 | |
91 | \value NextProtocolNegotiationNone No application protocol |
92 | has been negotiated (yet). |
93 | |
94 | \value NextProtocolNegotiationNegotiated A next protocol |
95 | has been negotiated (see nextNegotiatedProtocol()). |
96 | |
97 | \value NextProtocolNegotiationUnsupported The client and |
98 | server could not agree on a common next application protocol. |
99 | */ |
100 | |
101 | /*! |
102 | \variable QSslConfiguration::NextProtocolHttp1_1 |
103 | \brief The value used for negotiating HTTP 1.1 during the Next |
104 | Protocol Negotiation. |
105 | */ |
106 | |
107 | /*! |
108 | \variable QSslConfiguration::ALPNProtocolHTTP2 |
109 | \brief The value used for negotiating HTTP 2 during the Application-Layer |
110 | Protocol Negotiation. |
111 | */ |
112 | |
113 | /*! |
114 | Constructs an empty SSL configuration. This configuration contains |
115 | no valid settings and the state will be empty. isNull() will |
116 | return true after this constructor is called. |
117 | |
118 | Once any setter methods are called, isNull() will return false. |
119 | */ |
120 | QSslConfiguration::QSslConfiguration() |
121 | : d(new QSslConfigurationPrivate) |
122 | { |
123 | } |
124 | |
125 | /*! |
126 | Copies the configuration and state of \a other. If \a other is |
127 | null, this object will be null too. |
128 | */ |
129 | QSslConfiguration::QSslConfiguration(const QSslConfiguration &other) |
130 | : d(other.d) |
131 | { |
132 | } |
133 | |
134 | /*! |
135 | Releases any resources held by QSslConfiguration. |
136 | */ |
137 | QSslConfiguration::~QSslConfiguration() |
138 | { |
139 | // QSharedDataPointer deletes d for us if necessary |
140 | } |
141 | |
142 | /*! |
143 | Copies the configuration and state of \a other. If \a other is |
144 | null, this object will be null too. |
145 | */ |
146 | QSslConfiguration &QSslConfiguration::operator=(const QSslConfiguration &other) |
147 | { |
148 | d = other.d; |
149 | return *this; |
150 | } |
151 | |
152 | /*! |
153 | \fn void QSslConfiguration::swap(QSslConfiguration &other) |
154 | \since 5.0 |
155 | |
156 | Swaps this SSL configuration instance with \a other. This function |
157 | is very fast and never fails. |
158 | */ |
159 | |
160 | /*! |
161 | Returns \c true if this QSslConfiguration object is equal to \a |
162 | other. |
163 | |
164 | Two QSslConfiguration objects are considered equal if they have |
165 | the exact same settings and state. |
166 | |
167 | \sa operator!=() |
168 | */ |
169 | bool QSslConfiguration::operator==(const QSslConfiguration &other) const |
170 | { |
171 | if (d == other.d) |
172 | return true; |
173 | return d->peerCertificate == other.d->peerCertificate && |
174 | d->peerCertificateChain == other.d->peerCertificateChain && |
175 | d->localCertificateChain == other.d->localCertificateChain && |
176 | d->privateKey == other.d->privateKey && |
177 | d->sessionCipher == other.d->sessionCipher && |
178 | d->sessionProtocol == other.d->sessionProtocol && |
179 | d->preSharedKeyIdentityHint == other.d->preSharedKeyIdentityHint && |
180 | d->ciphers == other.d->ciphers && |
181 | d->ellipticCurves == other.d->ellipticCurves && |
182 | d->ephemeralServerKey == other.d->ephemeralServerKey && |
183 | d->dhParams == other.d->dhParams && |
184 | d->caCertificates == other.d->caCertificates && |
185 | d->protocol == other.d->protocol && |
186 | d->peerVerifyMode == other.d->peerVerifyMode && |
187 | d->peerVerifyDepth == other.d->peerVerifyDepth && |
188 | d->allowRootCertOnDemandLoading == other.d->allowRootCertOnDemandLoading && |
189 | d->backendConfig == other.d->backendConfig && |
190 | d->sslOptions == other.d->sslOptions && |
191 | d->sslSession == other.d->sslSession && |
192 | d->sslSessionTicketLifeTimeHint == other.d->sslSessionTicketLifeTimeHint && |
193 | d->nextAllowedProtocols == other.d->nextAllowedProtocols && |
194 | d->nextNegotiatedProtocol == other.d->nextNegotiatedProtocol && |
195 | d->nextProtocolNegotiationStatus == other.d->nextProtocolNegotiationStatus && |
196 | d->dtlsCookieEnabled == other.d->dtlsCookieEnabled && |
197 | d->ocspStaplingEnabled == other.d->ocspStaplingEnabled && |
198 | d->reportFromCallback == other.d->reportFromCallback && |
199 | d->missingCertIsFatal == other.d->missingCertIsFatal; |
200 | } |
201 | |
202 | /*! |
203 | \fn QSslConfiguration::operator!=(const QSslConfiguration &other) const |
204 | |
205 | Returns \c true if this QSslConfiguration differs from \a other. Two |
206 | QSslConfiguration objects are considered different if any state or |
207 | setting is different. |
208 | |
209 | \sa operator==() |
210 | */ |
211 | |
212 | /*! |
213 | Returns \c true if this is a null QSslConfiguration object. |
214 | |
215 | A QSslConfiguration object is null if it has been |
216 | default-constructed and no setter methods have been called. |
217 | |
218 | \sa setProtocol(), setLocalCertificate(), setPrivateKey(), |
219 | setCiphers(), setCaCertificates() |
220 | */ |
221 | bool QSslConfiguration::isNull() const |
222 | { |
223 | return (d->protocol == QSsl::SecureProtocols && |
224 | d->peerVerifyMode == QSslSocket::AutoVerifyPeer && |
225 | d->peerVerifyDepth == 0 && |
226 | d->allowRootCertOnDemandLoading == true && |
227 | d->caCertificates.size() == 0 && |
228 | d->ciphers.size() == 0 && |
229 | d->ellipticCurves.isEmpty() && |
230 | d->ephemeralServerKey.isNull() && |
231 | d->dhParams == QSslDiffieHellmanParameters::defaultParameters() && |
232 | d->localCertificateChain.isEmpty() && |
233 | d->privateKey.isNull() && |
234 | d->peerCertificate.isNull() && |
235 | d->peerCertificateChain.size() == 0 && |
236 | d->backendConfig.isEmpty() && |
237 | d->sslOptions == QSslConfigurationPrivate::defaultSslOptions && |
238 | d->sslSession.isNull() && |
239 | d->sslSessionTicketLifeTimeHint == -1 && |
240 | d->preSharedKeyIdentityHint.isNull() && |
241 | d->nextAllowedProtocols.isEmpty() && |
242 | d->nextNegotiatedProtocol.isNull() && |
243 | d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone && |
244 | d->ocspStaplingEnabled == false && |
245 | d->reportFromCallback == false && |
246 | d->missingCertIsFatal == false); |
247 | } |
248 | |
249 | /*! |
250 | Returns the protocol setting for this SSL configuration. |
251 | |
252 | \sa setProtocol() |
253 | */ |
254 | QSsl::SslProtocol QSslConfiguration::protocol() const |
255 | { |
256 | return d->protocol; |
257 | } |
258 | |
259 | /*! |
260 | Sets the protocol setting for this configuration to be \a |
261 | protocol. |
262 | |
263 | Setting the protocol once the connection has already been |
264 | established has no effect. |
265 | |
266 | \sa protocol() |
267 | */ |
268 | void QSslConfiguration::setProtocol(QSsl::SslProtocol protocol) |
269 | { |
270 | d->protocol = protocol; |
271 | } |
272 | |
273 | /*! |
274 | Returns the verify mode. This mode decides whether QSslSocket should |
275 | request a certificate from the peer (i.e., the client requests a |
276 | certificate from the server, or a server requesting a certificate from the |
277 | client), and whether it should require that this certificate is valid. |
278 | |
279 | The default mode is AutoVerifyPeer, which tells QSslSocket to use |
280 | VerifyPeer for clients, QueryPeer for servers. |
281 | |
282 | \sa setPeerVerifyMode() |
283 | */ |
284 | QSslSocket::PeerVerifyMode QSslConfiguration::peerVerifyMode() const |
285 | { |
286 | return d->peerVerifyMode; |
287 | } |
288 | |
289 | /*! |
290 | Sets the verify mode to \a mode. This mode decides whether QSslSocket |
291 | should request a certificate from the peer (i.e., the client requests a |
292 | certificate from the server, or a server requesting a certificate from the |
293 | client), and whether it should require that this certificate is valid. |
294 | |
295 | The default mode is AutoVerifyPeer, which tells QSslSocket to use |
296 | VerifyPeer for clients, QueryPeer for servers. |
297 | |
298 | \sa peerVerifyMode() |
299 | */ |
300 | void QSslConfiguration::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode) |
301 | { |
302 | d->peerVerifyMode = mode; |
303 | } |
304 | |
305 | |
306 | /*! |
307 | Returns the maximum number of certificates in the peer's certificate chain |
308 | to be checked during the SSL handshake phase, or 0 (the default) if no |
309 | maximum depth has been set, indicating that the whole certificate chain |
310 | should be checked. |
311 | |
312 | The certificates are checked in issuing order, starting with the peer's |
313 | own certificate, then its issuer's certificate, and so on. |
314 | |
315 | \sa setPeerVerifyDepth(), peerVerifyMode() |
316 | */ |
317 | int QSslConfiguration::peerVerifyDepth() const |
318 | { |
319 | return d->peerVerifyDepth; |
320 | } |
321 | |
322 | /*! |
323 | Sets the maximum number of certificates in the peer's certificate chain to |
324 | be checked during the SSL handshake phase, to \a depth. Setting a depth of |
325 | 0 means that no maximum depth is set, indicating that the whole |
326 | certificate chain should be checked. |
327 | |
328 | The certificates are checked in issuing order, starting with the peer's |
329 | own certificate, then its issuer's certificate, and so on. |
330 | |
331 | \sa peerVerifyDepth(), setPeerVerifyMode() |
332 | */ |
333 | void QSslConfiguration::setPeerVerifyDepth(int depth) |
334 | { |
335 | if (depth < 0) { |
336 | qCWarning(lcSsl, |
337 | "QSslConfiguration::setPeerVerifyDepth: cannot set negative depth of %d", depth); |
338 | return; |
339 | } |
340 | d->peerVerifyDepth = depth; |
341 | } |
342 | |
343 | /*! |
344 | Returns the certificate chain to be presented to the peer during |
345 | the SSL handshake process. |
346 | |
347 | \sa localCertificate() |
348 | \since 5.1 |
349 | */ |
350 | QList<QSslCertificate> QSslConfiguration::localCertificateChain() const |
351 | { |
352 | return d->localCertificateChain; |
353 | } |
354 | |
355 | /*! |
356 | Sets the certificate chain to be presented to the peer during the |
357 | SSL handshake to be \a localChain. |
358 | |
359 | Setting the certificate chain once the connection has been |
360 | established has no effect. |
361 | |
362 | A certificate is the means of identification used in the SSL |
363 | process. The local certificate is used by the remote end to verify |
364 | the local user's identity against its list of Certification |
365 | Authorities. In most cases, such as in HTTP web browsing, only |
366 | servers identify to the clients, so the client does not send a |
367 | certificate. |
368 | |
369 | Unlike QSslConfiguration::setLocalCertificate() this method allows |
370 | you to specify any intermediate certificates required in order to |
371 | validate your certificate. The first item in the list must be the |
372 | leaf certificate. |
373 | |
374 | \sa localCertificateChain() |
375 | \since 5.1 |
376 | */ |
377 | void QSslConfiguration::setLocalCertificateChain(const QList<QSslCertificate> &localChain) |
378 | { |
379 | d->localCertificateChain = localChain; |
380 | } |
381 | |
382 | /*! |
383 | Returns the certificate to be presented to the peer during the SSL |
384 | handshake process. |
385 | |
386 | \sa setLocalCertificate() |
387 | */ |
388 | QSslCertificate QSslConfiguration::localCertificate() const |
389 | { |
390 | if (d->localCertificateChain.isEmpty()) |
391 | return QSslCertificate(); |
392 | return d->localCertificateChain[0]; |
393 | } |
394 | |
395 | /*! |
396 | Sets the certificate to be presented to the peer during SSL |
397 | handshake to be \a certificate. |
398 | |
399 | Setting the certificate once the connection has been established |
400 | has no effect. |
401 | |
402 | A certificate is the means of identification used in the SSL |
403 | process. The local certificate is used by the remote end to verify |
404 | the local user's identity against its list of Certification |
405 | Authorities. In most cases, such as in HTTP web browsing, only |
406 | servers identify to the clients, so the client does not send a |
407 | certificate. |
408 | |
409 | \sa localCertificate() |
410 | */ |
411 | void QSslConfiguration::setLocalCertificate(const QSslCertificate &certificate) |
412 | { |
413 | d->localCertificateChain = QList<QSslCertificate>(); |
414 | d->localCertificateChain += certificate; |
415 | } |
416 | |
417 | /*! |
418 | Returns the peer's digital certificate (i.e., the immediate |
419 | certificate of the host you are connected to), or a null |
420 | certificate, if the peer has not assigned a certificate. |
421 | |
422 | The peer certificate is checked automatically during the |
423 | handshake phase, so this function is normally used to fetch |
424 | the certificate for display or for connection diagnostic |
425 | purposes. It contains information about the peer, including |
426 | its host name, the certificate issuer, and the peer's public |
427 | key. |
428 | |
429 | Because the peer certificate is set during the handshake phase, it |
430 | is safe to access the peer certificate from a slot connected to |
431 | the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors() |
432 | signal, or the QSslSocket::encrypted() signal. |
433 | |
434 | If a null certificate is returned, it can mean the SSL handshake |
435 | failed, or it can mean the host you are connected to doesn't have |
436 | a certificate, or it can mean there is no connection. |
437 | |
438 | If you want to check the peer's complete chain of certificates, |
439 | use peerCertificateChain() to get them all at once. |
440 | |
441 | \sa peerCertificateChain(), |
442 | QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(), |
443 | QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors() |
444 | */ |
445 | QSslCertificate QSslConfiguration::peerCertificate() const |
446 | { |
447 | return d->peerCertificate; |
448 | } |
449 | |
450 | /*! |
451 | Returns the peer's chain of digital certificates, starting with |
452 | the peer's immediate certificate and ending with the CA's |
453 | certificate. |
454 | |
455 | Peer certificates are checked automatically during the handshake |
456 | phase. This function is normally used to fetch certificates for |
457 | display, or for performing connection diagnostics. Certificates |
458 | contain information about the peer and the certificate issuers, |
459 | including host name, issuer names, and issuer public keys. |
460 | |
461 | Because the peer certificate is set during the handshake phase, it |
462 | is safe to access the peer certificate from a slot connected to |
463 | the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors() |
464 | signal, or the QSslSocket::encrypted() signal. |
465 | |
466 | If an empty list is returned, it can mean the SSL handshake |
467 | failed, or it can mean the host you are connected to doesn't have |
468 | a certificate, or it can mean there is no connection. |
469 | |
470 | If you want to get only the peer's immediate certificate, use |
471 | peerCertificate(). |
472 | |
473 | \sa peerCertificate(), |
474 | QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(), |
475 | QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors() |
476 | */ |
477 | QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const |
478 | { |
479 | return d->peerCertificateChain; |
480 | } |
481 | |
482 | /*! |
483 | Returns the socket's cryptographic \l {QSslCipher} {cipher}, or a |
484 | null cipher if the connection isn't encrypted. The socket's cipher |
485 | for the session is set during the handshake phase. The cipher is |
486 | used to encrypt and decrypt data transmitted through the socket. |
487 | |
488 | The SSL infrastructure also provides functions for setting the |
489 | ordered list of ciphers from which the handshake phase will |
490 | eventually select the session cipher. This ordered list must be in |
491 | place before the handshake phase begins. |
492 | |
493 | \sa ciphers(), setCiphers(), supportedCiphers() |
494 | */ |
495 | QSslCipher QSslConfiguration::sessionCipher() const |
496 | { |
497 | return d->sessionCipher; |
498 | } |
499 | |
500 | /*! |
501 | Returns the socket's SSL/TLS protocol or UnknownProtocol if the |
502 | connection isn't encrypted. The socket's protocol for the session |
503 | is set during the handshake phase. |
504 | |
505 | \sa protocol(), setProtocol() |
506 | \since 5.4 |
507 | */ |
508 | QSsl::SslProtocol QSslConfiguration::sessionProtocol() const |
509 | { |
510 | return d->sessionProtocol; |
511 | } |
512 | |
513 | /*! |
514 | Returns the \l {QSslKey} {SSL key} assigned to this connection or |
515 | a null key if none has been assigned yet. |
516 | |
517 | \sa setPrivateKey(), localCertificate() |
518 | */ |
519 | QSslKey QSslConfiguration::privateKey() const |
520 | { |
521 | return d->privateKey; |
522 | } |
523 | |
524 | /*! |
525 | Sets the connection's private \l {QSslKey} {key} to \a key. The |
526 | private key and the local \l {QSslCertificate} {certificate} are |
527 | used by clients and servers that must prove their identity to |
528 | SSL peers. |
529 | |
530 | Both the key and the local certificate are required if you are |
531 | creating an SSL server socket. If you are creating an SSL client |
532 | socket, the key and local certificate are required if your client |
533 | must identify itself to an SSL server. |
534 | |
535 | \sa privateKey(), setLocalCertificate() |
536 | */ |
537 | void QSslConfiguration::setPrivateKey(const QSslKey &key) |
538 | { |
539 | d->privateKey = key; |
540 | } |
541 | |
542 | /*! |
543 | Returns this connection's current cryptographic cipher suite. This |
544 | list is used during the handshake phase for choosing a |
545 | session cipher. The returned list of ciphers is ordered by |
546 | descending preference. (i.e., the first cipher in the list is the |
547 | most preferred cipher). The session cipher will be the first one |
548 | in the list that is also supported by the peer. |
549 | |
550 | By default, the handshake phase can choose any of the ciphers |
551 | supported by this system's SSL libraries, which may vary from |
552 | system to system. The list of ciphers supported by this system's |
553 | SSL libraries is returned by supportedCiphers(). You can restrict |
554 | the list of ciphers used for choosing the session cipher for this |
555 | socket by calling setCiphers() with a subset of the supported |
556 | ciphers. You can revert to using the entire set by calling |
557 | setCiphers() with the list returned by supportedCiphers(). |
558 | |
559 | \sa setCiphers(), supportedCiphers() |
560 | */ |
561 | QList<QSslCipher> QSslConfiguration::ciphers() const |
562 | { |
563 | return d->ciphers; |
564 | } |
565 | |
566 | /*! |
567 | Sets the cryptographic cipher suite for this socket to \a ciphers, |
568 | which must contain a subset of the ciphers in the list returned by |
569 | supportedCiphers(). |
570 | |
571 | Restricting the cipher suite must be done before the handshake |
572 | phase, where the session cipher is chosen. |
573 | |
574 | \sa ciphers(), supportedCiphers() |
575 | */ |
576 | void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers) |
577 | { |
578 | d->ciphers = ciphers; |
579 | } |
580 | |
581 | /*! |
582 | \since 6.0 |
583 | |
584 | Sets the cryptographic cipher suite for this configuration to \a ciphers, |
585 | which is a colon-separated list of cipher suite names. The ciphers are listed |
586 | in order of preference, starting with the most preferred cipher. |
587 | Each cipher name in \a ciphers must be the name of a cipher in the |
588 | list returned by supportedCiphers(). Restricting the cipher suite |
589 | must be done before the handshake phase, where the session cipher |
590 | is chosen. |
591 | |
592 | \note With the Schannel backend the order of the ciphers is ignored and Schannel |
593 | picks the most secure one during the handshake. |
594 | |
595 | \sa ciphers() |
596 | */ |
597 | void QSslConfiguration::setCiphers(const QString &ciphers) |
598 | { |
599 | auto *p = d.data(); |
600 | p->ciphers.clear(); |
601 | const auto cipherNames = ciphers.split(sep: u':', behavior: Qt::SkipEmptyParts); |
602 | for (const QString &cipherName : cipherNames) { |
603 | QSslCipher cipher(cipherName); |
604 | if (!cipher.isNull()) |
605 | p->ciphers << cipher; |
606 | } |
607 | } |
608 | |
609 | /*! |
610 | \since 5.5 |
611 | |
612 | Returns the list of cryptographic ciphers supported by this |
613 | system. This list is set by the system's SSL libraries and may |
614 | vary from system to system. |
615 | |
616 | \sa ciphers(), setCiphers() |
617 | */ |
618 | QList<QSslCipher> QSslConfiguration::supportedCiphers() |
619 | { |
620 | return QSslSocketPrivate::supportedCiphers(); |
621 | } |
622 | |
623 | /*! |
624 | Returns this connection's CA certificate database. The CA certificate |
625 | database is used by the socket during the handshake phase to |
626 | validate the peer's certificate. It can be modified prior to the |
627 | handshake with setCaCertificates(), or with addCaCertificate() and |
628 | addCaCertificates(). |
629 | |
630 | \sa setCaCertificates(), addCaCertificate(), addCaCertificates() |
631 | */ |
632 | QList<QSslCertificate> QSslConfiguration::caCertificates() const |
633 | { |
634 | return d->caCertificates; |
635 | } |
636 | |
637 | /*! |
638 | Sets this socket's CA certificate database to be \a certificates. |
639 | The certificate database must be set prior to the SSL handshake. |
640 | The CA certificate database is used by the socket during the |
641 | handshake phase to validate the peer's certificate. |
642 | |
643 | \note The default configuration uses the system CA certificate database. If |
644 | that is not available (as is commonly the case on iOS), the default database |
645 | is empty. |
646 | |
647 | \sa caCertificates(), addCaCertificates(), addCaCertificate() |
648 | */ |
649 | void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates) |
650 | { |
651 | d->caCertificates = certificates; |
652 | d->allowRootCertOnDemandLoading = false; |
653 | } |
654 | |
655 | /*! |
656 | \since 5.15 |
657 | |
658 | Searches all files in the \a path for certificates encoded in the |
659 | specified \a format and adds them to this socket's CA certificate |
660 | database. \a path must be a file or a pattern matching one or more |
661 | files, as specified by \a syntax. Returns \c true if one or more |
662 | certificates are added to the socket's CA certificate database; |
663 | otherwise returns \c false. |
664 | |
665 | The CA certificate database is used by the socket during the |
666 | handshake phase to validate the peer's certificate. |
667 | |
668 | For more precise control, use addCaCertificate(). |
669 | |
670 | \sa addCaCertificate(), QSslCertificate::fromPath() |
671 | */ |
672 | bool QSslConfiguration::addCaCertificates(const QString &path, QSsl::EncodingFormat format, |
673 | QSslCertificate::PatternSyntax syntax) |
674 | { |
675 | QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax); |
676 | if (certs.isEmpty()) |
677 | return false; |
678 | |
679 | d->caCertificates += certs; |
680 | return true; |
681 | } |
682 | |
683 | /*! |
684 | \since 5.15 |
685 | |
686 | Adds \a certificate to this configuration's CA certificate database. |
687 | The certificate database must be set prior to the SSL handshake. |
688 | The CA certificate database is used by the socket during the |
689 | handshake phase to validate the peer's certificate. |
690 | |
691 | \note The default configuration uses the system CA certificate database. If |
692 | that is not available (as is commonly the case on iOS), the default database |
693 | is empty. |
694 | |
695 | \sa caCertificates(), setCaCertificates(), addCaCertificates() |
696 | */ |
697 | void QSslConfiguration::addCaCertificate(const QSslCertificate &certificate) |
698 | { |
699 | d->caCertificates += certificate; |
700 | d->allowRootCertOnDemandLoading = false; |
701 | } |
702 | |
703 | /*! |
704 | \since 5.15 |
705 | |
706 | Adds \a certificates to this configuration's CA certificate database. |
707 | The certificate database must be set prior to the SSL handshake. |
708 | The CA certificate database is used by the socket during the |
709 | handshake phase to validate the peer's certificate. |
710 | |
711 | \note The default configuration uses the system CA certificate database. If |
712 | that is not available (as is commonly the case on iOS), the default database |
713 | is empty. |
714 | |
715 | \sa caCertificates(), setCaCertificates(), addCaCertificate() |
716 | */ |
717 | void QSslConfiguration::addCaCertificates(const QList<QSslCertificate> &certificates) |
718 | { |
719 | d->caCertificates += certificates; |
720 | d->allowRootCertOnDemandLoading = false; |
721 | } |
722 | |
723 | /*! |
724 | \since 5.5 |
725 | |
726 | This function provides the CA certificate database |
727 | provided by the operating system. The CA certificate database |
728 | returned by this function is used to initialize the database |
729 | returned by caCertificates() on the default QSslConfiguration. |
730 | |
731 | \sa caCertificates(), setCaCertificates(), defaultConfiguration(), |
732 | addCaCertificate(), addCaCertificates() |
733 | */ |
734 | QList<QSslCertificate> QSslConfiguration::systemCaCertificates() |
735 | { |
736 | // we are calling ensureInitialized() in the method below |
737 | return QSslSocketPrivate::systemCaCertificates(); |
738 | } |
739 | |
740 | /*! |
741 | Enables or disables an SSL compatibility \a option. If \a on |
742 | is true, the \a option is enabled. If \a on is false, the |
743 | \a option is disabled. |
744 | |
745 | \sa testSslOption() |
746 | */ |
747 | void QSslConfiguration::setSslOption(QSsl::SslOption option, bool on) |
748 | { |
749 | d->sslOptions.setFlag(flag: option, on); |
750 | } |
751 | |
752 | /*! |
753 | \since 4.8 |
754 | |
755 | Returns \c true if the specified SSL compatibility \a option is enabled. |
756 | |
757 | \sa setSslOption() |
758 | */ |
759 | bool QSslConfiguration::testSslOption(QSsl::SslOption option) const |
760 | { |
761 | return d->sslOptions & option; |
762 | } |
763 | |
764 | /*! |
765 | \since 5.2 |
766 | |
767 | If QSsl::SslOptionDisableSessionPersistence was turned off, this |
768 | function returns the session ticket used in the SSL handshake in ASN.1 |
769 | format, suitable to e.g. be persisted to disk. If no session ticket was |
770 | used or QSsl::SslOptionDisableSessionPersistence was not turned off, |
771 | this function returns an empty QByteArray. |
772 | |
773 | \note When persisting the session ticket to disk or similar, be |
774 | careful not to expose the session to a potential attacker, as |
775 | knowledge of the session allows for eavesdropping on data |
776 | encrypted with the session parameters. |
777 | |
778 | \sa setSessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived() |
779 | */ |
780 | QByteArray QSslConfiguration::sessionTicket() const |
781 | { |
782 | return d->sslSession; |
783 | } |
784 | |
785 | /*! |
786 | \since 5.2 |
787 | |
788 | Sets the session ticket to be used in an SSL handshake. |
789 | QSsl::SslOptionDisableSessionPersistence must be turned off |
790 | for this to work, and \a sessionTicket must be in ASN.1 format |
791 | as returned by sessionTicket(). |
792 | |
793 | \sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived() |
794 | */ |
795 | void QSslConfiguration::setSessionTicket(const QByteArray &sessionTicket) |
796 | { |
797 | d->sslSession = sessionTicket; |
798 | } |
799 | |
800 | /*! |
801 | \since 5.2 |
802 | |
803 | If QSsl::SslOptionDisableSessionPersistence was turned off, this |
804 | function returns the session ticket life time hint sent by the |
805 | server (which might be 0). |
806 | If the server did not send a session ticket (e.g. when |
807 | resuming a session or when the server does not support it) or |
808 | QSsl::SslOptionDisableSessionPersistence was not turned off, |
809 | this function returns -1. |
810 | |
811 | \sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived() |
812 | */ |
813 | int QSslConfiguration::sessionTicketLifeTimeHint() const |
814 | { |
815 | return d->sslSessionTicketLifeTimeHint; |
816 | } |
817 | |
818 | /*! |
819 | \since 5.7 |
820 | |
821 | Returns the ephemeral server key used for cipher algorithms |
822 | with forward secrecy, e.g. DHE-RSA-AES128-SHA. |
823 | |
824 | The ephemeral key is only available when running in client mode, i.e. |
825 | QSslSocket::SslClientMode. When running in server mode or using a |
826 | cipher algorithm without forward secrecy a null key is returned. |
827 | The ephemeral server key will be set before emitting the encrypted() |
828 | signal. |
829 | */ |
830 | QSslKey QSslConfiguration::ephemeralServerKey() const |
831 | { |
832 | return d->ephemeralServerKey; |
833 | } |
834 | |
835 | /*! |
836 | \since 5.5 |
837 | |
838 | Returns this connection's current list of elliptic curves. This |
839 | list is used during the handshake phase for choosing an |
840 | elliptic curve (when using an elliptic curve cipher). |
841 | The returned list of curves is ordered by descending preference |
842 | (i.e., the first curve in the list is the most preferred one). |
843 | |
844 | By default, the handshake phase can choose any of the curves |
845 | supported by this system's SSL libraries, which may vary from |
846 | system to system. The list of curves supported by this system's |
847 | SSL libraries is returned by QSslSocket::supportedEllipticCurves(). |
848 | |
849 | You can restrict the list of curves used for choosing the session cipher |
850 | for this socket by calling setEllipticCurves() with a subset of the |
851 | supported ciphers. You can revert to using the entire set by calling |
852 | setEllipticCurves() with the list returned by |
853 | QSslSocket::supportedEllipticCurves(). |
854 | |
855 | \sa setEllipticCurves |
856 | */ |
857 | QList<QSslEllipticCurve> QSslConfiguration::ellipticCurves() const |
858 | { |
859 | return d->ellipticCurves; |
860 | } |
861 | |
862 | /*! |
863 | \since 5.5 |
864 | |
865 | Sets the list of elliptic curves to be used by this socket to \a curves, |
866 | which must contain a subset of the curves in the list returned by |
867 | supportedEllipticCurves(). |
868 | |
869 | Restricting the elliptic curves must be done before the handshake |
870 | phase, where the session cipher is chosen. |
871 | |
872 | \sa ellipticCurves |
873 | */ |
874 | void QSslConfiguration::setEllipticCurves(const QList<QSslEllipticCurve> &curves) |
875 | { |
876 | d->ellipticCurves = curves; |
877 | } |
878 | |
879 | /*! |
880 | \since 5.5 |
881 | |
882 | Returns the list of elliptic curves supported by this |
883 | system. This list is set by the system's SSL libraries and may |
884 | vary from system to system. |
885 | |
886 | \sa ellipticCurves(), setEllipticCurves() |
887 | */ |
888 | QList<QSslEllipticCurve> QSslConfiguration::supportedEllipticCurves() |
889 | { |
890 | return QSslSocketPrivate::supportedEllipticCurves(); |
891 | } |
892 | |
893 | /*! |
894 | \since 5.8 |
895 | |
896 | Returns the identity hint. |
897 | |
898 | \sa setPreSharedKeyIdentityHint() |
899 | */ |
900 | QByteArray QSslConfiguration::preSharedKeyIdentityHint() const |
901 | { |
902 | return d->preSharedKeyIdentityHint; |
903 | } |
904 | |
905 | /*! |
906 | \since 5.8 |
907 | |
908 | Sets the identity hint for a preshared key authentication to \a hint. This will |
909 | affect the next initiated handshake; calling this function on an already-encrypted |
910 | socket will not affect the socket's identity hint. |
911 | |
912 | The identity hint is used in QSslSocket::SslServerMode only! |
913 | */ |
914 | void QSslConfiguration::setPreSharedKeyIdentityHint(const QByteArray &hint) |
915 | { |
916 | d->preSharedKeyIdentityHint = hint; |
917 | } |
918 | |
919 | /*! |
920 | \since 5.8 |
921 | |
922 | Retrieves the current set of Diffie-Hellman parameters. |
923 | |
924 | If no Diffie-Hellman parameters have been set, the QSslConfiguration object |
925 | defaults to using the 2048-bit MODP group from RFC 3526. |
926 | |
927 | \note The default parameters may change in future Qt versions. |
928 | Please check the documentation of the \e{exact Qt version} that you |
929 | are using in order to know what defaults that version uses. |
930 | */ |
931 | QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const |
932 | { |
933 | return d->dhParams; |
934 | } |
935 | |
936 | /*! |
937 | \since 5.8 |
938 | |
939 | Sets a custom set of Diffie-Hellman parameters to be used by this socket when functioning as |
940 | a server to \a dhparams. |
941 | |
942 | If no Diffie-Hellman parameters have been set, the QSslConfiguration object |
943 | defaults to using the 2048-bit MODP group from RFC 3526. |
944 | |
945 | Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection |
946 | (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it. |
947 | |
948 | \note The default parameters may change in future Qt versions. |
949 | Please check the documentation of the \e{exact Qt version} that you |
950 | are using in order to know what defaults that version uses. |
951 | */ |
952 | void QSslConfiguration::setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams) |
953 | { |
954 | d->dhParams = dhparams; |
955 | } |
956 | |
957 | /*! |
958 | \since 5.11 |
959 | |
960 | Returns the backend-specific configuration. |
961 | |
962 | Only options set by setBackendConfigurationOption() or setBackendConfiguration() will be |
963 | returned. The internal standard configuration of the backend is not reported. |
964 | |
965 | \sa setBackendConfigurationOption(), setBackendConfiguration() |
966 | */ |
967 | QMap<QByteArray, QVariant> QSslConfiguration::backendConfiguration() const |
968 | { |
969 | return d->backendConfig; |
970 | } |
971 | |
972 | /*! |
973 | \since 5.11 |
974 | |
975 | Sets the option \a name in the backend-specific configuration to \a value. |
976 | |
977 | Options supported by the OpenSSL (>= 1.0.2) backend are available in the \l |
978 | {https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS} |
979 | {supported configuration file commands} documentation. The expected type for |
980 | the \a value parameter is a QByteArray for all options. The \l |
981 | {https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#EXAMPLES}{examples} |
982 | show how to use some of the options. |
983 | |
984 | \note The backend-specific configuration will be applied after the general |
985 | configuration. Using the backend-specific configuration to set a general |
986 | configuration option again will overwrite the general configuration option. |
987 | |
988 | \sa backendConfiguration(), setBackendConfiguration() |
989 | */ |
990 | void QSslConfiguration::setBackendConfigurationOption(const QByteArray &name, const QVariant &value) |
991 | { |
992 | d->backendConfig[name] = value; |
993 | } |
994 | |
995 | /*! |
996 | \since 5.11 |
997 | |
998 | Sets or clears the backend-specific configuration. |
999 | |
1000 | Without a \a backendConfiguration parameter this function will clear the |
1001 | backend-specific configuration. More information about the supported |
1002 | options is available in the documentation of setBackendConfigurationOption(). |
1003 | |
1004 | \sa backendConfiguration(), setBackendConfigurationOption() |
1005 | */ |
1006 | void QSslConfiguration::setBackendConfiguration(const QMap<QByteArray, QVariant> &backendConfiguration) |
1007 | { |
1008 | d->backendConfig = backendConfiguration; |
1009 | } |
1010 | |
1011 | /*! |
1012 | \since 5.3 |
1013 | |
1014 | This function returns the protocol negotiated with the server |
1015 | if the Next Protocol Negotiation (NPN) or Application-Layer Protocol |
1016 | Negotiation (ALPN) TLS extension was enabled. |
1017 | In order for the NPN/ALPN extension to be enabled, setAllowedNextProtocols() |
1018 | needs to be called explicitly before connecting to the server. |
1019 | |
1020 | If no protocol could be negotiated or the extension was not enabled, |
1021 | this function returns a QByteArray which is null. |
1022 | |
1023 | \sa setAllowedNextProtocols(), nextProtocolNegotiationStatus() |
1024 | */ |
1025 | QByteArray QSslConfiguration::nextNegotiatedProtocol() const |
1026 | { |
1027 | return d->nextNegotiatedProtocol; |
1028 | } |
1029 | |
1030 | /*! |
1031 | \since 5.3 |
1032 | |
1033 | This function sets the allowed \a protocols to be negotiated with the |
1034 | server through the Next Protocol Negotiation (NPN) or Application-Layer |
1035 | Protocol Negotiation (ALPN) TLS extension; each |
1036 | element in \a protocols must define one allowed protocol. |
1037 | The function must be called explicitly before connecting to send the NPN/ALPN |
1038 | extension in the SSL handshake. |
1039 | Whether or not the negotiation succeeded can be queried through |
1040 | nextProtocolNegotiationStatus(). |
1041 | |
1042 | \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1 |
1043 | */ |
1044 | void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols) |
1045 | { |
1046 | d->nextAllowedProtocols = protocols; |
1047 | } |
1048 | |
1049 | /*! |
1050 | \since 5.3 |
1051 | |
1052 | This function returns the allowed protocols to be negotiated with the |
1053 | server through the Next Protocol Negotiation (NPN) or Application-Layer |
1054 | Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols(). |
1055 | |
1056 | \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1 |
1057 | */ |
1058 | QList<QByteArray> QSslConfiguration::allowedNextProtocols() const |
1059 | { |
1060 | return d->nextAllowedProtocols; |
1061 | } |
1062 | |
1063 | /*! |
1064 | \since 5.3 |
1065 | |
1066 | This function returns the status of the Next Protocol Negotiation (NPN) |
1067 | or Application-Layer Protocol Negotiation (ALPN). |
1068 | If the feature has not been enabled through setAllowedNextProtocols(), |
1069 | this function returns NextProtocolNegotiationNone. |
1070 | The status will be set before emitting the encrypted() signal. |
1071 | |
1072 | \sa setAllowedNextProtocols(), allowedNextProtocols(), nextNegotiatedProtocol(), QSslConfiguration::NextProtocolNegotiationStatus |
1073 | */ |
1074 | QSslConfiguration::NextProtocolNegotiationStatus QSslConfiguration::nextProtocolNegotiationStatus() const |
1075 | { |
1076 | return d->nextProtocolNegotiationStatus; |
1077 | } |
1078 | |
1079 | /*! |
1080 | Returns the default SSL configuration to be used in new SSL |
1081 | connections. |
1082 | |
1083 | The default SSL configuration consists of: |
1084 | |
1085 | \list |
1086 | \li no local certificate and no private key |
1087 | \li protocol \l{QSsl::SecureProtocols}{SecureProtocols} |
1088 | \li the system's default CA certificate list |
1089 | \li the cipher list equal to the list of the SSL libraries' |
1090 | supported SSL ciphers that are 128 bits or more |
1091 | \endlist |
1092 | |
1093 | \sa supportedCiphers(), setDefaultConfiguration() |
1094 | */ |
1095 | QSslConfiguration QSslConfiguration::defaultConfiguration() |
1096 | { |
1097 | return QSslConfigurationPrivate::defaultConfiguration(); |
1098 | } |
1099 | |
1100 | /*! |
1101 | Sets the default SSL configuration to be used in new SSL |
1102 | connections to be \a configuration. Existing connections are not |
1103 | affected by this call. |
1104 | |
1105 | \sa supportedCiphers(), defaultConfiguration() |
1106 | */ |
1107 | void QSslConfiguration::setDefaultConfiguration(const QSslConfiguration &configuration) |
1108 | { |
1109 | QSslConfigurationPrivate::setDefaultConfiguration(configuration); |
1110 | } |
1111 | |
1112 | #if QT_CONFIG(dtls) || defined(Q_QDOC) |
1113 | |
1114 | /*! |
1115 | This function returns true if DTLS cookie verification was enabled on a |
1116 | server-side socket. |
1117 | |
1118 | \sa setDtlsCookieVerificationEnabled() |
1119 | */ |
1120 | bool QSslConfiguration::dtlsCookieVerificationEnabled() const |
1121 | { |
1122 | return d->dtlsCookieEnabled; |
1123 | } |
1124 | |
1125 | /*! |
1126 | This function enables DTLS cookie verification when \a enable is true. |
1127 | |
1128 | \sa dtlsCookieVerificationEnabled() |
1129 | */ |
1130 | void QSslConfiguration::setDtlsCookieVerificationEnabled(bool enable) |
1131 | { |
1132 | d->dtlsCookieEnabled = enable; |
1133 | } |
1134 | |
1135 | /*! |
1136 | Returns the default DTLS configuration to be used in new DTLS |
1137 | connections. |
1138 | |
1139 | The default DTLS configuration consists of: |
1140 | |
1141 | \list |
1142 | \li no local certificate and no private key |
1143 | \li protocol DtlsV1_2OrLater |
1144 | \li the system's default CA certificate list |
1145 | \li the cipher list equal to the list of the SSL libraries' |
1146 | supported TLS 1.2 ciphers that use 128 or more secret bits |
1147 | for the cipher. |
1148 | \endlist |
1149 | |
1150 | \sa setDefaultDtlsConfiguration() |
1151 | */ |
1152 | QSslConfiguration QSslConfiguration::defaultDtlsConfiguration() |
1153 | { |
1154 | return QSslConfigurationPrivate::defaultDtlsConfiguration(); |
1155 | } |
1156 | |
1157 | /*! |
1158 | Sets the default DTLS configuration to be used in new DTLS |
1159 | connections to be \a configuration. Existing connections are not |
1160 | affected by this call. |
1161 | |
1162 | \sa defaultDtlsConfiguration() |
1163 | */ |
1164 | void QSslConfiguration::setDefaultDtlsConfiguration(const QSslConfiguration &configuration) |
1165 | { |
1166 | QSslConfigurationPrivate::setDefaultDtlsConfiguration(configuration); |
1167 | } |
1168 | |
1169 | #endif // dtls |
1170 | |
1171 | /*! |
1172 | \since 5.13 |
1173 | If \a enabled is true, client QSslSocket will send a certificate status request |
1174 | to its peer when initiating a handshake. During the handshake QSslSocket will |
1175 | verify the server's response. This value must be set before the handshake |
1176 | starts. |
1177 | |
1178 | \sa ocspStaplingEnabled() |
1179 | */ |
1180 | void QSslConfiguration::setOcspStaplingEnabled(bool enabled) |
1181 | { |
1182 | #if QT_CONFIG(ocsp) |
1183 | d->ocspStaplingEnabled = enabled; |
1184 | #else |
1185 | if (enabled) |
1186 | qCWarning(lcSsl, "Enabling OCSP-stapling requires the feature 'ocsp'"); |
1187 | #endif // ocsp |
1188 | } |
1189 | |
1190 | /*! |
1191 | \since 5.13 |
1192 | Returns true if OCSP stapling was enabled by setOCSPStaplingEnabled(), |
1193 | otherwise false (which is the default value). |
1194 | |
1195 | \sa setOcspStaplingEnabled() |
1196 | */ |
1197 | bool QSslConfiguration::ocspStaplingEnabled() const |
1198 | { |
1199 | return d->ocspStaplingEnabled; |
1200 | } |
1201 | |
1202 | /*! |
1203 | \since 6.0 |
1204 | |
1205 | Returns true if a verification callback will emit QSslSocket::handshakeInterruptedOnError() |
1206 | early, before concluding the handshake. |
1207 | |
1208 | \note This function always returns false for all backends but OpenSSL. |
1209 | |
1210 | \sa setHandshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake() |
1211 | */ |
1212 | bool QSslConfiguration::handshakeMustInterruptOnError() const |
1213 | { |
1214 | return d->reportFromCallback; |
1215 | } |
1216 | |
1217 | /*! |
1218 | \since 6.0 |
1219 | |
1220 | If \a interrupt is true and the underlying backend supports this option, |
1221 | errors found during certificate verification are reported immediately |
1222 | by emitting QSslSocket::handshakeInterruptedOnError(). This allows |
1223 | to stop the unfinished handshake and send a proper alert message to |
1224 | a peer. No special action is required from the application in this case. |
1225 | QSslSocket will close the connection after sending the alert message. |
1226 | If the application after inspecting the error wants to continue the |
1227 | handshake, it must call QSslSocket::continueInterruptedHandshake() |
1228 | from its slot function. The signal-slot connection must be direct. |
1229 | |
1230 | \note When interrupting handshake is enabled, errors that would otherwise |
1231 | be reported by QSslSocket::peerVerifyError() are instead only reported by |
1232 | QSslSocket::handshakeInterruptedOnError(). |
1233 | \note Even if the handshake was continued, these errors will be |
1234 | reported when emitting QSslSocket::sslErrors() signal (and thus must |
1235 | be ignored in the corresponding function slot). |
1236 | |
1237 | \sa handshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake() |
1238 | */ |
1239 | void QSslConfiguration::setHandshakeMustInterruptOnError(bool interrupt) |
1240 | { |
1241 | #if QT_CONFIG(openssl) |
1242 | d->reportFromCallback = interrupt; |
1243 | #else |
1244 | Q_UNUSED(interrupt); |
1245 | qCWarning(lcSsl, "This operation requires OpenSSL as TLS backend"); |
1246 | #endif |
1247 | } |
1248 | |
1249 | /*! |
1250 | \since 6.0 |
1251 | |
1252 | Returns true if errors with code QSslError::NoPeerCertificate |
1253 | cannot be ignored. |
1254 | |
1255 | \note Always returns false for all TLS backends but OpenSSL. |
1256 | |
1257 | \sa QSslSocket::ignoreSslErrors(), setMissingCertificateIsFatal() |
1258 | */ |
1259 | bool QSslConfiguration::missingCertificateIsFatal() const |
1260 | { |
1261 | return d->missingCertIsFatal; |
1262 | } |
1263 | |
1264 | /*! |
1265 | \since 6.0 |
1266 | |
1267 | If \a cannotRecover is true, and verification mode in use is |
1268 | QSslSocket::VerifyPeer or QSslSocket::AutoVerifyPeer (for a |
1269 | client-side socket), the missing peer's certificate would be |
1270 | treated as an unrecoverable error that cannot be ignored. A proper |
1271 | alert message will be sent to the peer before closing the connection. |
1272 | |
1273 | \note Only available if Qt was configured and built with OpenSSL backend. |
1274 | |
1275 | \sa QSslSocket::ignoreSslErrors(), QSslSocket::PeerVerifyMode, missingCertificateIsFatal() |
1276 | */ |
1277 | void QSslConfiguration::setMissingCertificateIsFatal(bool cannotRecover) |
1278 | { |
1279 | #if QT_CONFIG(openssl) |
1280 | d->missingCertIsFatal = cannotRecover; |
1281 | #else |
1282 | Q_UNUSED(cannotRecover); |
1283 | qCWarning(lcSsl, "Handling a missing certificate as a fatal error requires an OpenSSL backend"); |
1284 | #endif // openssl |
1285 | } |
1286 | |
1287 | /*! \internal |
1288 | */ |
1289 | bool QSslConfigurationPrivate::peerSessionWasShared(const QSslConfiguration &configuration) { |
1290 | return configuration.d->peerSessionShared; |
1291 | } |
1292 | |
1293 | QT_END_NAMESPACE |
1294 |
Definitions
- defaultSslOptions
- ALPNProtocolHTTP2
- NextProtocolHttp1_1
- QSslConfiguration
- QSslConfiguration
- ~QSslConfiguration
- operator=
- operator==
- isNull
- protocol
- setProtocol
- peerVerifyMode
- setPeerVerifyMode
- peerVerifyDepth
- setPeerVerifyDepth
- localCertificateChain
- setLocalCertificateChain
- localCertificate
- setLocalCertificate
- peerCertificate
- peerCertificateChain
- sessionCipher
- sessionProtocol
- privateKey
- setPrivateKey
- ciphers
- setCiphers
- setCiphers
- supportedCiphers
- caCertificates
- setCaCertificates
- addCaCertificates
- addCaCertificate
- addCaCertificates
- systemCaCertificates
- setSslOption
- testSslOption
- sessionTicket
- setSessionTicket
- sessionTicketLifeTimeHint
- ephemeralServerKey
- ellipticCurves
- setEllipticCurves
- supportedEllipticCurves
- preSharedKeyIdentityHint
- setPreSharedKeyIdentityHint
- diffieHellmanParameters
- setDiffieHellmanParameters
- backendConfiguration
- setBackendConfigurationOption
- setBackendConfiguration
- nextNegotiatedProtocol
- setAllowedNextProtocols
- allowedNextProtocols
- nextProtocolNegotiationStatus
- defaultConfiguration
- setDefaultConfiguration
- dtlsCookieVerificationEnabled
- setDtlsCookieVerificationEnabled
- defaultDtlsConfiguration
- setDefaultDtlsConfiguration
- setOcspStaplingEnabled
- ocspStaplingEnabled
- handshakeMustInterruptOnError
- setHandshakeMustInterruptOnError
- missingCertificateIsFatal
- setMissingCertificateIsFatal
Learn Advanced QML with KDAB
Find out more