qsslconfiguration.cpp source code [qtbase/src/network/ssl/qsslconfiguration.cpp]

1	// Copyright (C) 2016 The Qt Company Ltd.
2	// Copyright (C) 2014 BlackBerry Limited. All rights reserved.
3	// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
4
5	#include "qssl_p.h"
6	#include "qsslconfiguration.h"
7	#include "qsslconfiguration_p.h"
8	#include "qsslsocket.h"
9	#include "qsslsocket_p.h"
10	#include "qmutex.h"
11	#include "qdebug.h"
12
13	QT_BEGIN_NAMESPACE
14
15	QT_IMPL_METATYPE_EXTERN(QSslConfiguration)
16
17	const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
18	\|QSsl::SslOptionDisableLegacyRenegotiation
19	\|QSsl::SslOptionDisableCompression
20	\|QSsl::SslOptionDisableSessionPersistence;
21
22	const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2";
23	const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
24
25	/!*
26	\class QSslConfiguration
27	\brief The QSslConfiguration class holds the configuration and state of an SSL connection.
28	\since 4.4
29
30	\reentrant
31	\inmodule QtNetwork
32	\ingroup network
33	\ingroup ssl
34	\ingroup shared
35
36	QSslConfiguration is used by Qt networking classes to relay
37	information about an open SSL connection and to allow the
38	application to control certain features of that connection.
39
40	The settings that QSslConfiguration currently supports are:
41
42	\list
43	\li The SSL/TLS protocol to be used
44	\li The certificate to be presented to the peer during connection
45	and its associated private key
46	\li The ciphers allowed to be used for encrypting the connection
47	\li The list of Certificate Authorities certificates that are
48	used to validate the peer's certificate
49	\endlist
50
51	These settings are applied only during the connection
52	handshake. Setting them after the connection has been established
53	has no effect.
54
55	The state that QSslConfiguration supports are:
56	\list
57	\li The certificate the peer presented during handshake, along
58	with the chain leading to a CA certificate
59	\li The cipher used to encrypt this session
60	\endlist
61
62	The state can only be obtained once the SSL connection starts, but
63	not necessarily before it's done. Some settings may change during
64	the course of the SSL connection without need to restart it (for
65	instance, the cipher can be changed over time).
66
67	State in QSslConfiguration objects cannot be changed.
68
69	QSslConfiguration can be used with QSslSocket and the Network
70	Access API.
71
72	Note that changing settings in QSslConfiguration is not enough to
73	change the settings in the related SSL connection. You must call
74	setSslConfiguration on a modified QSslConfiguration object to
75	achieve that. The following example illustrates how to change the
76	protocol to TLSv1_2 in a QSslSocket object:
77
78	\snippet code/src_network_ssl_qsslconfiguration.cpp 0
79
80	\sa QSsl::SslProtocol, QSslCertificate, QSslCipher, QSslKey,
81	QSslSocket, QNetworkAccessManager,
82	QSslSocket::sslConfiguration(), QSslSocket::setSslConfiguration()
83	*/
84
85	/!*
86	\enum QSslConfiguration::NextProtocolNegotiationStatus
87
88	Describes the status of the Next Protocol Negotiation (NPN) or
89	Application-Layer Protocol Negotiation (ALPN).
90
91	\value NextProtocolNegotiationNone No application protocol
92	has been negotiated (yet).
93
94	\value NextProtocolNegotiationNegotiated A next protocol
95	has been negotiated (see nextNegotiatedProtocol()).
96
97	\value NextProtocolNegotiationUnsupported The client and
98	server could not agree on a common next application protocol.
99	*/
100
101	/!*
102	\variable QSslConfiguration::NextProtocolHttp1_1
103	\brief The value used for negotiating HTTP 1.1 during the Next
104	Protocol Negotiation.
105	*/
106
107	/!*
108	Constructs an empty SSL configuration. This configuration contains
109	no valid settings and the state will be empty. isNull() will
110	return true after this constructor is called.
111
112	Once any setter methods are called, isNull() will return false.
113	*/
114	QSslConfiguration::QSslConfiguration()
115	: d (new QSslConfigurationPrivate)
116	{
117	}
118
119	/!*
120	Copies the configuration and state of \a other. If \a other is
121	null, this object will be null too.
122	*/
123	QSslConfiguration::QSslConfiguration(const QSslConfiguration &other)
124	: d (other.d)
125	{
126	}
127
128	/!*
129	Releases any resources held by QSslConfiguration.
130	*/
131	QSslConfiguration::~QSslConfiguration()
132	{
133	// QSharedDataPointer deletes d for us if necessary
134	}
135
136	/!*
137	Copies the configuration and state of \a other. If \a other is
138	null, this object will be null too.
139	*/
140	QSslConfiguration &QSslConfiguration::operator=(const QSslConfiguration &other)
141	{
142	d = other.d;
143	return *this;
144	}
145
146	/!*
147	\fn void QSslConfiguration::swap(QSslConfiguration &other)
148	\since 5.0
149
150	Swaps this SSL configuration instance with \a other. This function
151	is very fast and never fails.
152	*/
153
154	/!*
155	Returns \c true if this QSslConfiguration object is equal to \a
156	other.
157
158	Two QSslConfiguration objects are considered equal if they have
159	the exact same settings and state.
160
161	\sa operator!=()
162	*/
163	bool QSslConfiguration::operator==(const QSslConfiguration &other) const
164	{
165	if (d == other.d)
166	return true;
167	return d ->peerCertificate == other.d ->peerCertificate &&
168	d ->peerCertificateChain == other.d ->peerCertificateChain &&
169	d ->localCertificateChain == other.d ->localCertificateChain &&
170	d ->privateKey == other.d ->privateKey &&
171	d ->sessionCipher == other.d ->sessionCipher &&
172	d ->sessionProtocol == other.d ->sessionProtocol &&
173	d ->preSharedKeyIdentityHint == other.d ->preSharedKeyIdentityHint &&
174	d ->ciphers == other.d ->ciphers &&
175	d ->ellipticCurves == other.d ->ellipticCurves &&
176	d ->ephemeralServerKey == other.d ->ephemeralServerKey &&
177	d ->dhParams == other.d ->dhParams &&
178	d ->caCertificates == other.d ->caCertificates &&
179	d ->protocol == other.d ->protocol &&
180	d ->peerVerifyMode == other.d ->peerVerifyMode &&
181	d ->peerVerifyDepth == other.d ->peerVerifyDepth &&
182	d ->allowRootCertOnDemandLoading == other.d ->allowRootCertOnDemandLoading &&
183	d ->backendConfig == other.d ->backendConfig &&
184	d ->sslOptions == other.d ->sslOptions &&
185	d ->sslSession == other.d ->sslSession &&
186	d ->sslSessionTicketLifeTimeHint == other.d ->sslSessionTicketLifeTimeHint &&
187	d ->nextAllowedProtocols == other.d ->nextAllowedProtocols &&
188	d ->nextNegotiatedProtocol == other.d ->nextNegotiatedProtocol &&
189	d ->nextProtocolNegotiationStatus == other.d ->nextProtocolNegotiationStatus &&
190	d ->dtlsCookieEnabled == other.d ->dtlsCookieEnabled &&
191	d ->ocspStaplingEnabled == other.d ->ocspStaplingEnabled &&
192	d ->reportFromCallback == other.d ->reportFromCallback &&
193	d ->missingCertIsFatal == other.d ->missingCertIsFatal;
194	}
195
196	/!*
197	\fn QSslConfiguration::operator!=(const QSslConfiguration &other) const
198
199	Returns \c true if this QSslConfiguration differs from \a other. Two
200	QSslConfiguration objects are considered different if any state or
201	setting is different.
202
203	\sa operator==()
204	*/
205
206	/!*
207	Returns \c true if this is a null QSslConfiguration object.
208
209	A QSslConfiguration object is null if it has been
210	default-constructed and no setter methods have been called.
211
212	\sa setProtocol(), setLocalCertificate(), setPrivateKey(),
213	setCiphers(), setCaCertificates()
214	*/
215	bool QSslConfiguration::isNull() const
216	{
217	return (d ->protocol == QSsl::SecureProtocols &&
218	d ->peerVerifyMode == QSslSocket::AutoVerifyPeer &&
219	d ->peerVerifyDepth == `0` &&
220	d ->allowRootCertOnDemandLoading == true &&
221	d ->caCertificates.size() == `0` &&
222	d ->ciphers.size() == `0` &&
223	d ->ellipticCurves.isEmpty() &&
224	d ->ephemeralServerKey.isNull() &&
225	d ->dhParams == QSslDiffieHellmanParameters::defaultParameters() &&
226	d ->localCertificateChain.isEmpty() &&
227	d ->privateKey.isNull() &&
228	d ->peerCertificate.isNull() &&
229	d ->peerCertificateChain.size() == `0` &&
230	d ->backendConfig.isEmpty() &&
231	d ->sslOptions == QSslConfigurationPrivate::defaultSslOptions &&
232	d ->sslSession.isNull() &&
233	d ->sslSessionTicketLifeTimeHint == -`1` &&
234	d ->preSharedKeyIdentityHint.isNull() &&
235	d ->nextAllowedProtocols.isEmpty() &&
236	d ->nextNegotiatedProtocol.isNull() &&
237	d ->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone &&
238	d ->ocspStaplingEnabled == false &&
239	d ->reportFromCallback == false &&
240	d ->missingCertIsFatal == false);
241	}
242
243	/!*
244	Returns the protocol setting for this SSL configuration.
245
246	\sa setProtocol()
247	*/
248	QSsl::SslProtocol QSslConfiguration::protocol() const
249	{
250	return d ->protocol;
251	}
252
253	/!*
254	Sets the protocol setting for this configuration to be \a
255	protocol.
256
257	Setting the protocol once the connection has already been
258	established has no effect.
259
260	\sa protocol()
261	*/
262	void QSslConfiguration::setProtocol(QSsl::SslProtocol protocol)
263	{
264	d ->protocol = protocol;
265	}
266
267	/!*
268	Returns the verify mode. This mode decides whether QSslSocket should
269	request a certificate from the peer (i.e., the client requests a
270	certificate from the server, or a server requesting a certificate from the
271	client), and whether it should require that this certificate is valid.
272
273	The default mode is AutoVerifyPeer, which tells QSslSocket to use
274	VerifyPeer for clients, QueryPeer for servers.
275
276	\sa setPeerVerifyMode()
277	*/
278	QSslSocket::PeerVerifyMode QSslConfiguration::peerVerifyMode() const
279	{
280	return d ->peerVerifyMode;
281	}
282
283	/!*
284	Sets the verify mode to \a mode. This mode decides whether QSslSocket
285	should request a certificate from the peer (i.e., the client requests a
286	certificate from the server, or a server requesting a certificate from the
287	client), and whether it should require that this certificate is valid.
288
289	The default mode is AutoVerifyPeer, which tells QSslSocket to use
290	VerifyPeer for clients, QueryPeer for servers.
291
292	\sa peerVerifyMode()
293	*/
294	void QSslConfiguration::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode)
295	{
296	d ->peerVerifyMode = mode;
297	}
298
299
300	/!*
301	Returns the maximum number of certificates in the peer's certificate chain
302	to be checked during the SSL handshake phase, or 0 (the default) if no
303	maximum depth has been set, indicating that the whole certificate chain
304	should be checked.
305
306	The certificates are checked in issuing order, starting with the peer's
307	own certificate, then its issuer's certificate, and so on.
308
309	\sa setPeerVerifyDepth(), peerVerifyMode()
310	*/
311	int QSslConfiguration::peerVerifyDepth() const
312	{
313	return d ->peerVerifyDepth;
314	}
315
316	/!*
317	Sets the maximum number of certificates in the peer's certificate chain to
318	be checked during the SSL handshake phase, to \a depth. Setting a depth of
319	0 means that no maximum depth is set, indicating that the whole
320	certificate chain should be checked.
321
322	The certificates are checked in issuing order, starting with the peer's
323	own certificate, then its issuer's certificate, and so on.
324
325	\sa peerVerifyDepth(), setPeerVerifyMode()
326	*/
327	void QSslConfiguration::setPeerVerifyDepth(int depth)
328	{
329	if (depth < `0`) {
330	qCWarning(lcSsl,
331	"QSslConfiguration::setPeerVerifyDepth: cannot set negative depth of %d", depth);
332	return;
333	}
334	d ->peerVerifyDepth = depth;
335	}
336
337	/!*
338	Returns the certificate chain to be presented to the peer during
339	the SSL handshake process.
340
341	\sa localCertificate()
342	\since 5.1
343	*/
344	QList<QSslCertificate> QSslConfiguration::localCertificateChain() const
345	{
346	return d ->localCertificateChain;
347	}
348
349	/!*
350	Sets the certificate chain to be presented to the peer during the
351	SSL handshake to be \a localChain.
352
353	Setting the certificate chain once the connection has been
354	established has no effect.
355
356	A certificate is the means of identification used in the SSL
357	process. The local certificate is used by the remote end to verify
358	the local user's identity against its list of Certification
359	Authorities. In most cases, such as in HTTP web browsing, only
360	servers identify to the clients, so the client does not send a
361	certificate.
362
363	Unlike QSslConfiguration::setLocalCertificate() this method allows
364	you to specify any intermediate certificates required in order to
365	validate your certificate. The first item in the list must be the
366	leaf certificate.
367
368	\sa localCertificateChain()
369	\since 5.1
370	*/
371	void QSslConfiguration::setLocalCertificateChain(const QList<QSslCertificate> &localChain)
372	{
373	d ->localCertificateChain = localChain;
374	}
375
376	/!*
377	Returns the certificate to be presented to the peer during the SSL
378	handshake process.
379
380	\sa setLocalCertificate()
381	*/
382	QSslCertificate QSslConfiguration::localCertificate() const
383	{
384	if (d ->localCertificateChain.isEmpty())
385	return QSslCertificate ();
386	return d ->localCertificateChain [`0`];
387	}
388
389	/!*
390	Sets the certificate to be presented to the peer during SSL
391	handshake to be \a certificate.
392
393	Setting the certificate once the connection has been established
394	has no effect.
395
396	A certificate is the means of identification used in the SSL
397	process. The local certificate is used by the remote end to verify
398	the local user's identity against its list of Certification
399	Authorities. In most cases, such as in HTTP web browsing, only
400	servers identify to the clients, so the client does not send a
401	certificate.
402
403	\sa localCertificate()
404	*/
405	void QSslConfiguration::setLocalCertificate(const QSslCertificate &certificate)
406	{
407	d ->localCertificateChain = QList<QSslCertificate>();
408	d ->localCertificateChain += certificate;
409	}
410
411	/!*
412	Returns the peer's digital certificate (i.e., the immediate
413	certificate of the host you are connected to), or a null
414	certificate, if the peer has not assigned a certificate.
415
416	The peer certificate is checked automatically during the
417	handshake phase, so this function is normally used to fetch
418	the certificate for display or for connection diagnostic
419	purposes. It contains information about the peer, including
420	its host name, the certificate issuer, and the peer's public
421	key.
422
423	Because the peer certificate is set during the handshake phase, it
424	is safe to access the peer certificate from a slot connected to
425	the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors()
426	signal, or the QSslSocket::encrypted() signal.
427
428	If a null certificate is returned, it can mean the SSL handshake
429	failed, or it can mean the host you are connected to doesn't have
430	a certificate, or it can mean there is no connection.
431
432	If you want to check the peer's complete chain of certificates,
433	use peerCertificateChain() to get them all at once.
434
435	\sa peerCertificateChain(),
436	QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(),
437	QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
438	*/
439	QSslCertificate QSslConfiguration::peerCertificate() const
440	{
441	return d ->peerCertificate;
442	}
443
444	/!*
445	Returns the peer's chain of digital certificates, starting with
446	the peer's immediate certificate and ending with the CA's
447	certificate.
448
449	Peer certificates are checked automatically during the handshake
450	phase. This function is normally used to fetch certificates for
451	display, or for performing connection diagnostics. Certificates
452	contain information about the peer and the certificate issuers,
453	including host name, issuer names, and issuer public keys.
454
455	Because the peer certificate is set during the handshake phase, it
456	is safe to access the peer certificate from a slot connected to
457	the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors()
458	signal, or the QSslSocket::encrypted() signal.
459
460	If an empty list is returned, it can mean the SSL handshake
461	failed, or it can mean the host you are connected to doesn't have
462	a certificate, or it can mean there is no connection.
463
464	If you want to get only the peer's immediate certificate, use
465	peerCertificate().
466
467	\sa peerCertificate(),
468	QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(),
469	QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
470	*/
471	QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const
472	{
473	return d ->peerCertificateChain;
474	}
475
476	/!*
477	Returns the socket's cryptographic \l {QSslCipher} {cipher}, or a
478	null cipher if the connection isn't encrypted. The socket's cipher
479	for the session is set during the handshake phase. The cipher is
480	used to encrypt and decrypt data transmitted through the socket.
481
482	The SSL infrastructure also provides functions for setting the
483	ordered list of ciphers from which the handshake phase will
484	eventually select the session cipher. This ordered list must be in
485	place before the handshake phase begins.
486
487	\sa ciphers(), setCiphers(), supportedCiphers()
488	*/
489	QSslCipher QSslConfiguration::sessionCipher() const
490	{
491	return d ->sessionCipher;
492	}
493
494	/!*
495	Returns the socket's SSL/TLS protocol or UnknownProtocol if the
496	connection isn't encrypted. The socket's protocol for the session
497	is set during the handshake phase.
498
499	\sa protocol(), setProtocol()
500	\since 5.4
501	*/
502	QSsl::SslProtocol QSslConfiguration::sessionProtocol() const
503	{
504	return d ->sessionProtocol;
505	}
506
507	/!*
508	Returns the \l {QSslKey} {SSL key} assigned to this connection or
509	a null key if none has been assigned yet.
510
511	\sa setPrivateKey(), localCertificate()
512	*/
513	QSslKey QSslConfiguration::privateKey() const
514	{
515	return d ->privateKey;
516	}
517
518	/!*
519	Sets the connection's private \l {QSslKey} {key} to \a key. The
520	private key and the local \l {QSslCertificate} {certificate} are
521	used by clients and servers that must prove their identity to
522	SSL peers.
523
524	Both the key and the local certificate are required if you are
525	creating an SSL server socket. If you are creating an SSL client
526	socket, the key and local certificate are required if your client
527	must identify itself to an SSL server.
528
529	\sa privateKey(), setLocalCertificate()
530	*/
531	void QSslConfiguration::setPrivateKey(const QSslKey &key)
532	{
533	d ->privateKey = key;
534	}
535
536	/!*
537	Returns this connection's current cryptographic cipher suite. This
538	list is used during the handshake phase for choosing a
539	session cipher. The returned list of ciphers is ordered by
540	descending preference. (i.e., the first cipher in the list is the
541	most preferred cipher). The session cipher will be the first one
542	in the list that is also supported by the peer.
543
544	By default, the handshake phase can choose any of the ciphers
545	supported by this system's SSL libraries, which may vary from
546	system to system. The list of ciphers supported by this system's
547	SSL libraries is returned by supportedCiphers(). You can restrict
548	the list of ciphers used for choosing the session cipher for this
549	socket by calling setCiphers() with a subset of the supported
550	ciphers. You can revert to using the entire set by calling
551	setCiphers() with the list returned by supportedCiphers().
552
553	\note This is not currently supported in the Schannel backend.
554
555	\sa setCiphers(), supportedCiphers()
556	*/
557	QList<QSslCipher> QSslConfiguration::ciphers() const
558	{
559	return d ->ciphers;
560	}
561
562	/!*
563	Sets the cryptographic cipher suite for this socket to \a ciphers,
564	which must contain a subset of the ciphers in the list returned by
565	supportedCiphers().
566
567	Restricting the cipher suite must be done before the handshake
568	phase, where the session cipher is chosen.
569
570	\note This is not currently supported in the Schannel backend.
571
572	\sa ciphers(), supportedCiphers()
573	*/
574	void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers)
575	{
576	d ->ciphers = ciphers;
577	}
578
579	/!*
580	\since 6.0
581
582	Sets the cryptographic cipher suite for this configuration to \a ciphers,
583	which is a colon-separated list of cipher suite names. The ciphers are listed
584	in order of preference, starting with the most preferred cipher. For example:
585
586	\snippet code/src_network_ssl_qsslconfiguration.cpp 1
587
588	Each cipher name in \a ciphers must be the name of a cipher in the
589	list returned by supportedCiphers(). Restricting the cipher suite
590	must be done before the handshake phase, where the session cipher
591	is chosen.
592
593	\note This is not currently supported in the Schannel backend.
594
595	\sa ciphers()
596	*/
597	void QSslConfiguration::setCiphers(const QString &ciphers)
598	{
599	auto *p = d.data();
600	p->ciphers.clear();
601	const auto cipherNames = ciphers.split(sep: u`':'`, behavior: Qt::SkipEmptyParts);
602	for (const QString &cipherName : cipherNames) {
603	QSslCipher cipher(cipherName);
604	if (!cipher.isNull())
605	p->ciphers << cipher;
606	}
607	}
608
609	/!*
610	\since 5.5
611
612	Returns the list of cryptographic ciphers supported by this
613	system. This list is set by the system's SSL libraries and may
614	vary from system to system.
615
616	\sa ciphers(), setCiphers()
617	*/
618	QList<QSslCipher> QSslConfiguration::supportedCiphers()
619	{
620	return QSslSocketPrivate::supportedCiphers();
621	}
622
623	/!*
624	Returns this connection's CA certificate database. The CA certificate
625	database is used by the socket during the handshake phase to
626	validate the peer's certificate. It can be modified prior to the
627	handshake with setCaCertificates(), or with addCaCertificate() and
628	addCaCertificates().
629
630	\sa setCaCertificates(), addCaCertificate(), addCaCertificates()
631	*/
632	QList<QSslCertificate> QSslConfiguration::caCertificates() const
633	{
634	return d ->caCertificates;
635	}
636
637	/!*
638	Sets this socket's CA certificate database to be \a certificates.
639	The certificate database must be set prior to the SSL handshake.
640	The CA certificate database is used by the socket during the
641	handshake phase to validate the peer's certificate.
642
643	\note The default configuration uses the system CA certificate database. If
644	that is not available (as is commonly the case on iOS), the default database
645	is empty.
646
647	\sa caCertificates(), addCaCertificates(), addCaCertificate()
648	*/
649	void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates)
650	{
651	d ->caCertificates = certificates;
652	d ->allowRootCertOnDemandLoading = false;
653	}
654
655	/!*
656	\since 5.15
657
658	Searches all files in the \a path for certificates encoded in the
659	specified \a format and adds them to this socket's CA certificate
660	database. \a path must be a file or a pattern matching one or more
661	files, as specified by \a syntax. Returns \c true if one or more
662	certificates are added to the socket's CA certificate database;
663	otherwise returns \c false.
664
665	The CA certificate database is used by the socket during the
666	handshake phase to validate the peer's certificate.
667
668	For more precise control, use addCaCertificate().
669
670	\sa addCaCertificate(), QSslCertificate::fromPath()
671	*/
672	bool QSslConfiguration::addCaCertificates(const QString &path, QSsl::EncodingFormat format,
673	QSslCertificate::PatternSyntax syntax)
674	{
675	QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax);
676	if (certs.isEmpty())
677	return false;
678
679	d ->caCertificates += certs;
680	return true;
681	}
682
683	/!*
684	\since 5.15
685
686	Adds \a certificate to this configuration's CA certificate database.
687	The certificate database must be set prior to the SSL handshake.
688	The CA certificate database is used by the socket during the
689	handshake phase to validate the peer's certificate.
690
691	\note The default configuration uses the system CA certificate database. If
692	that is not available (as is commonly the case on iOS), the default database
693	is empty.
694
695	\sa caCertificates(), setCaCertificates(), addCaCertificates()
696	*/
697	void QSslConfiguration::addCaCertificate(const QSslCertificate &certificate)
698	{
699	d ->caCertificates += certificate;
700	d ->allowRootCertOnDemandLoading = false;
701	}
702
703	/!*
704	\since 5.15
705
706	Adds \a certificates to this configuration's CA certificate database.
707	The certificate database must be set prior to the SSL handshake.
708	The CA certificate database is used by the socket during the
709	handshake phase to validate the peer's certificate.
710
711	\note The default configuration uses the system CA certificate database. If
712	that is not available (as is commonly the case on iOS), the default database
713	is empty.
714
715	\sa caCertificates(), setCaCertificates(), addCaCertificate()
716	*/
717	void QSslConfiguration::addCaCertificates(const QList<QSslCertificate> &certificates)
718	{
719	d ->caCertificates += certificates;
720	d ->allowRootCertOnDemandLoading = false;
721	}
722
723	/!*
724	\since 5.5
725
726	This function provides the CA certificate database
727	provided by the operating system. The CA certificate database
728	returned by this function is used to initialize the database
729	returned by caCertificates() on the default QSslConfiguration.
730
731	\sa caCertificates(), setCaCertificates(), defaultConfiguration(),
732	addCaCertificate(), addCaCertificates()
733	*/
734	QList<QSslCertificate> QSslConfiguration::systemCaCertificates()
735	{
736	// we are calling ensureInitialized() in the method below
737	return QSslSocketPrivate::systemCaCertificates();
738	}
739
740	/!*
741	Enables or disables an SSL compatibility \a option. If \a on
742	is true, the \a option is enabled. If \a on is false, the
743	\a option is disabled.
744
745	\sa testSslOption()
746	*/
747	void QSslConfiguration::setSslOption(QSsl::SslOption option, bool on)
748	{
749	d ->sslOptions.setFlag(flag: option, on);
750	}
751
752	/!*
753	\since 4.8
754
755	Returns \c true if the specified SSL compatibility \a option is enabled.
756
757	\sa setSslOption()
758	*/
759	bool QSslConfiguration::testSslOption(QSsl::SslOption option) const
760	{
761	return d ->sslOptions & option;
762	}
763
764	/!*
765	\since 5.2
766
767	If QSsl::SslOptionDisableSessionPersistence was turned off, this
768	function returns the session ticket used in the SSL handshake in ASN.1
769	format, suitable to e.g. be persisted to disk. If no session ticket was
770	used or QSsl::SslOptionDisableSessionPersistence was not turned off,
771	this function returns an empty QByteArray.
772
773	\note When persisting the session ticket to disk or similar, be
774	careful not to expose the session to a potential attacker, as
775	knowledge of the session allows for eavesdropping on data
776	encrypted with the session parameters.
777
778	\sa setSessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
779	*/
780	QByteArray QSslConfiguration::sessionTicket() const
781	{
782	return d ->sslSession;
783	}
784
785	/!*
786	\since 5.2
787
788	Sets the session ticket to be used in an SSL handshake.
789	QSsl::SslOptionDisableSessionPersistence must be turned off
790	for this to work, and \a sessionTicket must be in ASN.1 format
791	as returned by sessionTicket().
792
793	\sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
794	*/
795	void QSslConfiguration::setSessionTicket(const QByteArray &sessionTicket)
796	{
797	d ->sslSession = sessionTicket;
798	}
799
800	/!*
801	\since 5.2
802
803	If QSsl::SslOptionDisableSessionPersistence was turned off, this
804	function returns the session ticket life time hint sent by the
805	server (which might be 0).
806	If the server did not send a session ticket (e.g. when
807	resuming a session or when the server does not support it) or
808	QSsl::SslOptionDisableSessionPersistence was not turned off,
809	this function returns -1.
810
811	\sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
812	*/
813	int QSslConfiguration::sessionTicketLifeTimeHint() const
814	{
815	return d ->sslSessionTicketLifeTimeHint;
816	}
817
818	/!*
819	\since 5.7
820
821	Returns the ephemeral server key used for cipher algorithms
822	with forward secrecy, e.g. DHE-RSA-AES128-SHA.
823
824	The ephemeral key is only available when running in client mode, i.e.
825	QSslSocket::SslClientMode. When running in server mode or using a
826	cipher algorithm without forward secrecy a null key is returned.
827	The ephemeral server key will be set before emitting the encrypted()
828	signal.
829	*/
830	QSslKey QSslConfiguration::ephemeralServerKey() const
831	{
832	return d ->ephemeralServerKey;
833	}
834
835	/!*
836	\since 5.5
837
838	Returns this connection's current list of elliptic curves. This
839	list is used during the handshake phase for choosing an
840	elliptic curve (when using an elliptic curve cipher).
841	The returned list of curves is ordered by descending preference
842	(i.e., the first curve in the list is the most preferred one).
843
844	By default, the handshake phase can choose any of the curves
845	supported by this system's SSL libraries, which may vary from
846	system to system. The list of curves supported by this system's
847	SSL libraries is returned by QSslSocket::supportedEllipticCurves().
848
849	You can restrict the list of curves used for choosing the session cipher
850	for this socket by calling setEllipticCurves() with a subset of the
851	supported ciphers. You can revert to using the entire set by calling
852	setEllipticCurves() with the list returned by
853	QSslSocket::supportedEllipticCurves().
854
855	\sa setEllipticCurves
856	*/
857	QList<QSslEllipticCurve> QSslConfiguration::ellipticCurves() const
858	{
859	return d ->ellipticCurves;
860	}
861
862	/!*
863	\since 5.5
864
865	Sets the list of elliptic curves to be used by this socket to \a curves,
866	which must contain a subset of the curves in the list returned by
867	supportedEllipticCurves().
868
869	Restricting the elliptic curves must be done before the handshake
870	phase, where the session cipher is chosen.
871
872	\sa ellipticCurves
873	*/
874	void QSslConfiguration::setEllipticCurves(const QList<QSslEllipticCurve> &curves)
875	{
876	d ->ellipticCurves = curves;
877	}
878
879	/!*
880	\since 5.5
881
882	Returns the list of elliptic curves supported by this
883	system. This list is set by the system's SSL libraries and may
884	vary from system to system.
885
886	\sa ellipticCurves(), setEllipticCurves()
887	*/
888	QList<QSslEllipticCurve> QSslConfiguration::supportedEllipticCurves()
889	{
890	return QSslSocketPrivate::supportedEllipticCurves();
891	}
892
893	/!*
894	\since 5.8
895
896	Returns the identity hint.
897
898	\sa setPreSharedKeyIdentityHint()
899	*/
900	QByteArray QSslConfiguration::preSharedKeyIdentityHint() const
901	{
902	return d ->preSharedKeyIdentityHint;
903	}
904
905	/!*
906	\since 5.8
907
908	Sets the identity hint for a preshared key authentication to \a hint. This will
909	affect the next initiated handshake; calling this function on an already-encrypted
910	socket will not affect the socket's identity hint.
911
912	The identity hint is used in QSslSocket::SslServerMode only!
913	*/
914	void QSslConfiguration::setPreSharedKeyIdentityHint(const QByteArray &hint)
915	{
916	d ->preSharedKeyIdentityHint = hint;
917	}
918
919	/!*
920	\since 5.8
921
922	Retrieves the current set of Diffie-Hellman parameters.
923
924	If no Diffie-Hellman parameters have been set, the QSslConfiguration object
925	defaults to using the 2048-bit MODP group from RFC 3526.
926
927	\note The default parameters may change in future Qt versions.
928	Please check the documentation of the \e{exact Qt version} that you
929	are using in order to know what defaults that version uses.
930	*/
931	QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const
932	{
933	return d ->dhParams;
934	}
935
936	/!*
937	\since 5.8
938
939	Sets a custom set of Diffie-Hellman parameters to be used by this socket when functioning as
940	a server to \a dhparams.
941
942	If no Diffie-Hellman parameters have been set, the QSslConfiguration object
943	defaults to using the 2048-bit MODP group from RFC 3526.
944
945	\note The default parameters may change in future Qt versions.
946	Please check the documentation of the \e{exact Qt version} that you
947	are using in order to know what defaults that version uses.
948	*/
949	void QSslConfiguration::setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams)
950	{
951	d ->dhParams = dhparams;
952	}
953
954	/!*
955	\since 5.11
956
957	Returns the backend-specific configuration.
958
959	Only options set by setBackendConfigurationOption() or setBackendConfiguration() will be
960	returned. The internal standard configuration of the backend is not reported.
961
962	\sa setBackendConfigurationOption(), setBackendConfiguration()
963	*/
964	QMap<QByteArray, QVariant> QSslConfiguration::backendConfiguration() const
965	{
966	return d ->backendConfig;
967	}
968
969	/!*
970	\since 5.11
971
972	Sets the option \a name in the backend-specific configuration to \a value.
973
974	Options supported by the OpenSSL (>= 1.0.2) backend are available in the \l
975	{https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS}
976	{supported configuration file commands} documentation. The expected type for
977	the \a value parameter is a QByteArray for all options. The \l
978	{https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#EXAMPLES}{examples}
979	show how to use some of the options.
980
981	\note The backend-specific configuration will be applied after the general
982	configuration. Using the backend-specific configuration to set a general
983	configuration option again will overwrite the general configuration option.
984
985	\sa backendConfiguration(), setBackendConfiguration()
986	*/
987	void QSslConfiguration::setBackendConfigurationOption(const QByteArray &name, const QVariant &value)
988	{
989	d ->backendConfig [name] = value;
990	}
991
992	/!*
993	\since 5.11
994
995	Sets or clears the backend-specific configuration.
996
997	Without a \a backendConfiguration parameter this function will clear the
998	backend-specific configuration. More information about the supported
999	options is available in the documentation of setBackendConfigurationOption().
1000
1001	\sa backendConfiguration(), setBackendConfigurationOption()
1002	*/
1003	void QSslConfiguration::setBackendConfiguration(const QMap<QByteArray, QVariant> &backendConfiguration)
1004	{
1005	d ->backendConfig = backendConfiguration;
1006	}
1007
1008	/!*
1009	\since 5.3
1010
1011	This function returns the protocol negotiated with the server
1012	if the Next Protocol Negotiation (NPN) or Application-Layer Protocol
1013	Negotiation (ALPN) TLS extension was enabled.
1014	In order for the NPN/ALPN extension to be enabled, setAllowedNextProtocols()
1015	needs to be called explicitly before connecting to the server.
1016
1017	If no protocol could be negotiated or the extension was not enabled,
1018	this function returns a QByteArray which is null.
1019
1020	\sa setAllowedNextProtocols(), nextProtocolNegotiationStatus()
1021	*/
1022	QByteArray QSslConfiguration::nextNegotiatedProtocol() const
1023	{
1024	return d ->nextNegotiatedProtocol;
1025	}
1026
1027	/!*
1028	\since 5.3
1029
1030	This function sets the allowed \a protocols to be negotiated with the
1031	server through the Next Protocol Negotiation (NPN) or Application-Layer
1032	Protocol Negotiation (ALPN) TLS extension; each
1033	element in \a protocols must define one allowed protocol.
1034	The function must be called explicitly before connecting to send the NPN/ALPN
1035	extension in the SSL handshake.
1036	Whether or not the negotiation succeeded can be queried through
1037	nextProtocolNegotiationStatus().
1038
1039	\sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
1040	*/
1041	void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols)
1042	{
1043	d ->nextAllowedProtocols = protocols;
1044	}
1045
1046	/!*
1047	\since 5.3
1048
1049	This function returns the allowed protocols to be negotiated with the
1050	server through the Next Protocol Negotiation (NPN) or Application-Layer
1051	Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols().
1052
1053	\sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
1054	*/
1055	QList<QByteArray> QSslConfiguration::allowedNextProtocols() const
1056	{
1057	return d ->nextAllowedProtocols;
1058	}
1059
1060	/!*
1061	\since 5.3
1062
1063	This function returns the status of the Next Protocol Negotiation (NPN)
1064	or Application-Layer Protocol Negotiation (ALPN).
1065	If the feature has not been enabled through setAllowedNextProtocols(),
1066	this function returns NextProtocolNegotiationNone.
1067	The status will be set before emitting the encrypted() signal.
1068
1069	\sa setAllowedNextProtocols(), allowedNextProtocols(), nextNegotiatedProtocol(), QSslConfiguration::NextProtocolNegotiationStatus
1070	*/
1071	QSslConfiguration::NextProtocolNegotiationStatus QSslConfiguration::nextProtocolNegotiationStatus() const
1072	{
1073	return d ->nextProtocolNegotiationStatus;
1074	}
1075
1076	/!*
1077	Returns the default SSL configuration to be used in new SSL
1078	connections.
1079
1080	The default SSL configuration consists of:
1081
1082	\list
1083	\li no local certificate and no private key
1084	\li protocol \l{QSsl::SecureProtocols}{SecureProtocols}
1085	\li the system's default CA certificate list
1086	\li the cipher list equal to the list of the SSL libraries'
1087	supported SSL ciphers that are 128 bits or more
1088	\endlist
1089
1090	\sa supportedCiphers(), setDefaultConfiguration()
1091	*/
1092	QSslConfiguration QSslConfiguration::defaultConfiguration()
1093	{
1094	return QSslConfigurationPrivate::defaultConfiguration();
1095	}
1096
1097	/!*
1098	Sets the default SSL configuration to be used in new SSL
1099	connections to be \a configuration. Existing connections are not
1100	affected by this call.
1101
1102	\sa supportedCiphers(), defaultConfiguration()
1103	*/
1104	void QSslConfiguration::setDefaultConfiguration(const QSslConfiguration &configuration)
1105	{
1106	QSslConfigurationPrivate::setDefaultConfiguration(configuration);
1107	}
1108
1109	#if QT_CONFIG(dtls) \|\| defined(Q_QDOC)
1110
1111	/!*
1112	This function returns true if DTLS cookie verification was enabled on a
1113	server-side socket.
1114
1115	\sa setDtlsCookieVerificationEnabled()
1116	*/
1117	bool QSslConfiguration::dtlsCookieVerificationEnabled() const
1118	{
1119	return d ->dtlsCookieEnabled;
1120	}
1121
1122	/!*
1123	This function enables DTLS cookie verification when \a enable is true.
1124
1125	\sa dtlsCookieVerificationEnabled()
1126	*/
1127	void QSslConfiguration::setDtlsCookieVerificationEnabled(bool enable)
1128	{
1129	d ->dtlsCookieEnabled = enable;
1130	}
1131
1132	/!*
1133	Returns the default DTLS configuration to be used in new DTLS
1134	connections.
1135
1136	The default DTLS configuration consists of:
1137
1138	\list
1139	\li no local certificate and no private key
1140	\li protocol DtlsV1_2OrLater
1141	\li the system's default CA certificate list
1142	\li the cipher list equal to the list of the SSL libraries'
1143	supported TLS 1.2 ciphers that use 128 or more secret bits
1144	for the cipher.
1145	\endlist
1146
1147	\sa setDefaultDtlsConfiguration()
1148	*/
1149	QSslConfiguration QSslConfiguration::defaultDtlsConfiguration()
1150	{
1151	return QSslConfigurationPrivate::defaultDtlsConfiguration();
1152	}
1153
1154	/!*
1155	Sets the default DTLS configuration to be used in new DTLS
1156	connections to be \a configuration. Existing connections are not
1157	affected by this call.
1158
1159	\sa defaultDtlsConfiguration()
1160	*/
1161	void QSslConfiguration::setDefaultDtlsConfiguration(const QSslConfiguration &configuration)
1162	{
1163	QSslConfigurationPrivate::setDefaultDtlsConfiguration(configuration);
1164	}
1165
1166	#endif // dtls
1167
1168	/!*
1169	\since 5.13
1170	If \a enabled is true, client QSslSocket will send a certificate status request
1171	to its peer when initiating a handshake. During the handshake QSslSocket will
1172	verify the server's response. This value must be set before the handshake
1173	starts.
1174
1175	\sa ocspStaplingEnabled()
1176	*/
1177	void QSslConfiguration::setOcspStaplingEnabled(bool enabled)
1178	{
1179	#if QT_CONFIG(ocsp)
1180	d ->ocspStaplingEnabled = enabled;
1181	#else
1182	if (enabled)
1183	qCWarning(lcSsl, "Enabling OCSP-stapling requires the feature 'ocsp'");
1184	#endif // ocsp
1185	}
1186
1187	/!*
1188	\since 5.13
1189	Returns true if OCSP stapling was enabled by setOCSPStaplingEnabled(),
1190	otherwise false (which is the default value).
1191
1192	\sa setOcspStaplingEnabled()
1193	*/
1194	bool QSslConfiguration::ocspStaplingEnabled() const
1195	{
1196	return d ->ocspStaplingEnabled;
1197	}
1198
1199	/!*
1200	\since 6.0
1201
1202	Returns true if a verification callback will emit QSslSocket::handshakeInterruptedOnError()
1203	early, before concluding the handshake.
1204
1205	\note This function always returns false for all backends but OpenSSL.
1206
1207	\sa setHandshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake()
1208	*/
1209	bool QSslConfiguration::handshakeMustInterruptOnError() const
1210	{
1211	return d ->reportFromCallback;
1212	}
1213
1214	/!*
1215	\since 6.0
1216
1217	If \a interrupt is true and the underlying backend supports this option,
1218	errors found during certificate verification are reported immediately
1219	by emitting QSslSocket::handshakeInterruptedOnError(). This allows
1220	to stop the unfinished handshake and send a proper alert message to
1221	a peer. No special action is required from the application in this case.
1222	QSslSocket will close the connection after sending the alert message.
1223	If the application after inspecting the error wants to continue the
1224	handshake, it must call QSslSocket::continueInterruptedHandshake()
1225	from its slot function. The signal-slot connection must be direct.
1226
1227	\note When interrupting handshake is enabled, errors that would otherwise
1228	be reported by QSslSocket::peerVerifyError() are instead only reported by
1229	QSslSocket::handshakeInterruptedOnError().
1230	\note Even if the handshake was continued, these errors will be
1231	reported when emitting QSslSocket::sslErrors() signal (and thus must
1232	be ignored in the corresponding function slot).
1233
1234	\sa handshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake()
1235	*/
1236	void QSslConfiguration::setHandshakeMustInterruptOnError(bool interrupt)
1237	{
1238	#if QT_CONFIG(openssl)
1239	d ->reportFromCallback = interrupt;
1240	#else
1241	Q_UNUSED(interrupt);
1242	qCWarning(lcSsl, "This operation requires OpenSSL as TLS backend");
1243	#endif
1244	}
1245
1246	/!*
1247	\since 6.0
1248
1249	Returns true if errors with code QSslError::NoPeerCertificate
1250	cannot be ignored.
1251
1252	\note Always returns false for all TLS backends but OpenSSL.
1253
1254	\sa QSslSocket::ignoreSslErrors(), setMissingCertificateIsFatal()
1255	*/
1256	bool QSslConfiguration::missingCertificateIsFatal() const
1257	{
1258	return d ->missingCertIsFatal;
1259	}
1260
1261	/!*
1262	\since 6.0
1263
1264	If \a cannotRecover is true, and verification mode in use is
1265	QSslSocket::VerifyPeer or QSslSocket::AutoVerifyPeer (for a
1266	client-side socket), the missing peer's certificate would be
1267	treated as an unrecoverable error that cannot be ignored. A proper
1268	alert message will be sent to the peer before closing the connection.
1269
1270	\note Only available if Qt was configured and built with OpenSSL backend.
1271
1272	\sa QSslSocket::ignoreSslErrors(), QSslSocket::PeerVerifyMode, missingCertificateIsFatal()
1273	*/
1274	void QSslConfiguration::setMissingCertificateIsFatal(bool cannotRecover)
1275	{
1276	#if QT_CONFIG(openssl)
1277	d ->missingCertIsFatal = cannotRecover;
1278	#else
1279	Q_UNUSED(cannotRecover);
1280	qCWarning(lcSsl, "Handling a missing certificate as a fatal error requires an OpenSSL backend");
1281	#endif // openssl
1282	}
1283
1284	/! \internal*
1285	*/
1286	bool QSslConfigurationPrivate::peerSessionWasShared(const QSslConfiguration &configuration) {
1287	return configuration.d ->peerSessionShared;
1288	}
1289
1290	QT_END_NAMESPACE
1291

source code of qtbase/src/network/ssl/qsslconfiguration.cpp