1// Copyright (C) 2016 The Qt Company Ltd.
2// Copyright (C) 2014 BlackBerry Limited. All rights reserved.
3// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
4
5#include "qssl_p.h"
6#include "qsslconfiguration.h"
7#include "qsslconfiguration_p.h"
8#include "qsslsocket.h"
9#include "qsslsocket_p.h"
10#include "qmutex.h"
11#include "qdebug.h"
12
13QT_BEGIN_NAMESPACE
14
15QT_IMPL_METATYPE_EXTERN(QSslConfiguration)
16
17const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
18 |QSsl::SslOptionDisableLegacyRenegotiation
19 |QSsl::SslOptionDisableCompression
20 |QSsl::SslOptionDisableSessionPersistence;
21
22const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2";
23const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
24
25/*!
26 \class QSslConfiguration
27 \brief The QSslConfiguration class holds the configuration and state of an SSL connection.
28 \since 4.4
29
30 \reentrant
31 \inmodule QtNetwork
32 \ingroup network
33 \ingroup ssl
34 \ingroup shared
35
36 QSslConfiguration is used by Qt networking classes to relay
37 information about an open SSL connection and to allow the
38 application to control certain features of that connection.
39
40 The settings that QSslConfiguration currently supports are:
41
42 \list
43 \li The SSL/TLS protocol to be used
44 \li The certificate to be presented to the peer during connection
45 and its associated private key
46 \li The ciphers allowed to be used for encrypting the connection
47 \li The list of Certificate Authorities certificates that are
48 used to validate the peer's certificate
49 \endlist
50
51 These settings are applied only during the connection
52 handshake. Setting them after the connection has been established
53 has no effect.
54
55 The state that QSslConfiguration supports are:
56 \list
57 \li The certificate the peer presented during handshake, along
58 with the chain leading to a CA certificate
59 \li The cipher used to encrypt this session
60 \endlist
61
62 The state can only be obtained once the SSL connection starts, but
63 not necessarily before it's done. Some settings may change during
64 the course of the SSL connection without need to restart it (for
65 instance, the cipher can be changed over time).
66
67 State in QSslConfiguration objects cannot be changed.
68
69 QSslConfiguration can be used with QSslSocket and the Network
70 Access API.
71
72 Note that changing settings in QSslConfiguration is not enough to
73 change the settings in the related SSL connection. You must call
74 setSslConfiguration on a modified QSslConfiguration object to
75 achieve that. The following example illustrates how to change the
76 protocol to TLSv1_2 in a QSslSocket object:
77
78 \snippet code/src_network_ssl_qsslconfiguration.cpp 0
79
80 \sa QSsl::SslProtocol, QSslCertificate, QSslCipher, QSslKey,
81 QSslSocket, QNetworkAccessManager,
82 QSslSocket::sslConfiguration(), QSslSocket::setSslConfiguration()
83*/
84
85/*!
86 \enum QSslConfiguration::NextProtocolNegotiationStatus
87
88 Describes the status of the Next Protocol Negotiation (NPN) or
89 Application-Layer Protocol Negotiation (ALPN).
90
91 \value NextProtocolNegotiationNone No application protocol
92 has been negotiated (yet).
93
94 \value NextProtocolNegotiationNegotiated A next protocol
95 has been negotiated (see nextNegotiatedProtocol()).
96
97 \value NextProtocolNegotiationUnsupported The client and
98 server could not agree on a common next application protocol.
99*/
100
101/*!
102 \variable QSslConfiguration::NextProtocolHttp1_1
103 \brief The value used for negotiating HTTP 1.1 during the Next
104 Protocol Negotiation.
105*/
106
107/*!
108 \variable QSslConfiguration::ALPNProtocolHTTP2
109 \brief The value used for negotiating HTTP 2 during the Application-Layer
110 Protocol Negotiation.
111*/
112
113/*!
114 Constructs an empty SSL configuration. This configuration contains
115 no valid settings and the state will be empty. isNull() will
116 return true after this constructor is called.
117
118 Once any setter methods are called, isNull() will return false.
119*/
120QSslConfiguration::QSslConfiguration()
121 : d(new QSslConfigurationPrivate)
122{
123}
124
125/*!
126 Copies the configuration and state of \a other. If \a other is
127 null, this object will be null too.
128*/
129QSslConfiguration::QSslConfiguration(const QSslConfiguration &other)
130 : d(other.d)
131{
132}
133
134/*!
135 Releases any resources held by QSslConfiguration.
136*/
137QSslConfiguration::~QSslConfiguration()
138{
139 // QSharedDataPointer deletes d for us if necessary
140}
141
142/*!
143 Copies the configuration and state of \a other. If \a other is
144 null, this object will be null too.
145*/
146QSslConfiguration &QSslConfiguration::operator=(const QSslConfiguration &other)
147{
148 d = other.d;
149 return *this;
150}
151
152/*!
153 \fn void QSslConfiguration::swap(QSslConfiguration &other)
154 \since 5.0
155 \memberswap{SSL configuration instance}
156*/
157
158/*!
159 Returns \c true if this QSslConfiguration object is equal to \a
160 other.
161
162 Two QSslConfiguration objects are considered equal if they have
163 the exact same settings and state.
164
165 \sa operator!=()
166*/
167bool QSslConfiguration::operator==(const QSslConfiguration &other) const
168{
169 if (d == other.d)
170 return true;
171 return d->peerCertificate == other.d->peerCertificate &&
172 d->peerCertificateChain == other.d->peerCertificateChain &&
173 d->localCertificateChain == other.d->localCertificateChain &&
174 d->privateKey == other.d->privateKey &&
175 d->sessionCipher == other.d->sessionCipher &&
176 d->sessionProtocol == other.d->sessionProtocol &&
177 d->preSharedKeyIdentityHint == other.d->preSharedKeyIdentityHint &&
178 d->ciphers == other.d->ciphers &&
179 d->ellipticCurves == other.d->ellipticCurves &&
180 d->ephemeralServerKey == other.d->ephemeralServerKey &&
181 d->dhParams == other.d->dhParams &&
182 d->caCertificates == other.d->caCertificates &&
183 d->protocol == other.d->protocol &&
184 d->peerVerifyMode == other.d->peerVerifyMode &&
185 d->peerVerifyDepth == other.d->peerVerifyDepth &&
186 d->allowRootCertOnDemandLoading == other.d->allowRootCertOnDemandLoading &&
187 d->backendConfig == other.d->backendConfig &&
188 d->sslOptions == other.d->sslOptions &&
189 d->sslSession == other.d->sslSession &&
190 d->sslSessionTicketLifeTimeHint == other.d->sslSessionTicketLifeTimeHint &&
191 d->nextAllowedProtocols == other.d->nextAllowedProtocols &&
192 d->nextNegotiatedProtocol == other.d->nextNegotiatedProtocol &&
193 d->nextProtocolNegotiationStatus == other.d->nextProtocolNegotiationStatus &&
194 d->dtlsCookieEnabled == other.d->dtlsCookieEnabled &&
195 d->ocspStaplingEnabled == other.d->ocspStaplingEnabled &&
196 d->reportFromCallback == other.d->reportFromCallback &&
197 d->missingCertIsFatal == other.d->missingCertIsFatal;
198}
199
200/*!
201 \fn QSslConfiguration::operator!=(const QSslConfiguration &other) const
202
203 Returns \c true if this QSslConfiguration differs from \a other. Two
204 QSslConfiguration objects are considered different if any state or
205 setting is different.
206
207 \sa operator==()
208*/
209
210/*!
211 Returns \c true if this is a null QSslConfiguration object.
212
213 A QSslConfiguration object is null if it has been
214 default-constructed and no setter methods have been called.
215
216 \sa setProtocol(), setLocalCertificate(), setPrivateKey(),
217 setCiphers(), setCaCertificates()
218*/
219bool QSslConfiguration::isNull() const
220{
221 return (d->protocol == QSsl::SecureProtocols &&
222 d->peerVerifyMode == QSslSocket::AutoVerifyPeer &&
223 d->peerVerifyDepth == 0 &&
224 d->allowRootCertOnDemandLoading == true &&
225 d->caCertificates.size() == 0 &&
226 d->ciphers.size() == 0 &&
227 d->ellipticCurves.isEmpty() &&
228 d->ephemeralServerKey.isNull() &&
229 d->dhParams == QSslDiffieHellmanParameters::defaultParameters() &&
230 d->localCertificateChain.isEmpty() &&
231 d->privateKey.isNull() &&
232 d->peerCertificate.isNull() &&
233 d->peerCertificateChain.size() == 0 &&
234 d->backendConfig.isEmpty() &&
235 d->sslOptions == QSslConfigurationPrivate::defaultSslOptions &&
236 d->sslSession.isNull() &&
237 d->sslSessionTicketLifeTimeHint == -1 &&
238 d->preSharedKeyIdentityHint.isNull() &&
239 d->nextAllowedProtocols.isEmpty() &&
240 d->nextNegotiatedProtocol.isNull() &&
241 d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone &&
242 d->ocspStaplingEnabled == false &&
243 d->reportFromCallback == false &&
244 d->missingCertIsFatal == false);
245}
246
247/*!
248 Returns the protocol setting for this SSL configuration.
249
250 \sa setProtocol()
251*/
252QSsl::SslProtocol QSslConfiguration::protocol() const
253{
254 return d->protocol;
255}
256
257/*!
258 Sets the protocol setting for this configuration to be \a
259 protocol.
260
261 Setting the protocol once the connection has already been
262 established has no effect.
263
264 \sa protocol()
265*/
266void QSslConfiguration::setProtocol(QSsl::SslProtocol protocol)
267{
268 d->protocol = protocol;
269}
270
271/*!
272 Returns the verify mode. This mode decides whether QSslSocket should
273 request a certificate from the peer (i.e., the client requests a
274 certificate from the server, or a server requesting a certificate from the
275 client), and whether it should require that this certificate is valid.
276
277 The default mode is AutoVerifyPeer, which tells QSslSocket to use
278 VerifyPeer for clients, QueryPeer for servers.
279
280 \sa setPeerVerifyMode()
281*/
282QSslSocket::PeerVerifyMode QSslConfiguration::peerVerifyMode() const
283{
284 return d->peerVerifyMode;
285}
286
287/*!
288 Sets the verify mode to \a mode. This mode decides whether QSslSocket
289 should request a certificate from the peer (i.e., the client requests a
290 certificate from the server, or a server requesting a certificate from the
291 client), and whether it should require that this certificate is valid.
292
293 The default mode is AutoVerifyPeer, which tells QSslSocket to use
294 VerifyPeer for clients, QueryPeer for servers.
295
296 \sa peerVerifyMode()
297*/
298void QSslConfiguration::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode)
299{
300 d->peerVerifyMode = mode;
301}
302
303
304/*!
305 Returns the maximum number of certificates in the peer's certificate chain
306 to be checked during the SSL handshake phase, or 0 (the default) if no
307 maximum depth has been set, indicating that the whole certificate chain
308 should be checked.
309
310 The certificates are checked in issuing order, starting with the peer's
311 own certificate, then its issuer's certificate, and so on.
312
313 \sa setPeerVerifyDepth(), peerVerifyMode()
314*/
315int QSslConfiguration::peerVerifyDepth() const
316{
317 return d->peerVerifyDepth;
318}
319
320/*!
321 Sets the maximum number of certificates in the peer's certificate chain to
322 be checked during the SSL handshake phase, to \a depth. Setting a depth of
323 0 means that no maximum depth is set, indicating that the whole
324 certificate chain should be checked.
325
326 The certificates are checked in issuing order, starting with the peer's
327 own certificate, then its issuer's certificate, and so on.
328
329 \sa peerVerifyDepth(), setPeerVerifyMode()
330*/
331void QSslConfiguration::setPeerVerifyDepth(int depth)
332{
333 if (depth < 0) {
334 qCWarning(lcSsl,
335 "QSslConfiguration::setPeerVerifyDepth: cannot set negative depth of %d", depth);
336 return;
337 }
338 d->peerVerifyDepth = depth;
339}
340
341/*!
342 Returns the certificate chain to be presented to the peer during
343 the SSL handshake process.
344
345 \sa localCertificate()
346 \since 5.1
347*/
348QList<QSslCertificate> QSslConfiguration::localCertificateChain() const
349{
350 return d->localCertificateChain;
351}
352
353/*!
354 Sets the certificate chain to be presented to the peer during the
355 SSL handshake to be \a localChain.
356
357 Setting the certificate chain once the connection has been
358 established has no effect.
359
360 A certificate is the means of identification used in the SSL
361 process. The local certificate is used by the remote end to verify
362 the local user's identity against its list of Certification
363 Authorities. In most cases, such as in HTTP web browsing, only
364 servers identify to the clients, so the client does not send a
365 certificate.
366
367 Unlike QSslConfiguration::setLocalCertificate() this method allows
368 you to specify any intermediate certificates required in order to
369 validate your certificate. The first item in the list must be the
370 leaf certificate.
371
372 \sa localCertificateChain()
373 \since 5.1
374 */
375void QSslConfiguration::setLocalCertificateChain(const QList<QSslCertificate> &localChain)
376{
377 d->localCertificateChain = localChain;
378}
379
380/*!
381 Returns the certificate to be presented to the peer during the SSL
382 handshake process.
383
384 \sa setLocalCertificate()
385*/
386QSslCertificate QSslConfiguration::localCertificate() const
387{
388 if (d->localCertificateChain.isEmpty())
389 return QSslCertificate();
390 return d->localCertificateChain[0];
391}
392
393/*!
394 Sets the certificate to be presented to the peer during SSL
395 handshake to be \a certificate.
396
397 Setting the certificate once the connection has been established
398 has no effect.
399
400 A certificate is the means of identification used in the SSL
401 process. The local certificate is used by the remote end to verify
402 the local user's identity against its list of Certification
403 Authorities. In most cases, such as in HTTP web browsing, only
404 servers identify to the clients, so the client does not send a
405 certificate.
406
407 \sa localCertificate()
408*/
409void QSslConfiguration::setLocalCertificate(const QSslCertificate &certificate)
410{
411 d->localCertificateChain = QList<QSslCertificate>();
412 d->localCertificateChain += certificate;
413}
414
415/*!
416 Returns the peer's digital certificate (i.e., the immediate
417 certificate of the host you are connected to), or a null
418 certificate, if the peer has not assigned a certificate.
419
420 The peer certificate is checked automatically during the
421 handshake phase, so this function is normally used to fetch
422 the certificate for display or for connection diagnostic
423 purposes. It contains information about the peer, including
424 its host name, the certificate issuer, and the peer's public
425 key.
426
427 Because the peer certificate is set during the handshake phase, it
428 is safe to access the peer certificate from a slot connected to
429 the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors()
430 signal, or the QSslSocket::encrypted() signal.
431
432 If a null certificate is returned, it can mean the SSL handshake
433 failed, or it can mean the host you are connected to doesn't have
434 a certificate, or it can mean there is no connection.
435
436 If you want to check the peer's complete chain of certificates,
437 use peerCertificateChain() to get them all at once.
438
439 \sa peerCertificateChain(),
440 QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(),
441 QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
442*/
443QSslCertificate QSslConfiguration::peerCertificate() const
444{
445 return d->peerCertificate;
446}
447
448/*!
449 Returns the peer's chain of digital certificates, starting with
450 the peer's immediate certificate and ending with the CA's
451 certificate.
452
453 Peer certificates are checked automatically during the handshake
454 phase. This function is normally used to fetch certificates for
455 display, or for performing connection diagnostics. Certificates
456 contain information about the peer and the certificate issuers,
457 including host name, issuer names, and issuer public keys.
458
459 Because the peer certificate is set during the handshake phase, it
460 is safe to access the peer certificate from a slot connected to
461 the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors()
462 signal, or the QSslSocket::encrypted() signal.
463
464 If an empty list is returned, it can mean the SSL handshake
465 failed, or it can mean the host you are connected to doesn't have
466 a certificate, or it can mean there is no connection.
467
468 If you want to get only the peer's immediate certificate, use
469 peerCertificate().
470
471 \sa peerCertificate(),
472 QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(),
473 QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
474*/
475QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const
476{
477 return d->peerCertificateChain;
478}
479
480/*!
481 Returns the socket's cryptographic \l {QSslCipher} {cipher}, or a
482 null cipher if the connection isn't encrypted. The socket's cipher
483 for the session is set during the handshake phase. The cipher is
484 used to encrypt and decrypt data transmitted through the socket.
485
486 The SSL infrastructure also provides functions for setting the
487 ordered list of ciphers from which the handshake phase will
488 eventually select the session cipher. This ordered list must be in
489 place before the handshake phase begins.
490
491 \sa ciphers(), setCiphers(), supportedCiphers()
492*/
493QSslCipher QSslConfiguration::sessionCipher() const
494{
495 return d->sessionCipher;
496}
497
498/*!
499 Returns the socket's SSL/TLS protocol or UnknownProtocol if the
500 connection isn't encrypted. The socket's protocol for the session
501 is set during the handshake phase.
502
503 \sa protocol(), setProtocol()
504 \since 5.4
505*/
506QSsl::SslProtocol QSslConfiguration::sessionProtocol() const
507{
508 return d->sessionProtocol;
509}
510
511/*!
512 Returns the \l {QSslKey} {SSL key} assigned to this connection or
513 a null key if none has been assigned yet.
514
515 \sa setPrivateKey(), localCertificate()
516*/
517QSslKey QSslConfiguration::privateKey() const
518{
519 return d->privateKey;
520}
521
522/*!
523 Sets the connection's private \l {QSslKey} {key} to \a key. The
524 private key and the local \l {QSslCertificate} {certificate} are
525 used by clients and servers that must prove their identity to
526 SSL peers.
527
528 Both the key and the local certificate are required if you are
529 creating an SSL server socket. If you are creating an SSL client
530 socket, the key and local certificate are required if your client
531 must identify itself to an SSL server.
532
533 \sa privateKey(), setLocalCertificate()
534*/
535void QSslConfiguration::setPrivateKey(const QSslKey &key)
536{
537 d->privateKey = key;
538}
539
540/*!
541 Returns this connection's current cryptographic cipher suite. This
542 list is used during the handshake phase for choosing a
543 session cipher. The returned list of ciphers is ordered by
544 descending preference. (i.e., the first cipher in the list is the
545 most preferred cipher). The session cipher will be the first one
546 in the list that is also supported by the peer.
547
548 By default, the handshake phase can choose any of the ciphers
549 supported by this system's SSL libraries, which may vary from
550 system to system. The list of ciphers supported by this system's
551 SSL libraries is returned by supportedCiphers(). You can restrict
552 the list of ciphers used for choosing the session cipher for this
553 socket by calling setCiphers() with a subset of the supported
554 ciphers. You can revert to using the entire set by calling
555 setCiphers() with the list returned by supportedCiphers().
556
557 \sa setCiphers(), supportedCiphers()
558*/
559QList<QSslCipher> QSslConfiguration::ciphers() const
560{
561 return d->ciphers;
562}
563
564/*!
565 Sets the cryptographic cipher suite for this socket to \a ciphers,
566 which must contain a subset of the ciphers in the list returned by
567 supportedCiphers().
568
569 Restricting the cipher suite must be done before the handshake
570 phase, where the session cipher is chosen.
571
572 \sa ciphers(), supportedCiphers()
573*/
574void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers)
575{
576 d->ciphers = ciphers;
577}
578
579/*!
580 \since 6.0
581
582 Sets the cryptographic cipher suite for this configuration to \a ciphers,
583 which is a colon-separated list of cipher suite names. The ciphers are listed
584 in order of preference, starting with the most preferred cipher.
585 Each cipher name in \a ciphers must be the name of a cipher in the
586 list returned by supportedCiphers(). Restricting the cipher suite
587 must be done before the handshake phase, where the session cipher
588 is chosen.
589
590 \note With the Schannel backend the order of the ciphers is ignored and Schannel
591 picks the most secure one during the handshake.
592
593 \sa ciphers()
594*/
595void QSslConfiguration::setCiphers(const QString &ciphers)
596{
597 auto *p = d.data();
598 p->ciphers.clear();
599 const auto cipherNames = ciphers.split(sep: u':', behavior: Qt::SkipEmptyParts);
600 for (const QString &cipherName : cipherNames) {
601 QSslCipher cipher(cipherName);
602 if (!cipher.isNull())
603 p->ciphers << cipher;
604 }
605}
606
607/*!
608 \since 5.5
609
610 Returns the list of cryptographic ciphers supported by this
611 system. This list is set by the system's SSL libraries and may
612 vary from system to system.
613
614 \sa ciphers(), setCiphers()
615*/
616QList<QSslCipher> QSslConfiguration::supportedCiphers()
617{
618 return QSslSocketPrivate::supportedCiphers();
619}
620
621/*!
622 Returns this connection's CA certificate database. The CA certificate
623 database is used by the socket during the handshake phase to
624 validate the peer's certificate. It can be modified prior to the
625 handshake with setCaCertificates(), or with addCaCertificate() and
626 addCaCertificates().
627
628 \sa setCaCertificates(), addCaCertificate(), addCaCertificates()
629*/
630QList<QSslCertificate> QSslConfiguration::caCertificates() const
631{
632 return d->caCertificates;
633}
634
635/*!
636 Sets this socket's CA certificate database to be \a certificates.
637 The certificate database must be set prior to the SSL handshake.
638 The CA certificate database is used by the socket during the
639 handshake phase to validate the peer's certificate.
640
641 \note The default configuration uses the system CA certificate database. If
642 that is not available (as is commonly the case on iOS), the default database
643 is empty.
644
645 \sa caCertificates(), addCaCertificates(), addCaCertificate()
646*/
647void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates)
648{
649 d->caCertificates = certificates;
650 d->allowRootCertOnDemandLoading = false;
651}
652
653/*!
654 \since 5.15
655
656 Searches all files in the \a path for certificates encoded in the
657 specified \a format and adds them to this socket's CA certificate
658 database. \a path must be a file or a pattern matching one or more
659 files, as specified by \a syntax. Returns \c true if one or more
660 certificates are added to the socket's CA certificate database;
661 otherwise returns \c false.
662
663 The CA certificate database is used by the socket during the
664 handshake phase to validate the peer's certificate.
665
666 For more precise control, use addCaCertificate().
667
668 \sa addCaCertificate(), QSslCertificate::fromPath()
669*/
670bool QSslConfiguration::addCaCertificates(const QString &path, QSsl::EncodingFormat format,
671 QSslCertificate::PatternSyntax syntax)
672{
673 QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax);
674 if (certs.isEmpty())
675 return false;
676
677 d->caCertificates += certs;
678 return true;
679}
680
681/*!
682 \since 5.15
683
684 Adds \a certificate to this configuration's CA certificate database.
685 The certificate database must be set prior to the SSL handshake.
686 The CA certificate database is used by the socket during the
687 handshake phase to validate the peer's certificate.
688
689 \note The default configuration uses the system CA certificate database. If
690 that is not available (as is commonly the case on iOS), the default database
691 is empty.
692
693 \sa caCertificates(), setCaCertificates(), addCaCertificates()
694*/
695void QSslConfiguration::addCaCertificate(const QSslCertificate &certificate)
696{
697 d->caCertificates += certificate;
698 d->allowRootCertOnDemandLoading = false;
699}
700
701/*!
702 \since 5.15
703
704 Adds \a certificates to this configuration's CA certificate database.
705 The certificate database must be set prior to the SSL handshake.
706 The CA certificate database is used by the socket during the
707 handshake phase to validate the peer's certificate.
708
709 \note The default configuration uses the system CA certificate database. If
710 that is not available (as is commonly the case on iOS), the default database
711 is empty.
712
713 \sa caCertificates(), setCaCertificates(), addCaCertificate()
714*/
715void QSslConfiguration::addCaCertificates(const QList<QSslCertificate> &certificates)
716{
717 d->caCertificates += certificates;
718 d->allowRootCertOnDemandLoading = false;
719}
720
721/*!
722 \since 5.5
723
724 This function provides the CA certificate database
725 provided by the operating system. The CA certificate database
726 returned by this function is used to initialize the database
727 returned by caCertificates() on the default QSslConfiguration.
728
729 \sa caCertificates(), setCaCertificates(), defaultConfiguration(),
730 addCaCertificate(), addCaCertificates()
731*/
732QList<QSslCertificate> QSslConfiguration::systemCaCertificates()
733{
734 // we are calling ensureInitialized() in the method below
735 return QSslSocketPrivate::systemCaCertificates();
736}
737
738/*!
739 Enables or disables an SSL compatibility \a option. If \a on
740 is true, the \a option is enabled. If \a on is false, the
741 \a option is disabled.
742
743 \sa testSslOption()
744*/
745void QSslConfiguration::setSslOption(QSsl::SslOption option, bool on)
746{
747 d->sslOptions.setFlag(flag: option, on);
748}
749
750/*!
751 \since 4.8
752
753 Returns \c true if the specified SSL compatibility \a option is enabled.
754
755 \sa setSslOption()
756*/
757bool QSslConfiguration::testSslOption(QSsl::SslOption option) const
758{
759 return d->sslOptions & option;
760}
761
762/*!
763 \since 5.2
764
765 If QSsl::SslOptionDisableSessionPersistence was turned off, this
766 function returns the session ticket used in the SSL handshake in ASN.1
767 format, suitable to e.g. be persisted to disk. If no session ticket was
768 used or QSsl::SslOptionDisableSessionPersistence was not turned off,
769 this function returns an empty QByteArray.
770
771 \note When persisting the session ticket to disk or similar, be
772 careful not to expose the session to a potential attacker, as
773 knowledge of the session allows for eavesdropping on data
774 encrypted with the session parameters.
775
776 \sa setSessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
777 */
778QByteArray QSslConfiguration::sessionTicket() const
779{
780 return d->sslSession;
781}
782
783/*!
784 \since 5.2
785
786 Sets the session ticket to be used in an SSL handshake.
787 QSsl::SslOptionDisableSessionPersistence must be turned off
788 for this to work, and \a sessionTicket must be in ASN.1 format
789 as returned by sessionTicket().
790
791 \sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
792 */
793void QSslConfiguration::setSessionTicket(const QByteArray &sessionTicket)
794{
795 d->sslSession = sessionTicket;
796}
797
798/*!
799 \since 5.2
800
801 If QSsl::SslOptionDisableSessionPersistence was turned off, this
802 function returns the session ticket life time hint sent by the
803 server (which might be 0).
804 If the server did not send a session ticket (e.g. when
805 resuming a session or when the server does not support it) or
806 QSsl::SslOptionDisableSessionPersistence was not turned off,
807 this function returns -1.
808
809 \sa sessionTicket(), QSsl::SslOptionDisableSessionPersistence, setSslOption(), QSslSocket::newSessionTicketReceived()
810 */
811int QSslConfiguration::sessionTicketLifeTimeHint() const
812{
813 return d->sslSessionTicketLifeTimeHint;
814}
815
816/*!
817 \since 5.7
818
819 Returns the ephemeral server key used for cipher algorithms
820 with forward secrecy, e.g. DHE-RSA-AES128-SHA.
821
822 The ephemeral key is only available when running in client mode, i.e.
823 QSslSocket::SslClientMode. When running in server mode or using a
824 cipher algorithm without forward secrecy a null key is returned.
825 The ephemeral server key will be set before emitting the encrypted()
826 signal.
827 */
828QSslKey QSslConfiguration::ephemeralServerKey() const
829{
830 return d->ephemeralServerKey;
831}
832
833/*!
834 \since 5.5
835
836 Returns this connection's current list of elliptic curves. This
837 list is used during the handshake phase for choosing an
838 elliptic curve (when using an elliptic curve cipher).
839 The returned list of curves is ordered by descending preference
840 (i.e., the first curve in the list is the most preferred one).
841
842 By default, the handshake phase can choose any of the curves
843 supported by this system's SSL libraries, which may vary from
844 system to system. The list of curves supported by this system's
845 SSL libraries is returned by QSslSocket::supportedEllipticCurves().
846
847 You can restrict the list of curves used for choosing the session cipher
848 for this socket by calling setEllipticCurves() with a subset of the
849 supported ciphers. You can revert to using the entire set by calling
850 setEllipticCurves() with the list returned by
851 QSslSocket::supportedEllipticCurves().
852
853 \sa setEllipticCurves
854 */
855QList<QSslEllipticCurve> QSslConfiguration::ellipticCurves() const
856{
857 return d->ellipticCurves;
858}
859
860/*!
861 \since 5.5
862
863 Sets the list of elliptic curves to be used by this socket to \a curves,
864 which must contain a subset of the curves in the list returned by
865 supportedEllipticCurves().
866
867 Restricting the elliptic curves must be done before the handshake
868 phase, where the session cipher is chosen.
869
870 \sa ellipticCurves
871 */
872void QSslConfiguration::setEllipticCurves(const QList<QSslEllipticCurve> &curves)
873{
874 d->ellipticCurves = curves;
875}
876
877/*!
878 \since 5.5
879
880 Returns the list of elliptic curves supported by this
881 system. This list is set by the system's SSL libraries and may
882 vary from system to system.
883
884 \sa ellipticCurves(), setEllipticCurves()
885*/
886QList<QSslEllipticCurve> QSslConfiguration::supportedEllipticCurves()
887{
888 return QSslSocketPrivate::supportedEllipticCurves();
889}
890
891/*!
892 \since 5.8
893
894 Returns the identity hint.
895
896 \sa setPreSharedKeyIdentityHint()
897*/
898QByteArray QSslConfiguration::preSharedKeyIdentityHint() const
899{
900 return d->preSharedKeyIdentityHint;
901}
902
903/*!
904 \since 5.8
905
906 Sets the identity hint for a preshared key authentication to \a hint. This will
907 affect the next initiated handshake; calling this function on an already-encrypted
908 socket will not affect the socket's identity hint.
909
910 The identity hint is used in QSslSocket::SslServerMode only!
911*/
912void QSslConfiguration::setPreSharedKeyIdentityHint(const QByteArray &hint)
913{
914 d->preSharedKeyIdentityHint = hint;
915}
916
917/*!
918 \since 5.8
919
920 Retrieves the current set of Diffie-Hellman parameters.
921
922 If no Diffie-Hellman parameters have been set, the QSslConfiguration object
923 defaults to using the 2048-bit MODP group from RFC 3526.
924
925 \note The default parameters may change in future Qt versions.
926 Please check the documentation of the \e{exact Qt version} that you
927 are using in order to know what defaults that version uses.
928 */
929QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const
930{
931 return d->dhParams;
932}
933
934/*!
935 \since 5.8
936
937 Sets a custom set of Diffie-Hellman parameters to be used by this socket when functioning as
938 a server to \a dhparams.
939
940 If no Diffie-Hellman parameters have been set, the QSslConfiguration object
941 defaults to using the 2048-bit MODP group from RFC 3526.
942
943 Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection
944 (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it.
945
946 \note The default parameters may change in future Qt versions.
947 Please check the documentation of the \e{exact Qt version} that you
948 are using in order to know what defaults that version uses.
949 */
950void QSslConfiguration::setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams)
951{
952 d->dhParams = dhparams;
953}
954
955/*!
956 \since 5.11
957
958 Returns the backend-specific configuration.
959
960 Only options set by setBackendConfigurationOption() or setBackendConfiguration() will be
961 returned. The internal standard configuration of the backend is not reported.
962
963 \sa setBackendConfigurationOption(), setBackendConfiguration()
964 */
965QMap<QByteArray, QVariant> QSslConfiguration::backendConfiguration() const
966{
967 return d->backendConfig;
968}
969
970/*!
971 \since 5.11
972
973 Sets the option \a name in the backend-specific configuration to \a value.
974
975 Options supported by the OpenSSL (>= 1.0.2) backend are available in the \l
976 {https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS}
977 {supported configuration file commands} documentation. The expected type for
978 the \a value parameter is a QByteArray for all options. The \l
979 {https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#EXAMPLES}{examples}
980 show how to use some of the options.
981
982 \note The backend-specific configuration will be applied after the general
983 configuration. Using the backend-specific configuration to set a general
984 configuration option again will overwrite the general configuration option.
985
986 \sa backendConfiguration(), setBackendConfiguration()
987 */
988void QSslConfiguration::setBackendConfigurationOption(const QByteArray &name, const QVariant &value)
989{
990 d->backendConfig[name] = value;
991}
992
993/*!
994 \since 5.11
995
996 Sets or clears the backend-specific configuration.
997
998 Without a \a backendConfiguration parameter this function will clear the
999 backend-specific configuration. More information about the supported
1000 options is available in the documentation of setBackendConfigurationOption().
1001
1002 \sa backendConfiguration(), setBackendConfigurationOption()
1003 */
1004void QSslConfiguration::setBackendConfiguration(const QMap<QByteArray, QVariant> &backendConfiguration)
1005{
1006 d->backendConfig = backendConfiguration;
1007}
1008
1009/*!
1010 \since 5.3
1011
1012 This function returns the protocol negotiated with the server
1013 if the Next Protocol Negotiation (NPN) or Application-Layer Protocol
1014 Negotiation (ALPN) TLS extension was enabled.
1015 In order for the NPN/ALPN extension to be enabled, setAllowedNextProtocols()
1016 needs to be called explicitly before connecting to the server.
1017
1018 If no protocol could be negotiated or the extension was not enabled,
1019 this function returns a QByteArray which is null.
1020
1021 \sa setAllowedNextProtocols(), nextProtocolNegotiationStatus()
1022 */
1023QByteArray QSslConfiguration::nextNegotiatedProtocol() const
1024{
1025 return d->nextNegotiatedProtocol;
1026}
1027
1028/*!
1029 \since 5.3
1030
1031 This function sets the allowed \a protocols to be negotiated with the
1032 server through the Next Protocol Negotiation (NPN) or Application-Layer
1033 Protocol Negotiation (ALPN) TLS extension; each
1034 element in \a protocols must define one allowed protocol.
1035 The function must be called explicitly before connecting to send the NPN/ALPN
1036 extension in the SSL handshake.
1037 Whether or not the negotiation succeeded can be queried through
1038 nextProtocolNegotiationStatus().
1039
1040 \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
1041 */
1042void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols)
1043{
1044 d->nextAllowedProtocols = protocols;
1045}
1046
1047/*!
1048 \since 5.3
1049
1050 This function returns the allowed protocols to be negotiated with the
1051 server through the Next Protocol Negotiation (NPN) or Application-Layer
1052 Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols().
1053
1054 \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
1055 */
1056QList<QByteArray> QSslConfiguration::allowedNextProtocols() const
1057{
1058 return d->nextAllowedProtocols;
1059}
1060
1061/*!
1062 \since 5.3
1063
1064 This function returns the status of the Next Protocol Negotiation (NPN)
1065 or Application-Layer Protocol Negotiation (ALPN).
1066 If the feature has not been enabled through setAllowedNextProtocols(),
1067 this function returns NextProtocolNegotiationNone.
1068 The status will be set before emitting the encrypted() signal.
1069
1070 \sa setAllowedNextProtocols(), allowedNextProtocols(), nextNegotiatedProtocol(), QSslConfiguration::NextProtocolNegotiationStatus
1071 */
1072QSslConfiguration::NextProtocolNegotiationStatus QSslConfiguration::nextProtocolNegotiationStatus() const
1073{
1074 return d->nextProtocolNegotiationStatus;
1075}
1076
1077/*!
1078 Returns the default SSL configuration to be used in new SSL
1079 connections.
1080
1081 The default SSL configuration consists of:
1082
1083 \list
1084 \li no local certificate and no private key
1085 \li protocol \l{QSsl::SecureProtocols}{SecureProtocols}
1086 \li the system's default CA certificate list
1087 \li the cipher list equal to the list of the SSL libraries'
1088 supported SSL ciphers that are 128 bits or more
1089 \endlist
1090
1091 \sa supportedCiphers(), setDefaultConfiguration()
1092*/
1093QSslConfiguration QSslConfiguration::defaultConfiguration()
1094{
1095 return QSslConfigurationPrivate::defaultConfiguration();
1096}
1097
1098/*!
1099 Sets the default SSL configuration to be used in new SSL
1100 connections to be \a configuration. Existing connections are not
1101 affected by this call.
1102
1103 \sa supportedCiphers(), defaultConfiguration()
1104*/
1105void QSslConfiguration::setDefaultConfiguration(const QSslConfiguration &configuration)
1106{
1107 QSslConfigurationPrivate::setDefaultConfiguration(configuration);
1108}
1109
1110#if QT_CONFIG(dtls) || defined(Q_QDOC)
1111
1112/*!
1113 This function returns true if DTLS cookie verification was enabled on a
1114 server-side socket.
1115
1116 \sa setDtlsCookieVerificationEnabled()
1117 */
1118bool QSslConfiguration::dtlsCookieVerificationEnabled() const
1119{
1120 return d->dtlsCookieEnabled;
1121}
1122
1123/*!
1124 This function enables DTLS cookie verification when \a enable is true.
1125
1126 \sa dtlsCookieVerificationEnabled()
1127 */
1128void QSslConfiguration::setDtlsCookieVerificationEnabled(bool enable)
1129{
1130 d->dtlsCookieEnabled = enable;
1131}
1132
1133/*!
1134 Returns the default DTLS configuration to be used in new DTLS
1135 connections.
1136
1137 The default DTLS configuration consists of:
1138
1139 \list
1140 \li no local certificate and no private key
1141 \li protocol DtlsV1_2OrLater
1142 \li the system's default CA certificate list
1143 \li the cipher list equal to the list of the SSL libraries'
1144 supported TLS 1.2 ciphers that use 128 or more secret bits
1145 for the cipher.
1146 \endlist
1147
1148 \sa setDefaultDtlsConfiguration()
1149*/
1150QSslConfiguration QSslConfiguration::defaultDtlsConfiguration()
1151{
1152 return QSslConfigurationPrivate::defaultDtlsConfiguration();
1153}
1154
1155/*!
1156 Sets the default DTLS configuration to be used in new DTLS
1157 connections to be \a configuration. Existing connections are not
1158 affected by this call.
1159
1160 \sa defaultDtlsConfiguration()
1161*/
1162void QSslConfiguration::setDefaultDtlsConfiguration(const QSslConfiguration &configuration)
1163{
1164 QSslConfigurationPrivate::setDefaultDtlsConfiguration(configuration);
1165}
1166
1167#endif // dtls
1168
1169/*!
1170 \since 5.13
1171 If \a enabled is true, client QSslSocket will send a certificate status request
1172 to its peer when initiating a handshake. During the handshake QSslSocket will
1173 verify the server's response. This value must be set before the handshake
1174 starts.
1175
1176 \sa ocspStaplingEnabled()
1177*/
1178void QSslConfiguration::setOcspStaplingEnabled(bool enabled)
1179{
1180#if QT_CONFIG(ocsp)
1181 d->ocspStaplingEnabled = enabled;
1182#else
1183 if (enabled)
1184 qCWarning(lcSsl, "Enabling OCSP-stapling requires the feature 'ocsp'");
1185#endif // ocsp
1186}
1187
1188/*!
1189 \since 5.13
1190 Returns true if OCSP stapling was enabled by setOCSPStaplingEnabled(),
1191 otherwise false (which is the default value).
1192
1193 \sa setOcspStaplingEnabled()
1194*/
1195bool QSslConfiguration::ocspStaplingEnabled() const
1196{
1197 return d->ocspStaplingEnabled;
1198}
1199
1200/*!
1201 \since 6.0
1202
1203 Returns true if a verification callback will emit QSslSocket::handshakeInterruptedOnError()
1204 early, before concluding the handshake.
1205
1206 \note This function always returns false for all backends but OpenSSL.
1207
1208 \sa setHandshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake()
1209*/
1210bool QSslConfiguration::handshakeMustInterruptOnError() const
1211{
1212 return d->reportFromCallback;
1213}
1214
1215/*!
1216 \since 6.0
1217
1218 If \a interrupt is true and the underlying backend supports this option,
1219 errors found during certificate verification are reported immediately
1220 by emitting QSslSocket::handshakeInterruptedOnError(). This allows
1221 to stop the unfinished handshake and send a proper alert message to
1222 a peer. No special action is required from the application in this case.
1223 QSslSocket will close the connection after sending the alert message.
1224 If the application after inspecting the error wants to continue the
1225 handshake, it must call QSslSocket::continueInterruptedHandshake()
1226 from its slot function. The signal-slot connection must be direct.
1227
1228 \note When interrupting handshake is enabled, errors that would otherwise
1229 be reported by QSslSocket::peerVerifyError() are instead only reported by
1230 QSslSocket::handshakeInterruptedOnError().
1231 \note Even if the handshake was continued, these errors will be
1232 reported when emitting QSslSocket::sslErrors() signal (and thus must
1233 be ignored in the corresponding function slot).
1234
1235 \sa handshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake()
1236*/
1237void QSslConfiguration::setHandshakeMustInterruptOnError(bool interrupt)
1238{
1239#if QT_CONFIG(openssl)
1240 d->reportFromCallback = interrupt;
1241#else
1242 Q_UNUSED(interrupt);
1243 qCWarning(lcSsl, "This operation requires OpenSSL as TLS backend");
1244#endif
1245}
1246
1247/*!
1248 \since 6.0
1249
1250 Returns true if errors with code QSslError::NoPeerCertificate
1251 cannot be ignored.
1252
1253 \note Always returns false for all TLS backends but OpenSSL.
1254
1255 \sa QSslSocket::ignoreSslErrors(), setMissingCertificateIsFatal()
1256*/
1257bool QSslConfiguration::missingCertificateIsFatal() const
1258{
1259 return d->missingCertIsFatal;
1260}
1261
1262/*!
1263 \since 6.0
1264
1265 If \a cannotRecover is true, and verification mode in use is
1266 QSslSocket::VerifyPeer or QSslSocket::AutoVerifyPeer (for a
1267 client-side socket), the missing peer's certificate would be
1268 treated as an unrecoverable error that cannot be ignored. A proper
1269 alert message will be sent to the peer before closing the connection.
1270
1271 \note Only available if Qt was configured and built with OpenSSL backend.
1272
1273 \sa QSslSocket::ignoreSslErrors(), QSslSocket::PeerVerifyMode, missingCertificateIsFatal()
1274*/
1275void QSslConfiguration::setMissingCertificateIsFatal(bool cannotRecover)
1276{
1277#if QT_CONFIG(openssl)
1278 d->missingCertIsFatal = cannotRecover;
1279#else
1280 Q_UNUSED(cannotRecover);
1281 qCWarning(lcSsl, "Handling a missing certificate as a fatal error requires an OpenSSL backend");
1282#endif // openssl
1283}
1284
1285/*! \internal
1286*/
1287bool QSslConfigurationPrivate::peerSessionWasShared(const QSslConfiguration &configuration) {
1288 return configuration.d->peerSessionShared;
1289 }
1290
1291QT_END_NAMESPACE
1292

Provided by KDAB

Privacy Policy
Learn to use CMake with our Intro Training
Find out more

source code of qtbase/src/network/ssl/qsslconfiguration.cpp