Enable support for modern SSL (ariya#12524).

* --ssl-protocol= option now accepts 'tlsv1.2', 'tlsv1.1', 'tlsv1.0' and 'default' as well as the existing 'tlsv1', 'sslv3', and 'any'. * The default is now none of the above, but rather QSsl::SecureProtocols, which means "whatever subset of ANY is still considered secure and also supported by the OpenSSL library in use". (As of this writing, Qt's idea of "still considered secure" includes everything from SSLv3 on up, which is technically wrong -- SSLv3 has known breaks -- but we can live with. Qt currently doesn't have a way to select "TLSv1.0 and up".) Conflicts: src/networkaccessmanager.cpp
Work4Labs · Oct 15, 2014 · 6288878 · 6288878
1 parent adaef21
commit 6288878
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 12 deletions.
diff --git a/src/config.cpp b/src/config.cpp
@@ -66,7 +66,7 @@ static const struct QCommandLineConfigEntry flags[] =
     { QCommandLine::Option, '\0', "proxy-type", "Specifies the proxy type, 'http' (default), 'none' (disable completely), or 'socks5'", QCommandLine::Optional },
     { QCommandLine::Option, '\0', "script-encoding", "Sets the encoding used for the starting script, default is 'utf8'", QCommandLine::Optional },
     { QCommandLine::Option, '\0', "web-security", "Enables web security, 'true' (default) or 'false'", QCommandLine::Optional },
-    { QCommandLine::Option, '\0', "ssl-protocol", "Sets the SSL protocol (supported protocols: 'SSLv3' (default), 'SSLv2', 'TLSv1', 'any')", QCommandLine::Optional },
+    { QCommandLine::Option, '\0', "ssl-protocol", "Selects a specific SSL protocol version to offer. Values (case insensitive): TLSv1.2, TLSv1.1, TLSv1.0, TLSv1 (same as v1.0), SSLv3, or ANY. Default is to offer all that Qt thinks are secure (SSLv3 and up). Not all values may be supported, depending on the system OpenSSL library.", QCommandLine::Optional },
     { QCommandLine::Option, '\0', "ssl-certificates-path", "Sets the location for custom CA certificates (if none set, uses system default)", QCommandLine::Optional },
     { QCommandLine::Option, '\0', "webdriver", "Starts in 'Remote WebDriver mode' (embedded GhostDriver): '[[<IP>:]<PORT>]' (default '127.0.0.1:8910') ", QCommandLine::Optional },
     { QCommandLine::Option, '\0', "webdriver-logfile", "File where to write the WebDriver's Log (default 'none') (NOTE: needs '--webdriver') ", QCommandLine::Optional },
@@ -539,7 +539,7 @@ void Config::resetToDefaults()
     m_javascriptCanCloseWindows = true;
     m_helpFlag = false;
     m_printDebugMessages = false;
-    m_sslProtocol = "sslv3";
+    m_sslProtocol = "default";
     m_sslCertificatesPath.clear();
     m_webdriverIp = QString();
     m_webdriverPort = QString();

diff --git a/src/networkaccessmanager.cpp b/src/networkaccessmanager.cpp
@@ -97,6 +97,21 @@ void JsNetworkRequest::changeUrl(const QString& address)
     }
 }
 
+struct ssl_protocol_option {
+  const char* name;
+  QSsl::SslProtocol proto;
+};
+const ssl_protocol_option ssl_protocol_options[] = {
+  { "default", QSsl::SecureProtocols },
+  { "tlsv1.2", QSsl::TlsV1_2 },
+  { "tlsv1.1", QSsl::TlsV1_1 },
+  { "tlsv1.0", QSsl::TlsV1_0 },
+  { "tlsv1",   QSsl::TlsV1_0 },
+  { "sslv3",   QSsl::SslV3 },
+  { "any",     QSsl::AnyProtocol },
+  { 0,         QSsl::UnknownProtocol }
+};
+
 // public:
 NetworkAccessManager::NetworkAccessManager(QObject *parent, const Config *config)
     : QNetworkAccessManager(parent)
@@ -125,15 +140,19 @@ NetworkAccessManager::NetworkAccessManager(QObject *parent, const Config *config
             m_sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
         }
 
-        // set the SSL protocol to SSLv3 by the default
-        m_sslConfiguration.setProtocol(QSsl::SslV3);
-
-        if (config->sslProtocol() == "sslv2") {
-            m_sslConfiguration.setProtocol(QSsl::SslV2);
-        } else if (config->sslProtocol() == "tlsv1") {
-            m_sslConfiguration.setProtocol(QSsl::TlsV1);
-        } else if (config->sslProtocol() == "any") {
-            m_sslConfiguration.setProtocol(QSsl::AnyProtocol);
+        bool setProtocol = false;
+        for (const ssl_protocol_option *proto_opt = ssl_protocol_options;
+             proto_opt->name;
+             proto_opt++) {
+            if (config->sslProtocol() == proto_opt->name) {
+                m_sslConfiguration.setProtocol(proto_opt->proto);
+                setProtocol = true;
+                break;
+            }
+        }
+        // FIXME: actually object to an invalid setting.
+        if (!setProtocol) {
+            m_sslConfiguration.setProtocol(QSsl::SecureProtocols);
         }
 
         if (!config->sslCertificatesPath().isEmpty()) {
@@ -292,7 +311,7 @@ void NetworkAccessManager::handleStarted()
         return;
 
     m_started += reply;
-    
+
     QVariantList headers;
     foreach (QByteArray headerName, reply->rawHeaderList()) {
         QVariantMap header;