Commit Graph

10 Commits

Author SHA1 Message Date
Sona Kurazyan 46d6cc47cf QtNetwork: use _L1 for creating Latin-1 string literals
Task-number: QTBUG-98434
Change-Id: Ic235b92377203f7a1429ae7fd784c4a1fa893e9f
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2022-04-21 23:53:15 +02:00
Mårten Nordheim a6744bc9f9 OpenSSL: handle renegotiate errors by comparing certs
If the certificate didn't change then our trust in it didn't either.
Sadly, we cannot have an autotest because we don't have any way
to facilitate a renegotiation at the moment, and with TLS 1.3
not having them at all it's unlikely we ever will.

Pick-to: 6.2 5.15
Task-number: QTBUG-92231
Change-Id: Ibaa9b2f627daca05021c574e69526710aacdadae
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
2021-12-02 19:29:58 +00:00
Mårten Nordheim c891382900 Openssl backend: reinsert a missing C in qCDebug
Pick-to: 6.2 5.15
Change-Id: I2b13d2f88517abea7e015bfba4fe71dcbada86c0
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
2021-12-01 00:20:25 +01:00
Jonas Kvinge b64c6285f7 tls: Fix typos in source code comments
Change-Id: Iec42e4d0f3476bd421861a0139731ff89788ee23
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2021-10-12 11:29:15 +02:00
Mårten Nordheim 2e520f29a7 OpenSSL: Let people opt-in to use TLS 1.3 PSK callback
It's a workaround for the workaround...

If TLS 1.3 was explicitly chosen and the PSK callback is set then
without this patch the callback is never called since, with TLS 1.3, PSK
would only be queried once at the start of a connection.

It can now be re-enabled with an environment variable. A new API should
be added to address the new requirements of PSK with TLS 1.3:
For session resumption the connection MUST use the same hash algorithm
as in the original session. For new sessions the hash algorithm must be
decided ahead of time, or a default will be used (as defined by the
standard). A user can also pass along multiple identity+key pairs and
the server will pick one it recognizes. This is not something we can
currently do with the preSharedKeyAuthenticationRequired callback.

[ChangeLog][Network][QSslSocket][OpenSSL] When using TLS 1.3 we
suppress the first callback from OpenSSL about pre-shared keys, as it
doesn't conform to the past behavior which
preSharedKeyAuthenticationRequired provided. With this update you can
opt-out of that workaround by setting the QT_USE_TLS_1_3_PSK environment
variable.

Pick-to: 6.2 6.1 5.15
Task-number: QTBUG-95670
Change-Id: Ia7454bbbf394cbcb859de333b371d0890b42a1c3
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
2021-09-08 18:28:40 +00:00
Marc Mutz 93fdd88a42 Hold QSslContext in shared_ptr
... instead of QSharedPointer.

QSharedPointer performs twice as many atomic operations per pointer
copy as std::shared_ptr, and this is private API, we're not bound by
BC constraints, so we can port to the more efficient version.

Change-Id: I2e2a02493565a7ca51c86ec0ed66b6ce7c763e41
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2021-07-18 13:49:04 +02:00
Marc Mutz 9cc0c64e08 SSL: port QSharedPointer<QSslContext> uses to std-compatible API subset
In preparation of porting to shared_ptr.

Add a few strategic moves and remove a rather pointless comment
stating the obvious.

Change-Id: Ie1c0f3431af79bdb204e00d99323bf9f2d100d0d
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2021-07-16 23:41:34 +02:00
Mårten Nordheim bb93c641a2 TLS: Mark TLS 1.0, 1.1 and DTLS 1.0 deprecated
As per the best practice laid forth in RFC-8996.
TLS 1.2 was recommended from 2008 until TLS 1.3 was released in 2018.

[ChangeLog][QtNetwork][QSslSocket] TLS 1.0, 1.1 and DTLS 1.0 are now
deprecated, as recommended by RFC-8996.

Fixes: QTBUG-92880
Change-Id: I90cebcfb07cfce623af7ac9f2b66ce9d02586b54
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
2021-06-25 01:30:46 +02:00
Mårten Nordheim 664a6621fb QSslSocket: Set isEncrypted to false on disconnect
Since we're no longer connected, much less encrypted.
This was done in the Schannel backend, but not in ST or OpenSSL.

Pick-to: 6.2
Change-Id: Ia49387be0088f899a0c89091f7e468dba1c0eee6
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
2021-06-25 01:30:46 +02:00
Timur Pocheptsov d385158d52 Move plugin code from QtNetwork to qtbase/plugins
All TLS (and non-TLS) backends that QSsl classes rely
on are now in plugins/tls (as openssl, securetransport,
schannel and certonly plugins).

For now, I have to disable some tests that were using OpenSSL
calls - this is to be refactored/re-thought. These include:
qsslsocket auto-test (test-case where we work with private keys),
qsslkey auto-test (similar to qsslsocket - test-case working with
keys using OpenSSL calls).
qasn1element moved to plugins too, so its auto-test has to
be re-thought.
Since now we can have more than one working TLS-backend on a given
platform, the presence of OpenSSL also means I force this backend
as active before running tests, to make sure features implemented
only in OpenSSL-backend are tested.
OCSP auto test is disabled for now, since it heavily relies on
OpenSSL symbols (to be refactored).

[ChangeLog][QtNetwork][QSslSocket] QSslSocket by default prefers 'openssl' backend
if it is available.

[ChangeLog][QtNetwork][QSslSocket] TLS-backends are not mutually exclusive anymore,
depending on a platform, more than one TLS backend can be built. E.g., configuring
Qt with -openssl does not prevent SecureTransport or Schannel plugin from being
built.

Fixes: QTBUG-91928
Change-Id: I4c05e32f10179066bee3a518bdfdd6c4b15320c3
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2021-04-22 22:51:54 +02:00