34 lines
1.5 KiB
Diff
34 lines
1.5 KiB
Diff
$OpenBSD: patch-src_network_ssl_qsslsocket_openssl_cpp,v 1.4 2016/01/06 17:17:32 zhuk Exp $
|
|
1. Disable SSLv3 by default.
|
|
2. TLSv1_*_method() are TLSv1.0-only, so default to SSLv23_*_method(), which is
|
|
actually TLSv1.* nowadays.
|
|
2a. Make QSsl::TlsV1 also use SSLv23_*_method(), noone in good mind would
|
|
want to run TLSv1.0-only connections, and too many developers fail
|
|
same way due to bad naming.
|
|
|
|
--- qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl.cpp.orig Thu May 7 17:14:44 2015
|
|
+++ qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl.cpp Wed Jan 6 20:10:23 2016
|
|
@@ -267,16 +267,18 @@ init_context:
|
|
#endif
|
|
break;
|
|
case QSsl::SslV3:
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
|
|
+#else
|
|
+ ctx = 0; // SSL 3 not supported by the system, but chosen deliberately -> error
|
|
+#endif
|
|
break;
|
|
- case QSsl::SecureProtocols: // SslV2 will be disabled below
|
|
- case QSsl::TlsV1SslV3: // SslV2 will be disabled below
|
|
case QSsl::AnyProtocol:
|
|
+ case QSsl::SecureProtocols:
|
|
+ case QSsl::TlsV1SslV3:
|
|
+ case QSsl::TlsV1: // this is TLSv1.0 only case, but misused as TLSv1.x too often
|
|
default:
|
|
ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
|
|
- break;
|
|
- case QSsl::TlsV1:
|
|
- ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method());
|
|
break;
|
|
}
|
|
if (!ctx) {
|