On Sat, Jan 28, 2017 at 12:16 AM, Jason A. Donenfeld wrote:
> Hi,
>
> The file src/network/ssl/qsslsocket_mac.cpp contains a nasty bug
> preventing the use of setProtocol(QSsl::TlsV1_2OrLater):
>
> bool QSslSocketBackendPrivate::verifySessionProtocol() const
> {
>     bool protocolOk = false;
>     if (configuration.protocol == QSsl::AnyProtocol)
>         protocolOk = true;
>     else if (configuration.protocol == QSsl::TlsV1SslV3)
>         protocolOk = (sessionProtocol() >= QSsl::SslV3);
>     else if (configuration.protocol == QSsl::SecureProtocols)
>         protocolOk = (sessionProtocol() >= QSsl::TlsV1_0);
>     else
>         protocolOk = (sessionProtocol() == configuration.protocol);
>
>     return protocolOk;
> }
>
> In the else clause, it checks for equality between sessionProtocol()
> and the configuration protocol. If the configuration protocol is
> *OrLater, this will always be false, and so verification will never
> succeed. And indeed, sessionProtocol() never returns an OrLater
> response:
>
> switch (protocol) {
> case kSSLProtocol2:
>     return QSsl::SslV2;
> case kSSLProtocol3:
>     return QSsl::SslV3;
> case kTLSProtocol1:
>     return QSsl::TlsV1_0;
> case kTLSProtocol11:
>     return QSsl::TlsV1_1;
> case kTLSProtocol12:
>     return QSsl::TlsV1_2;
> default:
>     return QSsl::UnknownProtocol;
> }
>
> The solution is to properly match the OrLaters and use the usual >=
> comparison.
>
> A current workaround is to hard code the SSL version and not use an
> OrLater, which is a bummer. Please fix and backport to LTS.
>
> Thanks,
> Jason
> ___
> Development mailing list
> Development@qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
Hi Jason,
Thanks for reporting this.
I'm working on fixing it here (currently WIP):
https://codereview.qt-project.org/#/c/183781/
Thanks,
Mikkel
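To make the failure mode in the quoted report concrete, here is an added, self-contained C++ example (not code from Qt or from either poster) that places the check as quoted beside a corrected version. It assumes a constructed stand-in enum for QSsl::SslProtocol in which the concrete versions are ordered numerically and the composite settings (AnyProtocol, TlsV1SslV3, SecureProtocols, the *OrLater values) sit apart from them; the real Qt enum values are not reproduced here. The corrected check maps every composite setting to a minimum acceptable version and uses >=, so a session that negotiated TLS 1.2 under a TlsV1_2OrLater configuration is accepted, while an older negotiated version is still rejected.

```cpp
#include <iostream>

// Constructed stand-in for QSsl::SslProtocol (an assumption for this example,
// not Qt's enum): concrete versions are ordered so that ">=" means "at least".
enum SslProtocol {
    UnknownProtocol = -1,
    SslV3 = 0,
    TlsV1_0 = 1,
    TlsV1_1 = 2,
    TlsV1_2 = 3,
    // Composite settings: sessionProtocol() never returns one of these.
    AnyProtocol = 100,
    TlsV1SslV3,
    SecureProtocols,
    TlsV1_0OrLater,
    TlsV1_1OrLater,
    TlsV1_2OrLater
};

// The check as quoted in the report: every composite *OrLater setting falls
// into the equality branch and can never equal a concrete negotiated version,
// so verification fails closed (the connection is refused, not downgraded).
bool verifySessionProtocolBuggy(SslProtocol configured, SslProtocol negotiated) {
    if (configured == AnyProtocol)     return true;
    if (configured == TlsV1SslV3)      return negotiated >= SslV3;
    if (configured == SecureProtocols) return negotiated >= TlsV1_0;
    return negotiated == configured;
}

// Corrected check: composite settings become a lower bound compared with >=;
// only a concrete configured version keeps the equality comparison.
bool verifySessionProtocolFixed(SslProtocol configured, SslProtocol negotiated) {
    if (negotiated == UnknownProtocol)  // nothing was negotiated: never OK
        return false;
    switch (configured) {
    case AnyProtocol:      return true;
    case TlsV1SslV3:       return negotiated >= SslV3;
    case SecureProtocols:
    case TlsV1_0OrLater:   return negotiated >= TlsV1_0;
    case TlsV1_1OrLater:   return negotiated >= TlsV1_1;
    case TlsV1_2OrLater:   return negotiated >= TlsV1_2;
    default:               return negotiated == configured;  // SslV3, TlsV1_x
    }
}

static const char *name(SslProtocol p) {
    switch (p) {
    case SslV3:          return "SslV3";
    case TlsV1_0:        return "TlsV1_0";
    case TlsV1_1:        return "TlsV1_1";
    case TlsV1_2:        return "TlsV1_2";
    case TlsV1_2OrLater: return "TlsV1_2OrLater";
    default:             return "other";
    }
}

int main() {
    // Constructed scenario from the report: configured TlsV1_2OrLater,
    // peer negotiated TLS 1.2. The quoted check rejects it; the fix accepts it.
    const SslProtocol negotiated[] = { TlsV1_1, TlsV1_2 };
    for (SslProtocol n : negotiated) {
        std::cout << "configured " << name(TlsV1_2OrLater)
                  << ", negotiated " << name(n)
                  << ": buggy=" << verifySessionProtocolBuggy(TlsV1_2OrLater, n)
                  << " fixed=" << verifySessionProtocolFixed(TlsV1_2OrLater, n)
                  << '\n';
    }
    return 0;
}
```

The example also keeps the distinction the report relies on: a concrete configured version (TlsV1_1) still demands an exact match, so the fix widens acceptance only for the settings whose names promise "or later".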