Exemple #1
0
SslServer::SslServer(QObject *parent)
    : QTcpServer(parent),
    _isCertValid(false)
{
    // Keep track if the SSL warning has been mentioned at least once before
    static bool sslWarningShown = false;

    if(Quassel::isOptionSet("ssl-cert")) {
        _sslCertPath = Quassel::optionValue("ssl-cert");
    } else {
        _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
    }

    if(Quassel::isOptionSet("ssl-key")) {
        _sslKeyPath = Quassel::optionValue("ssl-key");
    } else {
        _sslKeyPath = _sslCertPath;
    }

    // Initialize the certificates for first-time usage
    if (!loadCerts()) {
        if (!sslWarningShown) {
            quWarning()
            << "SslServer: Unable to set certificate file\n"
            << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
            << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
            sslWarningShown = true;
        }
    }
}
Exemple #2
0
bool SslServer::setCertificate(const QString &path)
{
    _isCertValid = false;

    if (path.isEmpty())
        return false;

    QFile certFile(path);
    if (!certFile.exists()) {
        quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
        return false;
    }

    if (!certFile.open(QIODevice::ReadOnly)) {
        quWarning()
        << "SslServer: Failed to open certificate file" << qPrintable(path)
        << "error:" << certFile.error();
        return false;
    }

    QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);

    if (certList.isEmpty()) {
        quWarning() << "SslServer: Certificate file doesn't contain a certificate";
        return false;
    }

    _cert = certList[0];
    certList.removeFirst(); // remove server cert

    // store CA and intermediates certs
    _ca = certList;

    if (!certFile.reset()) {
        quWarning() << "SslServer: IO error reading certificate file";
        return false;
    }

    _key = QSslKey(&certFile, QSsl::Rsa);
    certFile.close();

    if (_cert.isNull()) {
        quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
        return false;
    }
    if (!_cert.isValid()) {
        quWarning() << "SslServer: Invalid certificate (most likely expired)";
        // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
    }
    if (_key.isNull()) {
        quWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
        return false;
    }

    _isCertValid = true;

    return _isCertValid;
}
Exemple #3
0
bool SslServer::reloadCerts()
{
    if (loadCerts()) {
        return true;
    } else {
        // Reloading certificates currently only occur in response to a request.  Always print an
        // error if something goes wrong, in order to simplify checking if it's working.
        if (isCertValid()) {
            quWarning()
            << "SslServer: Unable to reload certificate file, reverting\n"
            << "          Quassel Core will use the previous key to provide SSL for client connections.\n"
            << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
        } else {
            quWarning()
            << "SslServer: Unable to reload certificate file\n"
            << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
            << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
        }
        return false;
    }
}
Exemple #4
0
SslServer::SslServer(QObject *parent)
    : QTcpServer(parent),
    _isCertValid(false)
{
    static bool sslWarningShown = false;
    if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) {
        if (!sslWarningShown) {
            quWarning()
            << "SslServer: Unable to set certificate file\n"
            << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
            << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
            sslWarningShown = true;
        }
    }
}
Exemple #5
0
bool SslServer::setCertificate(const QString &path, const QString &keyPath)
{
    // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
    // Use temporary variables in order to avoid overwriting the existing certificates until
    // everything is confirmed good.
    QSslCertificate untestedCert;
    QList<QSslCertificate> untestedCA;
    QSslKey untestedKey;

    if (path.isEmpty())
        return false;

    QFile certFile(path);
    if (!certFile.exists()) {
        quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
        return false;
    }

    if (!certFile.open(QIODevice::ReadOnly)) {
        quWarning()
        << "SslServer: Failed to open certificate file" << qPrintable(path)
        << "error:" << certFile.error();
        return false;
    }

    QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);

    if (certList.isEmpty()) {
        quWarning() << "SslServer: Certificate file doesn't contain a certificate";
        return false;
    }

    untestedCert = certList[0];
    certList.removeFirst(); // remove server cert

    // store CA and intermediates certs
    untestedCA = certList;

    if (!certFile.reset()) {
        quWarning() << "SslServer: IO error reading certificate file";
        return false;
    }

    // load key from keyPath if it differs from path, otherwise load key from path
    if(path != keyPath) {
        QFile keyFile(keyPath);
        if(!keyFile.exists()) {
            quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
            return false;
        }

        if (!keyFile.open(QIODevice::ReadOnly)) {
            quWarning()
            << "SslServer: Failed to open key file" << qPrintable(keyPath)
            << "error:" << keyFile.error();
            return false;
        }

        untestedKey = QSslKey(&keyFile, QSsl::Rsa);
        keyFile.close();
    } else {
        untestedKey = QSslKey(&certFile, QSsl::Rsa);
    }

    certFile.close();

    if (untestedCert.isNull()) {
        quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
        return false;
    }

    // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
    const QDateTime now = QDateTime::currentDateTime();
    if (now < untestedCert.effectiveDate())
        quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();

    else if (now > untestedCert.expiryDate())
        quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();

    else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block
#if QT_VERSION < 0x050000
        if (!untestedCert.isValid())
#else
        if (untestedCert.isBlacklisted())
#endif
            quWarning() << "SslServer: Certificate blacklisted";
    }
    if (untestedKey.isNull()) {
        quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
        return false;
    }

    _isCertValid = true;

    // All keys are valid, update the externally visible copy used for new connections.
    _cert = untestedCert;
    _ca = untestedCA;
    _key = untestedKey;

    return _isCertValid;
}
Exemple #6
0
bool SslServer::setCertificate(const QString &path)
{
    _isCertValid = false;

    if (path.isEmpty())
        return false;

    QFile certFile(path);
    if (!certFile.exists()) {
        quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
        return false;
    }

    if (!certFile.open(QIODevice::ReadOnly)) {
        quWarning()
        << "SslServer: Failed to open certificate file" << qPrintable(path)
        << "error:" << certFile.error();
        return false;
    }

    QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);

    if (certList.isEmpty()) {
        quWarning() << "SslServer: Certificate file doesn't contain a certificate";
        return false;
    }

    _cert = certList[0];
    certList.removeFirst(); // remove server cert

    // store CA and intermediates certs
    _ca = certList;

    if (!certFile.reset()) {
        quWarning() << "SslServer: IO error reading certificate file";
        return false;
    }

    _key = QSslKey(&certFile, QSsl::Rsa);
    certFile.close();

    if (_cert.isNull()) {
        quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
        return false;
    }

    // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
    const QDateTime now = QDateTime::currentDateTime();
    if (now < _cert.effectiveDate())
        quWarning() << "SslServer: Certificate won't be valid before" << _cert.effectiveDate().toString();

    else if (now > _cert.expiryDate())
        quWarning() << "SslServer: Certificate expired on" << _cert.expiryDate().toString();

    else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block
#if QT_VERSION < 0x050000
        if (!_cert.isValid())
#else
        if (_cert.isBlacklisted())
#endif
            quWarning() << "SslServer: Certificate blacklisted";
    }
    if (_key.isNull()) {
        quWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
        return false;
    }

    _isCertValid = true;

    return _isCertValid;
}