bool KIO::Integration::sslConfigFromMetaData(const KIO::MetaData& metadata, QSslConfiguration& sslconfig) { bool success = false; if (metadata.contains(QL1S("ssl_in_use"))) { const QSsl::SslProtocol sslProto = qSslProtocolFromString(metadata.value(QL1S("ssl_protocol_version"))); QList<QSslCipher> cipherList; cipherList << QSslCipher(metadata.value(QL1S("ssl_cipher_name")), sslProto); sslconfig.setCaCertificates(QSslCertificate::fromData(metadata.value(QL1S("ssl_peer_chain")).toUtf8())); sslconfig.setCiphers(cipherList); sslconfig.setProtocol(sslProto); success = sslconfig.isNull(); } return success; }
EnginioClientConnectionPrivate::EnginioClientConnectionPrivate() : _identity(), _serviceUrl(EnginioString::apiEnginIo), _networkManager(), _uploadChunkSize(512 * 1024), _authenticationState(Enginio::NotAuthenticated) { assignNetworkManager(); #if defined(ENGINIO_VALGRIND_DEBUG) QSslConfiguration conf = QSslConfiguration::defaultConfiguration(); conf.setCiphers(QList<QSslCipher>() << QSslCipher(QStringLiteral("ECDHE-RSA-DES-CBC3-SHA"), QSsl::SslV3)); _request.setSslConfiguration(conf); #endif _request.setHeader(QNetworkRequest::ContentTypeHeader, QStringLiteral("application/json")); }
void LanLinkProvider::configureSslSocket(QSslSocket* socket, const QString& deviceId, bool isDeviceTrusted) { // Setting supported ciphers manually // Top 3 ciphers are for new Android devices, botton two are for old Android devices // FIXME : These cipher suites should be checked whether they are supported or not on device QList<QSslCipher> socketCiphers; socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-ECDSA-AES256-GCM-SHA384"))); socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-ECDSA-AES128-GCM-SHA256"))); socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-RSA-AES128-SHA"))); socketCiphers.append(QSslCipher(QStringLiteral("RC4-SHA"))); socketCiphers.append(QSslCipher(QStringLiteral("RC4-MD5"))); // Configure for ssl QSslConfiguration sslConfig; sslConfig.setCiphers(socketCiphers); sslConfig.setProtocol(QSsl::TlsV1_0); socket->setSslConfiguration(sslConfig); socket->setLocalCertificate(KdeConnectConfig::instance()->certificate()); socket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath()); socket->setPeerVerifyName(deviceId); if (isDeviceTrusted) { QString certString = KdeConnectConfig::instance()->getDeviceProperty(deviceId, QStringLiteral("certificate"), QString()); socket->addCaCertificate(QSslCertificate(certString.toLatin1())); socket->setPeerVerifyMode(QSslSocket::VerifyPeer); } else { socket->setPeerVerifyMode(QSslSocket::QueryPeer); } //Usually SSL errors are only bad for trusted devices. Uncomment this section to log errors in any case, for debugging. //QObject::connect(socket, static_cast<void (QSslSocket::*)(const QList<QSslError>&)>(&QSslSocket::sslErrors), [](const QList<QSslError>& errors) //{ // Q_FOREACH (const QSslError &error, errors) { // qCDebug(KDECONNECT_CORE) << "SSL Error:" << error.errorString(); // } //}); }
void ProtocolController::prepareConnection(QSslSocket *socket) { // Ciphers allowed QList<QSslCipher> ciphers; ciphers << QSslCipher("ECDHE-RSA-AES256-GCM-SHA384"); // Update config QSslConfiguration config = socket->sslConfiguration(); config.setProtocol(QSsl::TlsV1_2); // Set allowed ciphers config.setCiphers(ciphers); socket->setSslConfiguration(config); QFile caFile("certificates/cert.pem"); caFile.open(QIODevice::ReadOnly); QByteArray data = caFile.readAll(); caFile.close(); QSslCertificate certifacte(data); socket->addCaCertificate(certifacte); }
void OcNetwork::sslErrorHandler(QNetworkReply* rep,const QList<QSslError> &errors) { QVariantMap account = config.getAccount(); bool ignoreSSLerrors = false; if (account["state"].toInt() == 0) { ignoreSSLerrors = account["ignoresslerror"].toBool(); } if (ignoreSSLerrors) { rep->ignoreSslErrors(); QLOG_WARN() << "Network: ignore SSL errors"; } else { foreach (const QSslError &error, errors) { QLOG_ERROR() << "Network SSL error: " << error.errorString(); } // get certificate checksum QString checksum = QString::fromLatin1(rep->sslConfiguration().peerCertificateChain().last().digest(QCryptographicHash::Md5).toHex().toLower()); // set string for temporary file path QString filePath(QDir::homePath()); filePath.append(BASE_PATH).append(QDir::separator()).append(checksum).append(".der"); // store server certificate temporary QFile x509Temp(filePath); x509Temp.open(QIODevice::WriteOnly); x509Temp.write(rep->sslConfiguration().peerCertificateChain().last().toDer()); x509Temp.close(); #if defined(MEEGO_EDITION_HARMATTAN) // set credential int credSuc = aegis_certman_set_credentials("buschtrommel-ocnews::CertOCNewsSSL"); if (credSuc != 0) qDebug() << "set credential error: " << credSuc; // open file for X509 struct FILE * crtFile; crtFile = fopen(filePath.toAscii().data(), "r"); if (crtFile == NULL) qDebug() << "Can not open cert file."; X509 * crt; crt = d2i_X509_fp(crtFile, NULL); if (crt == NULL) qDebug() << "Error importing X509 Certificate"; // get server key id aegis_key_id crtKeyId; aegis_certman_get_key_id(crt, crtKeyId); // open ssl domain domain_handle ownDomain; int openCheck = aegis_certman_open_domain("ssl-ocnews", AEGIS_CERTMAN_DOMAIN_PRIVATE, &ownDomain); if (openCheck != 0) QLOG_ERROR() << "Network: Error Opening SSL Domain: " << openCheck; int guiCheck = aegis_certman_gui_check_certificate(crt, 120); QLOG_INFO() << "Network Certificate check: " << guiCheck; if (guiCheck == 0) { // check if cert is already in domain X509 * storedCert; int loadStoredCert = aegis_certman_load_cert(ownDomain, crtKeyId, &storedCert); if (loadStoredCert == 0 && storedCert != NULL) { QLOG_INFO() << "Network Load Cert: " << loadStoredCert; // convert internal X509 structure to DER int len; unsigned char *buf; buf = NULL; len = i2d_X509(storedCert, &buf); if (len > 0) { // create Qt Certificate from buffer QByteArray buffer(reinterpret_cast<const char*>(buf), len); QSslCertificate sslCert(buffer, QSsl::Der); // create list and append cert QList<QSslCertificate> sslCerts; sslCerts.append(sslCert); // put ssl into ssl error for ignored errors QSslError sslError(QSslError::SelfSignedCertificate, sslCerts.at(0)); QList<QSslError> expectedSslErrors; expectedSslErrors.append(sslError); // add certificate to socket and current configuration QSslSocket::addDefaultCaCertificates(sslCerts); QList<QSslCipher> ciphers = rep->sslConfiguration().ciphers(); QSslConfiguration sslConfig; sslConfig.setCiphers(ciphers); sslConfig.setCaCertificates(sslCerts); rep->setSslConfiguration(sslConfig); // ignore only this ssl error rep->ignoreSslErrors(expectedSslErrors); } else { QLOG_ERROR() << "Network: Can not decode cert to DER."; } } else { int addCheck = aegis_certman_add_cert(ownDomain, crt); QLOG_INFO() << "Network Add Cert: " << addCheck; // convert internal X509 structure to DER int len; unsigned char *buf; buf = NULL; len = i2d_X509(crt, &buf); if (len > 0) { // create Qt Certificate from buffer QByteArray buffer(reinterpret_cast<const char*>(buf), len); QSslCertificate sslCert(buffer, QSsl::Der); // create list and append cert QList<QSslCertificate> sslCerts; sslCerts.append(sslCert); // put ssl into ssl error for ignored errors QSslError sslError(QSslError::SelfSignedCertificate, sslCerts.at(0)); QList<QSslError> expectedSslErrors; expectedSslErrors.append(sslError); // add certificate to socket and current configuration QSslSocket::addDefaultCaCertificates(sslCerts); QList<QSslCipher> ciphers = rep->sslConfiguration().ciphers(); QSslConfiguration sslConfig; sslConfig.setCiphers(ciphers); sslConfig.setCaCertificates(sslCerts); rep->setSslConfiguration(sslConfig); // ignore only these ssl error rep->ignoreSslErrors(expectedSslErrors); } else { QLOG_ERROR() << "Network: Can not decode cert to DER."; } } } else { // remove cert if not approved int removeCheck = aegis_certman_rm_cert(ownDomain, crtKeyId); QLOG_INFO() << "Network Remove Cert: " << removeCheck; } aegis_certman_close_domain(ownDomain); x509Temp.remove(); // remove temporary cert file #else // rep->ignoreSslErrors(); rep->abort(); QLOG_WARN() << "Abort network operation..."; #endif } }
void Server::update() { if (qsRegName.isEmpty() || qsRegPassword.isEmpty() || !qurlRegWeb.isValid() || !qsPassword.isEmpty() || !bAllowPing) return; // When QNAM distinguishes connections by client cert, move this to Meta if (! qnamNetwork) qnamNetwork = new QNetworkAccessManager(this); qtTick.start(1000 * (60 * 60 + (qrand() % 300))); QDomDocument doc; QDomElement root=doc.createElement(QLatin1String("server")); doc.appendChild(root); OSInfo::fillXml(doc, root, meta->qsOS, meta->qsOSVersion, qlBind); QDomElement tag; QDomText t; tag=doc.createElement(QLatin1String("name")); root.appendChild(tag); t=doc.createTextNode(qsRegName); tag.appendChild(t); tag=doc.createElement(QLatin1String("host")); root.appendChild(tag); t=doc.createTextNode(qsRegHost); tag.appendChild(t); tag=doc.createElement(QLatin1String("password")); root.appendChild(tag); t=doc.createTextNode(qsRegPassword); tag.appendChild(t); tag=doc.createElement(QLatin1String("port")); root.appendChild(tag); t=doc.createTextNode(QString::number(usPort)); tag.appendChild(t); tag=doc.createElement(QLatin1String("url")); root.appendChild(tag); t=doc.createTextNode(qurlRegWeb.toString()); tag.appendChild(t); tag=doc.createElement(QLatin1String("digest")); root.appendChild(tag); t=doc.createTextNode(getDigest()); tag.appendChild(t); tag=doc.createElement(QLatin1String("users")); root.appendChild(tag); t=doc.createTextNode(QString::number(qhUsers.count())); tag.appendChild(t); tag=doc.createElement(QLatin1String("channels")); root.appendChild(tag); t=doc.createTextNode(QString::number(qhChannels.count())); tag.appendChild(t); if (!qsRegLocation.isEmpty()) { tag=doc.createElement(QLatin1String("location")); root.appendChild(tag); t=doc.createTextNode(qsRegLocation); tag.appendChild(t); } QNetworkRequest qnr(QUrl(QLatin1String("https://mumble.info/register.cgi"))); qnr.setHeader(QNetworkRequest::ContentTypeHeader, QLatin1String("text/xml")); QSslConfiguration ssl = qnr.sslConfiguration(); ssl.setLocalCertificate(qscCert); ssl.setPrivateKey(qskKey); /* Work around bug in QSslConfiguration */ QList<QSslCertificate> calist = ssl.caCertificates(); calist << QSslSocket::defaultCaCertificates(); calist << Meta::mp.qlCA; calist << Meta::mp.qlIntermediates; calist << qscCert; ssl.setCaCertificates(calist); ssl.setCiphers(Meta::mp.qlCiphers); qnr.setSslConfiguration(ssl); QNetworkReply *rep = qnamNetwork->post(qnr, doc.toString().toUtf8()); connect(rep, SIGNAL(finished()), this, SLOT(finished())); connect(rep, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(regSslError(const QList<QSslError> &))); }
void WebsocketServer::initialisieren(const QString &name, const QString &ipAdresse, const int &anschluss, const QStringList &sslAlgorithmen, const QStringList &ssl_EK, const QString &ssl_DH, const QString &zertifikatSchluessel, const QString &zertifikat, const QString &zertifkatKette, const bool &ssl_aktiv) { QWebSocketServer::SslMode SSL_Modus; if (ssl_aktiv) { SSL_Modus=QWebSocketServer::SecureMode; K_IPAdresse=QHostAddress(ipAdresse); } else { SSL_Modus=QWebSocketServer::NonSecureMode; K_IPAdresse=QHostAddress(QHostAddress::LocalHost); } K_Server=new QWebSocketServer(name,SSL_Modus,this); connect(K_Server,&QWebSocketServer::sslErrors,this, &WebsocketServer::SSL_Fehler); connect(K_Server,&QWebSocketServer::serverError,this,&WebsocketServer::SSL_Serverfehler); connect(K_Server,&QWebSocketServer::newConnection,this,&WebsocketServer::NeuerKlient); connect(K_Server,&QWebSocketServer::acceptError,this,&WebsocketServer::Verbindungsfehler); K_Anschluss=anschluss; QSslConfiguration SSL; QList<QSslCipher> Algorithmen; QVector<QSslEllipticCurve> EK; SSL.setProtocol(QSsl::TlsV1_2OrLater); SSL.setPeerVerifyMode(QSslSocket::VerifyNone); QSslCipher Algorithmus; QSslEllipticCurve Kurve; if (ssl_aktiv) { //BUG Das mit der Reihenfolge geht nicht for (auto Eintrag : sslAlgorithmen) { Algorithmus=QSslCipher(Eintrag); if (Algorithmus.isNull()) qCWarning(qalarm_serverWebsocketServer)<< tr("Algorithmus %1 wird nicht unterstützt.").arg(Eintrag); else Algorithmen.append(Algorithmus); } SSL.setCiphers(Algorithmen); //BUG Es werden nie Kurven angeboten for (auto Eintrag : ssl_EK) { Kurve=QSslEllipticCurve::fromShortName(Eintrag); if (!Kurve.isValid()) qCWarning(qalarm_serverWebsocketServer)<< tr("Kurve %1 wird nicht unterstützt.").arg(Eintrag); else EK.append(Kurve); } SSL.setEllipticCurves(EK); if(!ssl_DH.isEmpty()) { #if (QT_VERSION >= QT_VERSION_CHECK(5,8,0)) SSL.setDiffieHellmanParameters(QSslDiffieHellmanParameters::fromEncoded(DateiLaden(ssl_DH,tr("Die DH Parameter %1 konnten nicht geladen werden.")))); #else qCWarning(qalarm_serverWebsocketServer)<<tr("Qt kann die DH Parameter erst ab Version 5.8.0 setzen"); #endif } QList<QSslCertificate> Zertifikate; Zertifikate=QSslCertificate::fromDevice(DateiLaden(zertifikat,tr("Zertifikat %1 konnte nicht geladen werden.").arg(zertifikat))); Zertifikate.append(QSslCertificate::fromDevice(DateiLaden(zertifkatKette,tr("Die Zertifikatskette %1 konnte nicht geladen werden.").arg(zertifkatKette)))); SSL.setLocalCertificateChain(Zertifikate); SSL.setPrivateKey(QSslKey(DateiLaden(zertifikatSchluessel,tr("Der Schlüssel %1 für das Zertifikat konnte nicht geladen werden.").arg(zertifikatSchluessel)),QSsl::Rsa)); if(SSL.privateKey().isNull() || SSL.localCertificate().isNull() || SSL.localCertificateChain().isEmpty()) return; qCDebug(qalarm_serverWebsocketServer)<<tr("Setze SSL Konfiguration"); qCDebug(qalarm_serverWebsocketServer)<<tr("Privater Schlüssel: ")<<SSL.privateKey(); qCDebug(qalarm_serverWebsocketServer)<<tr("Zertifikate: ")<<SSL.localCertificateChain(); #if (QT_VERSION >= QT_VERSION_CHECK(5,8,0)) qCDebug(qalarm_serverWebsocketServer)<<tr("DH Parameter: ")<<SSL.diffieHellmanParameters(); #endif qCDebug(qalarm_serverWebsocketServer)<<tr("Zerttest: ")<<SSL.peerVerifyMode(); qCDebug(qalarm_serverWebsocketServer)<<tr("Elliptische Kurven: ")<<SSL.ellipticCurves(); qCDebug(qalarm_serverWebsocketServer)<<tr("Algorithmen: ")<<SSL.ciphers(); K_Server->setSslConfiguration(SSL); } if(!K_Initfehler) Q_EMIT Initialisiert(); }