Qt-contributors-summit-2013-19025: Difference between revisions

From Qt Wiki

Latest revision as of 17:15, 6 January 2017

Revision from: 14:54, 15 Jul 2013

Qt Network Session – Qt Contributors Summit 2013

Talking Points

  • Option to add random padding to https requests. This makes us more resistant to the various https attacks that have been floating around.
    • X-Qt-Padding: some noise of varying length
    • Recommendation 3 from http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
  • Who is working on the stack?
  • What's up with the constant failing tests in the CI, and how can we fix the situation?
  • Support for diffie-hellman ciphers
  • Support for redirects
  • Pause on connect
  • Performance
  • Peter's chromium qnam port
  • Automatic fallback support
  • Certificate store API / Caching intermediates
  • OCSP support
  • Replacing the QNAM disk cache
  • HTTP 2.0 / SPDY support
  • Web sockets
  • Enginio and Qt network
  • Webkit2 and custom QNetworkAccessManagers

Off topic, but related:

  • PBKDF2 / BCrypt support (QtCore really)
  • Should we warn if running as root? If running suid?

Notes by Thiago:

  • Difficult to test because of the test server
    • Tests should use localhost (in-test server) whenever possible
    • We can't reproduce the CI server (Peter doesn't get to 0 images)
    • Short-term: get the VM image from the test server → talk to Tony
    • Long-term: get puppet working → talk to Tony
    • Suggestions to improve:
      • Split out the localhost-only tests to verify that local servers are working
      • Test with localhost where possible (using QTcpServer)
      • Reduce the number of daemons required in the test server (e.g., IMAP server)
  • DH key exchange
    • no public API
    • easy to implement, hard to test
  • OCSP
    • adds latency: needs to query the OCSP server
    • Richard implemented one year ago
    • still works, but hasn't worked on it in a while
    • enabled by default
    • QSslSocket level
  • Certificate store:
    • storing intermediate certs from broken servers that don't return the whole chain
    • browsers do that to work around issues in the wild
    • adds security
    • certificates are not trusted, so they don't add a new security attack vector
    • virtual QSslCertificate QAbstractSslCertificateStore::certificateForId(QSslCertificateId)
  • QNAM redirects
    • discussed in the DD Contributor Day
    • vector for insecurity (users do it wrong)
    • should be configurable
    • we don't need to fix this for the browser case → they already have the code
    • we need it only for the simple application cases
    • allow redirect from HTTP to HTTPS, allow within-protocol
    • could work with pausing
    • readyRead & metaDataChanged from the final, sslErrors per connection
  • Pause on connect:
    • Already discussed, implementation challenges and details known
    • Work is missing (Peter doesn't have time)
  • Performance: latency problems
    • Helped by the pre-connect
  • Replacing QNAM port:
    • With Blink:
      • difficult, it's too big for QtNetwork
      • no guarantee that we'll get a "library" interface
    • libcurl:
      • they're behind us
  • SPDY / HTTP/2.0:
    • HTTP/2.0 adopted SPDY 3.0's transport format
    • we can start supporting SPDY to get on our way to HTTP/2.0
    • libcurl has started
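
The redirect rule from the "QNAM redirects" notes (allow HTTP to HTTPS, allow within-protocol) can be written as a per-hop check. This is an added example, not Qt code or anything from the session: the names `schemeOf`, `checkHop`, `checkChain` and `Verdict`, the hop limit, and the sample URLs are all assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Lower-cased scheme of an absolute URL, or "" for a relative reference
// (RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )).
std::string schemeOf(const std::string &url) {
    const auto colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string s = url.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(s[0]))) return "";
    for (char &c : s) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '+' && c != '-' && c != '.') return "";
        c = static_cast<char>(std::tolower(u));
    }
    return s;
}

enum class Verdict { Follow, RefuseDowngrade, RefuseScheme, RefuseTooMany };

// One hop: `from` is the URL just requested, `location` the Location header value.
Verdict checkHop(const std::string &from, const std::string &location) {
    const std::string src = schemeOf(from);
    std::string dst = schemeOf(location);
    if (dst.empty()) dst = src;  // a relative reference keeps the current scheme
    if (dst != "http" && dst != "https") return Verdict::RefuseScheme;
    if (src == "https" && dst == "http") return Verdict::RefuseDowngrade;
    return Verdict::Follow;      // http->http, https->https, http->https
}

// urls[0] is the original request; the rest are Location values in order.
// maxHops is an assumed limit, not something the notes specify.
Verdict checkChain(const std::vector<std::string> &urls, std::size_t maxHops = 5) {
    if (urls.empty()) return Verdict::Follow;
    std::string current = schemeOf(urls[0]);
    for (std::size_t i = 1; i < urls.size(); ++i) {
        if (i > maxHops) return Verdict::RefuseTooMany;
        const Verdict v = checkHop(current + ":", urls[i]);
        if (v != Verdict::Follow) return v;
        const std::string next = schemeOf(urls[i]);
        if (!next.empty()) current = next;  // track upgrades so a later downgrade is caught
    }
    return Verdict::Follow;
}

int main() {  // constructed chain: upgraded to https, then sent back to http
    return checkChain({"http://a.example/", "https://a.example/", "http://b.example/"})
                   == Verdict::RefuseDowngrade ? 0 : 1;
}
```

Checking each hop against the scheme reached so far, rather than comparing only the first and last URL, is what catches a chain that upgrades to HTTPS and is then redirected back to plain HTTP.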