Improving Qt's SSL Support

From Qt Wiki
Revision as of 09:57, 24 February 2015 by Maintenance script (talk | contribs)

Qt has pretty good support for SSL that is sufficient for a lot of common uses, but the SSL support is missing a number of features that exist in applications such as Firefox, Internet Explorer or Opera. In addition, whilst Qt uses OpenSSL for the underlying implementation of SSL, it only provides an API for using a small subset of the available facilities.

I've been doing some work to enhance the SSL support in Qt, and have been asked to put together this page which is a cross between a TODO list, a set of links to existing solutions, and a pie-in-the-sky wishlist.

Areas for Improvement

There are a number of missing facilities in Qt's SSL support right now; here's a rough list cross-referenced with the QTBUG tracking number:

It should be noted that most of these issues only affect a tiny minority of possible uses. That said, wouldn't it be nice if we had support for them in Qt with a nice API?

Areas for performance improvement

Work Underway

This would be a depressing page if it wasn't for the fact that these issues are being addressed. So, let's look at the areas where progress is already being made:

(OCSP) Online Certificate Status Protocol Support

I've implemented the basic facilities required for OCSP support in Qt, specifically accessors for the AIA field of the certificate, and classes to generate and validate OCSP requests/responses. Still remaining is the integration of this code into the QNetworkAccessManager and QSslSocket classes, and a cache of the results. As of Nov 2011 after a hiatus while I worked on some other areas, I have got this building against Qt 5.

The code is currently in my personal clone at https://qt.gitorious.org/~rich/qt/richs-qtbase/commits/ocsp-support
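The result cache mentioned above as remaining work is easy to get subtly wrong, so here is an added Python model of one (example code written for this page, not code from the ocsp-support clone or from Qt). It assumes the OCSP response has already been validated (signature, responder certificate) before its status and thisUpdate/nextUpdate fields are handed to the cache; the class and function names, the issuer string and the serial numbers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Certificate status values an OCSP responder can return (RFC 6960).
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class OcspResult:
    """A validated OCSP single response, reduced to what a cache needs.

    Signature and responder-certificate checks are assumed to have happened
    before an OcspResult is constructed; the cache never stores raw responses.
    """
    status: str
    this_update: datetime             # time at which the status was known to be correct
    next_update: Optional[datetime]   # None: the responder gave no validity bound


class OcspCache:
    """Cache of validated OCSP results keyed by (issuer, serial).

    Policy (choices made for this example, not Qt policy):
    - a result is served only while this_update <= now < next_update;
    - a missing next_update falls back to a short default lifetime;
    - every lifetime is capped, so a responder cannot keep a stale answer alive for years;
    - 'unknown' is never cached, so it is re-queried on the next connection.
    """

    def __init__(self, default_ttl: timedelta = timedelta(minutes=10),
                 max_ttl: timedelta = timedelta(days=7)) -> None:
        self._entries: Dict[Tuple[str, int], OcspResult] = {}
        self._default_ttl = default_ttl
        self._max_ttl = max_ttl

    def store(self, issuer: str, serial: int, result: OcspResult) -> bool:
        """Record a validated result; returns False when policy forbids caching it."""
        if result.status == UNKNOWN:
            return False
        self._entries[(issuer, serial)] = result
        return True

    def _expiry(self, result: OcspResult) -> datetime:
        cap = result.this_update + self._max_ttl
        if result.next_update is None:
            return min(result.this_update + self._default_ttl, cap)
        return min(result.next_update, cap)

    def lookup(self, issuer: str, serial: int, now: datetime) -> Optional[str]:
        """Return the cached status, or None when nothing usable is cached."""
        key = (issuer, serial)
        result = self._entries.get(key)
        if result is None:
            return None
        # A result dated in the future points at clock skew; do not trust it.
        if now < result.this_update or now >= self._expiry(result):
            del self._entries[key]
            return None
        return result.status


def demo_cache() -> Tuple[Optional[str], Optional[str], bool, Optional[str], Optional[str]]:
    """Walk the cache through a constructed scenario and return what each step observed."""
    t0 = datetime(2011, 11, 1, 12, 0, tzinfo=timezone.utc)
    issuer = "CN=Example Issuing CA (constructed)"
    cache = OcspCache()

    # The responder vouched for serial 0x1234 as good for one hour.
    cache.store(issuer, 0x1234, OcspResult(GOOD, t0, t0 + timedelta(hours=1)))
    within_window = cache.lookup(issuer, 0x1234, t0 + timedelta(minutes=30))   # "good"
    after_window = cache.lookup(issuer, 0x1234, t0 + timedelta(hours=2))       # None

    # 'unknown' must not be cached: the next connection should ask again.
    unknown_cached = cache.store(issuer, 0x1234, OcspResult(UNKNOWN, t0, None))  # False

    # A revocation with no nextUpdate lives only for the default lifetime.
    cache.store(issuer, 0x5678, OcspResult(REVOKED, t0, None))
    revoked_fresh = cache.lookup(issuer, 0x5678, t0 + timedelta(minutes=5))     # "revoked"
    revoked_stale = cache.lookup(issuer, 0x5678, t0 + timedelta(minutes=15))    # None

    return within_window, after_window, unknown_cached, revoked_fresh, revoked_stale


if __name__ == "__main__":
    print(demo_cache())
```

The two policy points worth carrying over to any real implementation are the cap on lifetime (the responder's nextUpdate is a hint, not something the client must honour unconditionally) and the refusal to cache 'unknown', which otherwise turns one transient responder problem into a long-lived blind spot.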

Notification when the Certificate for a Site Changes

I wrote a proof of concept for this that showed up some API limitations that prevent a production quality implementation. This looks like something that can be addressed in a future release without major issues. I've written up the details of the implementation and its limitations at http://www.kdedevelopers.org/node/4434
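To make the notifier idea concrete, here is an added Python sketch of the store and comparison such a feature needs (example code for this page, not the proof of concept linked above or anything from Qt). It assumes the caller hands it the leaf certificate's DER bytes for each completed handshake (in Qt that would come from QSslCertificate::toDer()); the class and function names, the status strings and the two CERT_V1/CERT_V2 byte strings are constructed for the example.

```python
import hashlib
import json
from typing import Dict, Tuple

# Constructed stand-ins for DER-encoded leaf certificates; a real caller would pass
# the actual DER bytes of the certificate presented during the handshake.
CERT_V1 = b"constructed DER for example.org, certificate #1"
CERT_V2 = b"constructed DER for example.org, certificate #2"

NEW, UNCHANGED, CHANGED = "new", "unchanged", "changed"


class CertificateChangeNotifier:
    """Trust-on-first-use record of the leaf certificate last seen per host.

    check() classifies a handshake as NEW (no record yet), UNCHANGED or CHANGED.
    A CHANGED result deliberately does not overwrite the record: the application
    decides whether to tell the user and, once they accept, calls accept().
    """

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}

    @staticmethod
    def fingerprint(der: bytes) -> str:
        # SHA-256 over the DER bytes, the same value browsers display as the fingerprint.
        return hashlib.sha256(der).hexdigest()

    def check(self, host: str, der: bytes) -> str:
        key = host.lower()          # host names are case-insensitive
        fp = self.fingerprint(der)
        previous = self._seen.get(key)
        if previous is None:
            self._seen[key] = fp
            return NEW
        return UNCHANGED if previous == fp else CHANGED

    def accept(self, host: str, der: bytes) -> None:
        """Replace the stored fingerprint after the user has accepted the new certificate."""
        self._seen[host.lower()] = self.fingerprint(der)

    def dumps(self) -> str:
        """Serialize the store so it survives application restarts."""
        return json.dumps(self._seen, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "CertificateChangeNotifier":
        data = json.loads(text)
        if not isinstance(data, dict) or not all(
                isinstance(k, str) and isinstance(v, str) for k, v in data.items()):
            raise ValueError("corrupt notifier store")
        notifier = cls()
        notifier._seen = data
        return notifier


def demo_notifier() -> Tuple[str, str, str, str, str]:
    """Run a constructed sequence of handshakes and return the classification of each."""
    n = CertificateChangeNotifier()
    first = n.check("example.org", CERT_V1)            # "new"
    again = n.check("EXAMPLE.org", CERT_V1)            # "unchanged"
    rotated = n.check("example.org", CERT_V2)          # "changed"
    still = n.check("example.org", CERT_V2)            # still "changed": record not overwritten
    n.accept("example.org", CERT_V2)
    restored = CertificateChangeNotifier.loads(n.dumps())
    after_accept = restored.check("example.org", CERT_V2)   # "unchanged"
    return first, again, rotated, still, after_accept


if __name__ == "__main__":
    print(demo_notifier())
```

Because a routine certificate renewal also changes the fingerprint, the CHANGED result is information for the user rather than an error; an implementation that wants fewer alerts can key the record on the certificate's public key instead of the whole certificate, at the cost of parsing the DER.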

Support for TLS extensions and supplemental data

Work is being tracked in the issue tracker and a Wiki is being used to work through implementation and API design issues: Improving_TLS_handshake_support

Solved Issues

This section is for areas that have been put to bed:

OpenSSL on OS X

OS X has the oldest versions of OpenSSL in use on any platform, so it's setting the lower limit on what we can rely on:

OS X version   OpenSSL version   OpenSSL build date
10.9.2         0.9.8y            5 Feb 2013
10.8.4         0.9.8x            10 May 2012
10.8.3         0.9.8r            8 Feb 2011
10.8.2         0.9.8r            8 Feb 2011
10.7.4         0.9.8r            8 Feb 2011
10.6.8 v1.1    0.9.8x            10 May 2012
10.6.0         0.9.8k            25 Mar 2009
10.5.8         0.9.7l            28 Sep 2006

To Do Lists

Rich Moore:

  • Certificate change notifier
  • EV certificates
  • OCSP

Peter: