CopperSpice API  1.7.2
QSslConfiguration Class Reference

The QSslConfiguration class holds the configuration and state of an SSL connection. More...

Public Types

enum  NextProtocolNegotiationStatus
 

Public Methods

 QSslConfiguration ()
 
 QSslConfiguration (const QSslConfiguration &other)
 
 ~QSslConfiguration ()
 
QList< QByteArrayallowedNextProtocols () const
 
QList< QSslCertificatecaCertificates () const
 
QList< QSslCipherciphers () const
 
QVector< QSslEllipticCurveellipticCurves () const
 
bool isNull () const
 
QSslCertificate localCertificate () const
 
QList< QSslCertificatelocalCertificateChain () const
 
QByteArray nextNegotiatedProtocol () const
 
NextProtocolNegotiationStatus nextProtocolNegotiationStatus () const
 
bool operator!= (const QSslConfiguration &other) const
 
QSslConfiguration & operator= (const QSslConfiguration &other)
 
QSslConfiguration & operator= (QSslConfiguration &&other)
 
bool operator== (const QSslConfiguration &other) const
 
QSslCertificate peerCertificate () const
 
QList< QSslCertificatepeerCertificateChain () const
 
int peerVerifyDepth () const
 
QSslSocket::PeerVerifyMode peerVerifyMode () const
 
QSslKey privateKey () const
 
QSsl::SslProtocol protocol () const
 
QSslCipher sessionCipher () const
 
QSsl::SslProtocol sessionProtocol () const
 
QByteArray sessionTicket () const
 
int sessionTicketLifeTimeHint () const
 
void setAllowedNextProtocols (const QList< QByteArray > &protocols)
 
void setCaCertificates (const QList< QSslCertificate > &certificates)
 
void setCiphers (const QList< QSslCipher > &ciphers)
 
void setEllipticCurves (const QVector< QSslEllipticCurve > &curves)
 
void setLocalCertificate (const QSslCertificate &certificate)
 
void setLocalCertificateChain (const QList< QSslCertificate > &localChain)
 
void setPeerVerifyDepth (int depth)
 
void setPeerVerifyMode (QSslSocket::PeerVerifyMode mode)
 
void setPrivateKey (const QSslKey &key)
 
void setProtocol (QSsl::SslProtocol protocol)
 
void setSessionTicket (const QByteArray &sessionTicket)
 
void setSslOption (QSsl::SslOption option, bool on)
 
void swap (QSslConfiguration &other)
 
bool testSslOption (QSsl::SslOption option) const
 

Static Public Methods

static QSslConfiguration defaultConfiguration ()
 
static void setDefaultConfiguration (const QSslConfiguration &configuration)
 
static QList< QSslCiphersupportedCiphers ()
 
static QVector< QSslEllipticCurvesupportedEllipticCurves ()
 
static QList< QSslCertificatesystemCaCertificates ()
 

Static Public Members

static const char NextProtocolHttp1_1 []
 
static const char NextProtocolSpdy3_0 []
 

Friends

class QSslSocket
 

Detailed Description

The QSslConfiguration class holds the configuration and state of an SSL connection

QSslConfiguration is used by networking classes to relay information about an open SSL connection and to allow the application to control certain features of that connection.

The settings QSslConfiguration currently supports are:

  • The SSL/TLS protocol to be used
  • The certificate to be presented to the peer during connection and its associated private key
  • The ciphers allowed to be used for encrypting the connection
  • The list of Certificate Authorities certificates that are used to validate the peer's certificate

These settings are applied only during the connection handshake. Setting them after the connection has been established has no effect.

The state that QSslConfiguration supports are:

  • The certificate the peer presented during handshake, along with the chain leading to a CA certificate
  • The cipher used to encrypt this session

The state can only be obtained once the SSL connection starts, but not necessarily before it's done. Some settings may change during the course of the SSL connection without need to restart it (for instance, the cipher can be changed over time).

State in QSslConfiguration objects can not be changed.

QSslConfiguration can be used with QSslSocket and the Network Access API.

Note that changing settings in QSslConfiguration is not enough to change the settings in the related SSL connection. You must call setSslConfiguration on a modified QSslConfiguration object to achieve that. The following example illustrates how to change the protocol to TLSv1 in a QSslSocket object:

QSslConfiguration config = sslSocket.sslConfiguration();
config.setProtocol(QSsl::TlsV1);
sslSocket.setSslConfiguration(config);

QSslSocket, QNetworkAccessManager, QSslSocket::sslConfiguration(), QSslSocket::setSslConfiguration()

See also
QSsl::SslProtocol, QSslCertificate, QSslCipher, QSslKey

Member Enumeration Documentation

Describes the status of the Next Protocol Negotiation (NPN).

ConstantValueDescription
QSslConfiguration::NextProtocolNegotiationNone0 No application protocol has been negotiated yet.
QSslConfiguration::NextProtocolNegotiationNegotiated1 A next protocol has been negotiated, refer to nextNegotiatedProtocol().
QSslConfiguration::NextProtocolNegotiationUnsupportede2 The client and server could not agree on a common next application protocol.

Constructor & Destructor Documentation

QSslConfiguration::QSslConfiguration ( )

Constructs an empty SSL configuration. This configuration contains no valid settings and the state will be empty. isNull() will return true after this constructor is called.

Once any setter methods are called isNull() will return false.

QSslConfiguration::QSslConfiguration ( const QSslConfiguration &  other)

Copies the configuration and state of other. If other is null, this object will be null too.

QSslConfiguration::~QSslConfiguration ( )

Releases any resources held by QSslConfiguration.

Method Documentation

QList< QByteArray > QSslConfiguration::allowedNextProtocols ( ) const

This function returns the allowed protocols to be negotiated with the server through the Next Protocol Negotiation (NPN) TLS extension, as set by setAllowedNextProtocols().

See also
nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1
QList< QSslCertificate > QSslConfiguration::caCertificates ( ) const

Returns this connection's CA certificate database. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate. It can be modified prior to the handshake with setCaCertificates() or with QSslSocket::addCaCertificate() or QSslSocket::addCaCertificates().

This method can be used on the default QSslConfiguration to get the default caCertificates.

See also
setCaCertificates()
QList< QSslCipher > QSslConfiguration::ciphers ( ) const

Returns this connection's current cryptographic cipher suite. This list is used during the handshake phase for choosing a session cipher. The returned list of ciphers is ordered by descending preference. (i.e., the first cipher in the list is the most preferred cipher). The session cipher will be the first one in the list that is also supported by the peer.

By default the handshake phase can choose any of the ciphers supported by this system's SSL libraries, which may vary from system to system. The list of ciphers supported by this system's SSL libraries is returned by supportedCiphers(). You can restrict the list of ciphers used for choosing the session cipher for this socket by calling setCiphers() with a subset of the supported ciphers. You can revert to using the entire set by calling setCiphers() with the list returned by supportedCiphers().

This method can be used on the default QSslConfiguration to get the default ciphers.

See also
setCiphers(), supportedCiphers()
QSslConfiguration QSslConfiguration::defaultConfiguration ( )
static

Returns the default SSL configuration to be used in new SSL connections.

The default SSL configuration consists of:

  • no local certificate and no private key
  • protocol SecureProtocols (meaning either TLS 1.0 or SSL 3 will be used)
  • the system's default CA certificate list
  • the cipher list equal to the list of the SSL libraries' supported SSL ciphers
See also
supportedCiphers(), setDefaultConfiguration()
QVector< QSslEllipticCurve > QSslConfiguration::ellipticCurves ( ) const

Returns this connection's current list of elliptic curves. This list is used during the handshake phase for choosing an elliptic curve (when using an elliptic curve cipher). The returned list of curves is ordered by descending preference (i.e., the first curve in the list is the most preferred one).

By default, the handshake phase can choose any of the curves supported by this system's SSL libraries, which may vary from system to system. The list of curves supported by this system's SSL libraries is returned by QSslSocket::supportedEllipticCurves().

You can restrict the list of curves used for choosing the session cipher for this socket by calling setEllipticCurves() with a subset of the supported ciphers. You can revert to using the entire set by calling setEllipticCurves() with the list returned by QSslSocket::supportedEllipticCurves().

See also
setEllipticCurves
bool QSslConfiguration::isNull ( ) const

Returns true if this is a null QSslConfiguration object.

A QSslConfiguration object is null if it has been default-constructed and no setter methods have been called.

See also
setProtocol(), setLocalCertificate(), setPrivateKey(), setCiphers(), setCaCertificates()
QSslCertificate QSslConfiguration::localCertificate ( ) const

Returns the certificate to be presented to the peer during the SSL handshake process.

See also
setLocalCertificate()
QList< QSslCertificate > QSslConfiguration::localCertificateChain ( ) const

Returns the certificate chain to be presented to the peer during the SSL handshake process.

See also
localCertificate()
QByteArray QSslConfiguration::nextNegotiatedProtocol ( ) const

This function returns the protocol negotiated with the server if the Next Protocol Negotiation (NPN) TLS extension was enabled. In order for the NPN extension to be enabled, setAllowedNextProtocols() needs to be called explicitly before connecting to the server.

If no protocol could be negotiated or the extension was not enabled, this function returns a QByteArray which is null.

See also
setAllowedNextProtocols(), nextProtocolNegotiationStatus()
QSslConfiguration::NextProtocolNegotiationStatus QSslConfiguration::nextProtocolNegotiationStatus ( ) const

This function returns the status of the Next Protocol Negotiation (NPN). If the feature has not been enabled through setAllowedNextProtocols(), this function returns NextProtocolNegotiationNone. The status will be set before emitting the encrypted() signal.

See also
setAllowedNextProtocols(), allowedNextProtocols(), nextNegotiatedProtocol(), QSslConfiguration::NextProtocolNegotiationStatus
bool QSslConfiguration::operator!= ( const QSslConfiguration &  other) const
inline

Returns true if this QSslConfiguration differs from other. Two QSslConfiguration objects are considered different if any state or setting is different.

See also
operator==()
QSslConfiguration & QSslConfiguration::operator= ( const QSslConfiguration &  other)

Copy assigns from other and returns a reference to this object.

QSslConfiguration & QSslConfiguration::operator= ( QSslConfiguration &&  other)
inline

Move assigns from other and returns a reference to this object.

bool QSslConfiguration::operator== ( const QSslConfiguration &  other) const

Returns true if this QSslConfiguration object is equal to other.

Two QSslConfiguration objects are considered equal if they have the exact same settings and state.

See also
operator!=()
QSslCertificate QSslConfiguration::peerCertificate ( ) const

Returns the peer's digital certificate (i.e., the immediate certificate of the host you are connected to), or a null certificate, if the peer has not assigned a certificate.

The peer certificate is checked automatically during the handshake phase, so this function is normally used to fetch the certificate for display or for connection diagnostic purposes. It contains information about the peer, including its host name, the certificate issuer, and the peer's public key.

Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors() signal, or the QSslSocket::encrypted() signal.

If a null certificate is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to does not have a certificate, or it can mean there is no connection.

If you want to check the peer's complete chain of certificates, use peerCertificateChain() to get them all at once.

See also
peerCertificateChain(), QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(), QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
QList< QSslCertificate > QSslConfiguration::peerCertificateChain ( ) const

Returns the peer's chain of digital certificates, starting with the peer's immediate certificate and ending with the CA's certificate.

Peer certificates are checked automatically during the handshake phase. This function is normally used to fetch certificates for display, or for performing connection diagnostics. Certificates contain information about the peer and the certificate issuers, including host name, issuer names, and issuer public keys.

Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the QSslSocket::sslErrors() signal, QNetworkReply::sslErrors() signal, or the QSslSocket::encrypted() signal.

If an empty list is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to does not have a certificate, or it can mean there is no connection.

If you want to get only the peer's immediate certificate, use peerCertificate().

See also
peerCertificate(), QSslSocket::sslErrors(), QSslSocket::ignoreSslErrors(), QNetworkReply::sslErrors(), QNetworkReply::ignoreSslErrors()
int QSslConfiguration::peerVerifyDepth ( ) const

Returns the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, or 0 (the default) if no maximum depth has been set, indicating that the whole certificate chain should be checked.

The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.

See also
setPeerVerifyDepth(), peerVerifyMode()
QSslSocket::PeerVerifyMode QSslConfiguration::peerVerifyMode ( ) const

Returns the verify mode. This mode decides whether QSslSocket should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.

The default mode is AutoVerifyPeer, which tells QSslSocket to use VerifyPeer for clients, QueryPeer for servers.

See also
setPeerVerifyMode()
QSslKey QSslConfiguration::privateKey ( ) const

Returns the SSL key assigned to this connection or a null key if none has been assigned yet.

See also
setPrivateKey(), localCertificate()
QSsl::SslProtocol QSslConfiguration::protocol ( ) const

Returns the protocol setting for this SSL configuration.

See also
setProtocol()
QSslCipher QSslConfiguration::sessionCipher ( ) const

Returns the socket's cryptographic cipher, or a null cipher if the connection is not encrypted. The socket's cipher for the session is set during the handshake phase. The cipher is used to encrypt and decrypt data transmitted through the socket.

The SSL infrastructure also provides functions for setting the ordered list of ciphers from which the handshake phase will eventually select the session cipher. This ordered list must be in place before the handshake phase begins.

See also
ciphers(), setCiphers(), supportedCiphers()
QSsl::SslProtocol QSslConfiguration::sessionProtocol ( ) const

Returns the socket's SSL/TLS protocol or UnknownProtocol if the connection is not encrypted. The socket's protocol for the session is set during the handshake phase.

See also
protocol(), setProtocol()
QByteArray QSslConfiguration::sessionTicket ( ) const

If QSsl::SslOption::SslOptionDisableSessionPersistence was turned off this method returns the session ticket used in the SSL handshake in ASN.1 format, suitable to e.g. be persisted to disk. If no session ticket was used or QSsl::SslOption::SslOptionDisableSessionPersistence was not turned off this method returns an empty QByteArray.

Note
When persisting the session ticket to disk or similar, be careful not to expose the session to a potential attacker, as knowledge of the session allows for eavesdropping on data encrypted with the session parameters.
See also
setSessionTicket(), QSsl::SslOption, setSslOption()
int QSslConfiguration::sessionTicketLifeTimeHint ( ) const

If QSsl::SslOption::SslOptionDisableSessionPersistence was turned off, this function returns the session ticket life time hint sent by the server (which might be 0). If the server did not send a session ticket (e.g. when resuming a session or when the server does not support it) or QSsl::SslOption::SslOptionDisableSessionPersistence was not turned off, this function returns -1.

See also
sessionTicket(), QSsl::SslOption, setSslOption()
void QSslConfiguration::setAllowedNextProtocols ( const QList< QByteArray > &  protocols)

This function sets the allowed protocols to be negotiated with the server through the Next Protocol Negotiation (NPN) TLS extension, each element in protocols must define one allowed protocol. The function must be called explicitly before connecting to send the NPN extension in the SSL handshake. Whether or not the negotiation succeeded can be queried through nextProtocolNegotiationStatus().

See also
nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1
void QSslConfiguration::setCaCertificates ( const QList< QSslCertificate > &  certificates)

Sets this socket's CA certificate database to be certificates. The certificate database must be set prior to the SSL handshake. The CA certificate database is used by the socket during the handshake phase to validate the peer's certificate.

This method can be used on the default QSslConfiguration to set the default caCertificates.

See also
caCertificates()
void QSslConfiguration::setCiphers ( const QList< QSslCipher > &  ciphers)

Sets the cryptographic cipher suite for this socket to ciphers, which must contain a subset of the ciphers in the list returned by supportedCiphers().

Restricting the cipher suite must be done before the handshake phase, where the session cipher is chosen.

This method can be used on the default QSslConfiguration to set the default ciphers.

See also
ciphers(), supportedCiphers()
void QSslConfiguration::setDefaultConfiguration ( const QSslConfiguration &  configuration)
static

Sets the default SSL configuration to be used in new SSL connections to be configuration. Existing connections are not affected by this call.

See also
supportedCiphers(), defaultConfiguration()
void QSslConfiguration::setEllipticCurves ( const QVector< QSslEllipticCurve > &  curves)

Sets the list of elliptic curves to be used by this socket to curves, which must contain a subset of the curves in the list returned by supportedEllipticCurves().

Restricting the elliptic curves must be done before the handshake phase, where the session cipher is chosen.

See also
ellipticCurves
void QSslConfiguration::setLocalCertificate ( const QSslCertificate certificate)

Sets the certificate to be presented to the peer during SSL handshake to be certificate.

Setting the certificate once the connection has been established has no effect.

A certificate is the means of identification used in the SSL process. The local certificate is used by the remote end to verify the local user's identity against its list of Certification Authorities. In most cases, such as in HTTP web browsing, only servers identify to the clients, so the client does not send a certificate.

See also
localCertificate()
void QSslConfiguration::setLocalCertificateChain ( const QList< QSslCertificate > &  localChain)

Sets the certificate chain to be presented to the peer during the SSL handshake to be localChain.

Setting the certificate chain once the connection has been established has no effect.

A certificate is the means of identification used in the SSL process. The local certificate is used by the remote end to verify the local user's identity against its list of Certification Authorities. In most cases, such as in HTTP web browsing, only servers identify to the clients, so the client does not send a certificate.

Unlike QSslConfiguration::setLocalCertificate() this method allows you to specify any intermediate certificates required in order to validate your certificate. The first item in the list must be the leaf certificate.

See also
localCertificateChain()
void QSslConfiguration::setPeerVerifyDepth ( int  depth)

Sets the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, to depth. Setting a depth of 0 means that no maximum depth is set, indicating that the whole certificate chain should be checked.

The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.

See also
peerVerifyDepth(), setPeerVerifyMode()
void QSslConfiguration::setPeerVerifyMode ( QSslSocket::PeerVerifyMode  mode)

Sets the verify mode to mode. This mode decides whether QSslSocket should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.

The default mode is AutoVerifyPeer, which tells QSslSocket to use VerifyPeer for clients, QueryPeer for servers.

See also
peerVerifyMode()
void QSslConfiguration::setPrivateKey ( const QSslKey key)

Sets the connection's private key to key. The private key and the local certificate are used by clients and servers that must prove their identity to SSL peers.

Both the key and the local certificate are required if you are creating an SSL server socket. If you are creating an SSL client socket, the key and local certificate are required if your client must identify itself to an SSL server.

See also
privateKey(), setLocalCertificate()
void QSslConfiguration::setProtocol ( QSsl::SslProtocol  protocol)

Sets the protocol setting for this configuration to be protocol.

Setting the protocol once the connection has already been established has no effect.

See also
protocol()
void QSslConfiguration::setSessionTicket ( const QByteArray sessionTicket)

Sets the session ticket to be used in an SSL handshake. QSsl::SslOption::SslOptionDisableSessionPersistence must be turned off for this to work, and sessionTicket must be in ASN.1 format as returned by sessionTicket().

See also
sessionTicket(), QSsl::SslOption, setSslOption()
void QSslConfiguration::setSslOption ( QSsl::SslOption  option,
bool  on 
)

Enables or disables an SSL compatibility option. The value for on determines whether the option is enabled or disabled.

See also
testSslOption()
QList< QSslCipher > QSslConfiguration::supportedCiphers ( )
static

Returns the list of cryptographic ciphers supported by this system. This list is set by the system's SSL libraries and may vary from system to system.

See also
ciphers(), setCiphers()
QVector< QSslEllipticCurve > QSslConfiguration::supportedEllipticCurves ( )
static

Returns the list of elliptic curves supported by this system. This list is set by the system's SSL libraries and may vary from system to system.

See also
ellipticCurves(), setEllipticCurves()
void QSslConfiguration::swap ( QSslConfiguration &  other)
inline

Swaps this SSL configuration instance with other. This method is very fast and never fails.

QList< QSslCertificate > QSslConfiguration::systemCaCertificates ( )
static

This function provides the CA certificate database provided by the operating system. The CA certificate database returned by this function is used to initialize the database returned by caCertificates() on the default QSslConfiguration.

See also
caCertificates(), setCaCertificates(), defaultConfiguration()
bool QSslConfiguration::testSslOption ( QSsl::SslOption  option) const

Returns true if the specified SSL compatibility option is enabled.

Member Data Documentation

QSslConfiguration::NextProtocolHttp1_1
static

The value used for negotiating HTTP 1.1 during the Next Protocol Negotiation.

QSslConfiguration::NextProtocolSpdy3_0
static

The value used for negotiating SPDY 3.0 during the Next Protocol Negotiation.