Hi Scott,

On 15 February 2013 18:29, Scott Deboy <[email protected]> wrote:
> I'm working on adding support in QT5 for a new OpenSSL API supporting TLS
> Authorization Extensions (http://tools.ietf.org/html/rfc5878) and would
> appreciate guidance on how to best expose this API, as it will only be
> available in the very latest versions of OpenSSL.

The first question is if this is something that you want just for a single project, in which case it might be best to use -openssl-linked and simply expose a few hooks using a custom patch to Qt, or if it's something that you'd like to make available more generally. The requirement for a new openssl isn't a particular problem, but you should remember that in Qt we have to support a wide range at both compile time and run-time, so putting the correct checks in place to only use the functionality when it is available can be tricky. Also worth remembering is that macos ships with an ancient openssl and is therefore an ongoing pain in the neck.

> I would also appreciate guidance on the correct way to implement this
> in QT5:
>
> The new OpenSSL API is callback-driven and modifies the handshake process by
> adding hello extensions and supplemental data. One additional complexity is
> that each side needs to be able to read the other side's hello extensions
> and (in the client case) supplemental data prior to generating its own hello
> extension and supplemental data (all part of the handshake).

At the moment, we don't support TLS extensions in the handshake at all really, though we do have support for SNI (which is in the client hello). I'd love to have support for this more generally though.

I suspect an approach similar to the one I used for certificate extensions would be a good approach that would mean we got the ability for apps to use the authorization extensions without us actually coding for that in Qt. You can see what I did for extensions here: https://codereview.qt-project.org/#change,7976

One thing that might make life a little harder for you (though it might not matter) is that last time I checked openssl didn't use the main ASN.1 parser for TLS extensions.

Another thing to consider is if you only need this support at the QSslSocket layer, or if it should also be exposed in QNetworkAccessManager.

> I have reviewed the mailing list archives and read
> http://qt-project.org/wiki/Hacking-on-Qts-SSL-Support which is helpful, but
> was hoping for more guidance.

If there's anything specific you think is missing from that page let me know and I'll add it.

Cheers

Rich.
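
The thread notes that TLS hello extensions are not handled by OpenSSL's main ASN.1 parser; on the wire they are plain type/length/body records. The following is an added illustration, not code from Qt, OpenSSL or either poster: a bounds-checked walk over a hello extensions block that records whether SNI or the RFC 5878 authorization extensions are present. The function and constant names are hypothetical, the type codes are the IANA values for server_name, client_authz and server_authz, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extension types: server_name (SNI) and RFC 5878 client_authz / server_authz. */
enum { EXT_SERVER_NAME = 0, EXT_CLIENT_AUTHZ = 7, EXT_SERVER_AUTHZ = 8 };
enum { SEEN_SNI = 1, SEEN_CLIENT_AUTHZ = 2, SEEN_SERVER_AUTHZ = 4 };

/* Walk a hello extensions block: 2-byte total length, then entries of
 * (2-byte type, 2-byte length, body), all big-endian. Returns 0 and sets
 * *seen on success, -1 on any truncated or inconsistent length. */
int scan_hello_extensions(const uint8_t *buf, size_t len, unsigned *seen)
{
    size_t off = 2;

    *seen = 0;
    if (len < 2 || ((((size_t)buf[0] << 8) | buf[1]) != len - 2))
        return -1;                  /* declared length must match the buffer */

    while (off < len) {
        unsigned type;
        size_t body;

        if (len - off < 4)          /* no room for a type + length header */
            return -1;
        type = ((unsigned)buf[off] << 8) | buf[off + 1];
        body = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (body > len - off)       /* body would run past the block */
            return -1;

        if (type == EXT_SERVER_NAME)  *seen |= SEEN_SNI;
        if (type == EXT_CLIENT_AUTHZ) *seen |= SEEN_CLIENT_AUTHZ;
        if (type == EXT_SERVER_AUTHZ) *seen |= SEEN_SERVER_AUTHZ;
        off += body;                /* body format is per-extension; skipped here */
    }
    return 0;
}

/* Constructed sample: server_name then client_authz, with placeholder bodies
 * that are not valid per-extension encodings. */
static const uint8_t sample_block[] = {
    0x00, 0x0B,
    0x00, 0x00, 0x00, 0x01, 0xAA,
    0x00, 0x07, 0x00, 0x02, 0x01, 0x00
};

int main(void)
{
    unsigned seen;
    int rc = scan_hello_extensions(sample_block, sizeof sample_block, &seen);
    printf("rc=%d seen=0x%x\n", rc, seen);
    return rc ? 1 : 0;
}
```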
