Re: [Interest] SSL broken hard on OSX
On Wednesday, 21 September 2016 20:07:00 PDT Jason H wrote:
> 2. How do I use SecureTransport in Qt? (I googled)
>   a. Is this a .pro option?
>   b. Is this a recompile Qt thing?

Do not pass -openssl to configure. It will use SecureTransport by default.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

___
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest
Re: [Interest] SSL broken hard on OSX
> On 21.09.2016 at 20:07, Jason H wrote:
>
>>> Does anyone know how I can fix (not hide) these issues?
>>
>> Option 1) upgrade OpenSSL
>>
>> Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL.
>> SecureTransport is the default in Qt 5.6.
>
> Thanks Thiago! But are there instructions? Questions I have:
> 1. Which OpenSSL?

The latest, stable version currently available on https://www.openssl.org/ ;)

> a. How do I identify which OpenSSL Qt is using

By understanding how Qt locates dynamic libraries (using dlopen and friends).

http://doc.qt.io/qt-5/ssl.html

So it depends on the platform and "where Qt looks first".

> b. How do I upgrade it? (Brew?)

Also possible. But be aware that when you distribute your application you need to bundle the libs with your application bundle. You may need to become friends with the "install_name_tool" in that case:

http://stackoverflow.com/questions/33991581/install-name-tool-to-update-a-executable-to-search-for-dylib-in-mac-os-x

> c. Must I specify a custom version in the .pro

Qt searches "dynamically" (dlopen) for suitable libraries (I think in the Qt docs "How to deploy your Qt application" it is described in detail).

You can also define the OpenSSL library at compile time.

http://doc.qt.io/qt-5/ssl.html

> 2. How do I use SecureTransport in Qt? (I googled)
> a. Is this a .pro option?

Should be working "out of the box" when using Qt 5.6 and QSslSocket.

> b. Is this a recompile Qt thing?

Should be the default compile option since Qt 5.6 - so I strongly assume the stock Qt binary is compiled like this.

Cheers,
  Oliver
Re: [Interest] SSL broken hard on OSX
> On 21.09.2016 at 20:01, Thiago Macieira wrote:
>
>> On Wednesday, 21 September 2016 19:52:45 PDT Jason H wrote:
>> I am on OSX 10.11.5. I've been using SSL successfully for a while, and I
>> fell into a habit of ignoring qt.network.ssl warnings: qt.network.ssl:
>> ...
>>
>> But it seems now TLS is no longer working at all. I can't do any work
>> because everything happens over SSL, specifically TLSv1_2.
>>
>> Does anyone know how I can fix (not hide) these issues?
>
> Option 1) upgrade OpenSSL

Just to add to this: using OpenSSL on OS X/macOS is highly discouraged by Apple these days. The stock version is some stone-age 0.9.8zf version, and recent Xcode/platform SDKs don't even ship with OpenSSL headers:

https://forums.developer.apple.com/thread/3897

"Since the version of openssl shipping with El Capitan is 0.9.8zf, it's not much use anyway since it doesn't include TLS 1.2."

and

"Sadly, it looks like we're not supposed to use it any more. As you say, it's included in the 10.10 SDK, but is deliberately missing from the 10.11 SDK."

So you need to build your own OpenSSL library from its latest sources and bundle it with your application, taking the responsibility to update your application each time a critical error is found in OpenSSL.

> Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL.
> SecureTransport is the default in Qt 5.6.

On the other hand, if you do as Thiago suggests (and I join in here), then the OS vendor takes care of keeping a security-relevant component up to date, namely SecureTransport.

Cheers,
  Oliver
Re: [Interest] SSL broken hard on OSX
> Sent: Wednesday, September 21, 2016 at 2:07 PM
> From: "Jason H"
> To: "Thiago Macieira"
> Cc: interest@qt-project.org
> Subject: Re: [Interest] SSL broken hard on OSX
>
> > > Does anyone know how I can fix (not hide) these issues?
> >
> > Option 1) upgrade OpenSSL
> >
> > Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL.
> > SecureTransport is the default in Qt 5.6.
>
> Thanks Thiago! But are there instructions? Questions I have:
> 1. Which OpenSSL?
>   a. How do I identify which OpenSSL Qt is using
>   b. How do I upgrade it? (Brew?)
>   c. Must I specify a custom version in the .pro
> 2. How do I use SecureTransport in Qt? (I googled)
>   a. Is this a .pro option?
>   b. Is this a recompile Qt thing?

While I'm still curious about SecureTransport... Brew gave me this handy message:

$ brew link --force openssl
Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew's openssl.
Instead, pass the full include/library paths to your compiler e.g.:
  -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

LIBS += -L/usr/local/opt/openssl/lib

Works!
Re: [Interest] SSL broken hard on OSX
> > Does anyone know how I can fix (not hide) these issues?
>
> Option 1) upgrade OpenSSL
>
> Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL.
> SecureTransport is the default in Qt 5.6.

Thanks Thiago! But are there instructions? Questions I have:
1. Which OpenSSL?
  a. How do I identify which OpenSSL Qt is using
  b. How do I upgrade it? (Brew?)
  c. Must I specify a custom version in the .pro
2. How do I use SecureTransport in Qt? (I googled)
  a. Is this a .pro option?
  b. Is this a recompile Qt thing?
Re: [Interest] SSL broken hard on OSX
On Wednesday, 21 September 2016 19:52:45 PDT Jason H wrote:
> I am on OSX 10.11.5. I've been using SSL successfully for a while, and I
> fell into a habit of ignoring qt.network.ssl warnings:
> qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
> qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method
> qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method
> qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method
> qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method
> qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto
> qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
> qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
>
> But it seems now TLS is no longer working at all. I can't do any work
> because everything happens over SSL, specifically TLSv1_2.
>
> Does anyone know how I can fix (not hide) these issues?

Option 1) upgrade OpenSSL

Option 2) use the native backend (SecureTransport) for SSL, not OpenSSL.
SecureTransport is the default in Qt 5.6.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
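
Added example (not part of the thread and not Qt's own code): a Python check that turns the qt.network.ssl warnings quoted above into a hard failure instead of something to ignore. The symbol-to-feature grouping and the policy that TLS 1.2 is required are assumptions of this example; the sample input is constructed from the eight warnings in the original post.

```python
import re
import sys
from collections import defaultdict

# Grouping of the unresolved OpenSSL symbols by feature (this example's own table).
FEATURES = {
    "SSL_set_psk_client_callback": "PSK",
    "TLSv1_1_client_method": "TLS 1.1",
    "TLSv1_1_server_method": "TLS 1.1",
    "TLSv1_2_client_method": "TLS 1.2",
    "TLSv1_2_server_method": "TLS 1.2",
    "SSL_select_next_proto": "NPN",
    "SSL_CTX_set_next_proto_select_cb": "NPN",
    "SSL_get0_next_proto_negotiated": "NPN",
}
REQUIRED = {"TLS 1.2"}  # assumed policy: the application must speak TLS 1.2

# \s* lets the match survive a log line wrapped after the category prefix.
WARNING = re.compile(r"qt\.network\.ssl:\s*QSslSocket: cannot resolve (\w+)")

def missing_features(log_text):
    """Map each affected feature to the sorted symbols Qt could not resolve."""
    found = defaultdict(set)
    for symbol in WARNING.findall(log_text):
        found[FEATURES.get(symbol, "unknown")].add(symbol)
    return {feature: sorted(symbols) for feature, symbols in found.items()}

def check(log_text, required=REQUIRED):
    """Return (ok, blocking): ok is False when a required feature is missing."""
    blocking = sorted(set(required) & set(missing_features(log_text)))
    return (not blocking, blocking)

# Constructed sample: the warnings from the original post, one per line.
SAMPLE = "\n".join(
    "qt.network.ssl: QSslSocket: cannot resolve " + s for s in FEATURES
)

if __name__ == "__main__":
    # Pipe an application log on stdin, or run without input to use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    ok, blocking = check(text)
    for feature, symbols in missing_features(text).items():
        print(f"{feature}: {', '.join(symbols)}")
    sys.exit(0 if ok else f"required feature(s) unavailable: {', '.join(blocking)}")
```

Run in CI or a smoke test against the application's log output, it exits non-zero as soon as the loaded OpenSSL cannot provide a required protocol version.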
[Interest] SSL broken hard on OSX
I am on OSX 10.11.5. I've been using SSL successfully for a while, and I fell into a habit of ignoring qt.network.ssl warnings:

qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method
qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto
qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated

But it seems now TLS is no longer working at all. I can't do any work because everything happens over SSL, specifically TLSv1_2.

Does anyone know how I can fix (not hide) these issues?