WIP: MainWindow, Settings: update cert pinning to prefer SHA-256. #2870
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We used to use QCryptographicHash, but Qt 4 doesn't support Sha256. To remedy that, we've implemented this class on top of OpenSSL's EVP system. Besides being able to work on Qt 4, this class also means we can add additional hash functions in the future, which are not necessarily supported by Qt, such as BLAKE2.
This commits updates Mumble's certificate pinning to prefer SHA-256. By default, Mumble will still consider a users's stored SHA-1 pins, but after the first successful connection attempt, the pin will be updated to the preferred hash (currently SHA-256).
|
I think we should clean these codepaths up by creating a separate CertificatePinEvaluator class... I believe my current implementation works, but it's hardly beautiful. |
|
Superceeded by #3128. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commits updates Mumble's certificate pinning to prefer SHA-256.
By default, Mumble will still consider a users's stored SHA-1 pins, but
after the first successful connection attempt, the pin will be updated
to the preferred hash (currently SHA-256).
Note: This PR depends on PR #2868 and includes its commits to be able to build in CI. I will fix this once PR #2868 is landed.