Limit SSL Protocol selection

[GoogleCodeExporter]

Qt only allows setting the allowed SSL protocol to Any (SSLv3, SSLv2,
TLSv1), SSLv3, or TLSv1, but not just SSLv3 and TLSv1.  Some https
implementations use TLSv1 and some use SSLv3, so support for both is
required.  SSLv2, however, has security issues.  Omapd as of revision 58
currently accepts any protocol.

Original issue reported on code.google.com by smat...@gmail.com on 6 Apr 2010 at 4:33

[GoogleCodeExporter]

What about making the supported SSL protocol a configuration option?
At the moment we set the SSL protocol to QSsl::AnyProtocol (cmlserver.cpp line 
148)
If we did not set the protocol explicitly the class defaults to QSsl::SslV3 . 
TLSv1 support within the class is exclusive - with respect to the others.
So what about making  TLSv1 either a cmdline option or configuration file 
option ?
That would enable support for the secure protocols and remove support for SSLv2.

Original comment by darren.l...@gmail.com on 13 Jul 2010 at 6:59

[GoogleCodeExporter]

r73 has commits that make the protocol selectable from the omapd.conf file.
This is the best that I could think of without modifying how the QSslSocket 
code itself.

Original comment by darren.l...@gmail.com on 14 Jul 2010 at 12:01

[GoogleCodeExporter]

omapd can now reject SSLv2 connections, but only does so by closing the 
connection once it has been made.  This is a limitation in Qt.

Original comment by smat...@gmail.com on 25 Sep 2011 at 8:59

• Changed state: Fixed