
Https/ssl support in Qt 5.4

    Tarostar
    wrote on 24 Feb 2015, 16:27 last edited by
    #1

    I have written a cross platform app using QML in 5.4 that connects only to servers using secure links, i.e. HTTPS.

    It works on all platforms, hurray! However, I can't quite figure out why it works, as afaik OpenSSL is not part of Qt (or was this snuck into 5.4?) and therefore I'm not confident whether the HTTPS connection is secure. Can someone shed some light on this for me, i.e. explain why it works and if the connection is secure or not?

    In my quest to figure this out I have been trying to link in the OpenSSL libraries and add CONFIG += openssl (and also openssl-linked), but despite putting the library files in both the source and target executable folder I get the same set of warnings (see below). From my research it looks like these warnings are nothing to worry about, but I've yet to see any official explanation and I thought I'd add it here in case it is relevant to my question in the paragraph above.

    QSslSocket: cannot resolve TLSv1_1_client_method
    QSslSocket: cannot resolve TLSv1_2_client_method
    QSslSocket: cannot resolve TLSv1_1_server_method
    QSslSocket: cannot resolve TLSv1_2_server_method
    QSslSocket: cannot resolve SSL_select_next_proto
    QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
    QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
    QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated

    Cheers.

      SGaist
      Lifetime Qt Champion
      wrote on 24 Feb 2015, 16:47 last edited by
      #2

      Hi,

      Qt is built to load OpenSSL dynamically but doesn't ship it; however, if you're on a *nix environment you almost certainly have it installed by default.

      IIRC the warnings come from the fact that the loaded OpenSSL doesn't match the one used to build Qt.

      CONFIG += openssl or openssl-link won't change anything. These are Qt build-time switches. You can't set them for your project.

      Hope it helps

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

        Tarostar
        wrote on 24 Feb 2015, 18:02 last edited by
        #3

        Thank you, that is what I thought. However, HTTPS URLs, e.g. https:\reallysecuresite.com, still work when doing XMLHttpRequest on Android, iOS, Windows and Linux, and surely at least iOS and Android won't have OpenSSL installed by default - or am I wrong about that?

        I just want to have a decent understanding of why it works.

          SGaist
          Lifetime Qt Champion
          wrote on 24 Feb 2015, 22:33 last edited by
          #4

          iOS sure no, you have to do it yourself. However, there's work in progress to support the native cryptographic framework from Apple.

          As for Android, AFAIK they use the javax.crypto library.

          Where do you make these calls?

            Tarostar
            wrote on 25 Feb 2015, 17:56 last edited by
            #5

            Here is a simplified (no timer for timeout, etc.) version of the JavaScript call to get the JSON data. The source depends on the server instance, but is always an "https" URL.

            function poll(source, onReady) {
                // Request the JSON document from the server instance's HTTPS URL
                var request = new XMLHttpRequest();
                request.open("GET", source);
                request.setRequestHeader("Content-type", "application/json");
                request.setRequestHeader('Accept-Language', 'en');
                // Hand the request object to the caller's handler on every state change
                request.onreadystatechange = function () { onReady(request); };
                request.send();
            }

            This function is called from QML and the onReady function passed in simply parses the JSON and populates the QML models.

            I admit I don't know enough about the https protocol, so maybe it is possible to get data over https without ssl, but I don't know how or whether this is secure.

            Update: XMLHttpRequest (http://doc.qt.io/qt-5/qtqml-javascript-qmlglobalobject.html#xmlhttprequest) uses SSL for HTTPS afaik, but what I haven't been able to figure out is how Qt's implementation of XMLHttpRequest does this cross-platform. For example, will it use the javax.crypto library on Android, does it always use OpenSSL (which I've not included but it still works), or is it done in some other manner (and importantly, is it secure)?

            1 Reply Last reply
            0
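
A stricter variant of the poll() function from the post above, as an added example that is not part of the original thread: it refuses any source that is not https:// before sending and reports failed requests instead of handing them to the JSON parser. The names pollSecure, makeRequest, fakeRequest and demo are hypothetical, and the status-0 result for a request that fails before any HTTP response (for example a failed TLS handshake) is an assumption taken from standard XMLHttpRequest semantics.

```javascript
// Added example, ES5 only so it also parses in QML's JavaScript engine.
// makeRequest is a hypothetical injection point; omit it in QML to use XMLHttpRequest.
function pollSecure(source, onReady, onError, makeRequest) {
    // Refuse anything that is not https:// before a single byte is sent.
    if (!/^https:\/\//i.test(String(source))) {
        onError("insecure-scheme");
        return false;
    }
    var request = makeRequest ? makeRequest() : new XMLHttpRequest();
    request.open("GET", source);
    request.setRequestHeader("Accept", "application/json");
    request.onreadystatechange = function () {
        if (request.readyState !== 4) { return; }   // 4 = DONE
        // Assumption: a request that never received an HTTP response
        // (network or TLS handshake failure) finishes with status 0.
        if (request.status !== 200) {
            onError("http-" + request.status);
            return;
        }
        try {
            onReady(JSON.parse(request.responseText));
        } catch (e) {
            onError("bad-json");
        }
    };
    request.send();
    return true;
}

// Constructed stand-in for XMLHttpRequest so the example runs offline.
function fakeRequest(status, body) {
    return function () {
        return {
            readyState: 0, status: 0, responseText: "",
            open: function () {}, setRequestHeader: function () {},
            send: function () {
                this.readyState = 4; this.status = status; this.responseText = body;
                this.onreadystatechange();
            }
        };
    };
}

// Runs one poll against the stand-in and returns what the callbacks saw.
function demo(url, status, body) {
    var seen = { sent: false, data: null, error: null };
    seen.sent = pollSecure(url,
        function (d) { seen.data = d; },
        function (e) { seen.error = e; },
        fakeRequest(status, body));
    return seen;
}
```

This only constrains what the script asks for; which TLS library performs the handshake is decided by the Qt build underneath, as discussed in the replies.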
