2

UPDATE

Problem persists on some PCs with Windows 7 and 10. Wireshark states that the requests are getting done with TLSv1.0.

I read that there is a workaround by adding registry keys, but although I tried them (disabling TLS 1.0 and enabling TLS 1.1 and 1.2), none of them work, and I don't want my clients to do such a procedure. I want to tell my app to use 1.2 only.

EOU

I wrote an app using Qt, which performs standard GET requests to my website at https://www.myprefix.mydomain.com.

Now, the deployed app on Windows works on computers with TLS version 1.2, but the request gets blocked if the computer has TLS 1.0 enabled. To conclude this I wrote a minimal app (hello world, are u there server?) and checked the Wireshark entries on both computers, and that appears to be the only difference. According to Wireshark, if TLS1.0 is available, then my app uses TLS1.0 (regardless of the presence of 1.2) and gets blocked.

I know that 1.0 is no longer considered secure, so I want to tell my Qt app to use only TLS1.+.

I would rather not use http (later I'll get sensitive information) and not tell my clients to disable TLS1.0. Can this be hardcoded into the Qt app?

I have tried with this:

#include <QSslConfiguration>

// Make every QNetworkAccessManager / QSslSocket created afterwards offer only TLS 1.2.
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
config.setProtocol(QSsl::TlsV1_2);
QSslConfiguration::setDefaultConfiguration(config);

But the app still uses TLS1.0 when available, and the server blocks the request (rightly so).

  • Obviously your application does not use the newer SSL libraries but finds the older libraries first and loads them. If you are using an application installer for deployment you could deploy newer libraries to the application directory when the application is installed. – talamaki Apr 02 '18 at 21:04
  • @talamaki Makes sense... But I am compiling with the latest Qt in fully updated Windows 10. My guess is that those libraries come by default. I tried both using windeployqt and by hand (i.e. importing everything). Would you know where to find those libraries? – Tal-Botvinnik Apr 03 '18 at 01:30
  • Call `socket->setProtocol(QSsl::TlsV1_2)` and see if `socket->protocol()` is equal to `QSsl::TlsV1_2`. If it's not, then the picked up OpenSSL libraries do not support it. Solution: Compile OpenSSL yourself and add the library and path in the `configure` process when building Qt. For example: `OPENSSL_LIBS_DEBUG="libeay32MTd.lib ssleay32MTd.lib" OPENSSL_LIBS_RELEASE="libeay32MT.lib ssleay32MT.lib"`. Finally check with `socket->sslLibraryBuildVersionString()` whether your library is used. I won't post an answer, because you deleted it last time while we discussed your issue. – user3606329 Apr 08 '18 at 23:51
  • Hi, you can post an answer. I deleted the last thread in order to reopen it with new evidence and try to be more precise. I'll try your solution – Tal-Botvinnik Apr 09 '18 at 00:27

1 Answer

2

The pre-built packages of Qt support OpenSSL (on Windows and Linux; macOS uses the SecureTransport framework by default) but they don't provide it, as there are specific restrictions in some countries regarding software with cryptographic capabilities.

Therefore, if you have your application working and didn't specifically install OpenSSL on your Windows machine, it means that there's a copy of it lying around in your system. You should find it and, if possible, remove the containing folder from your PATH environment variable.

Next, you should grab a recent version of OpenSSL. Then you can either copy the DLLs into your application folder to ensure they get picked up, or modify the PATH environment variable in Qt Creator (the Run part of the Project panel) so your application can find them.

Note that you currently have to use OpenSSL 1.0.X. If you want 1.1 support you can get it starting with Qt 5.10 but you would have to re-build Qt yourself.

SGaist
  • Thanks for the detailed answer. Though I find all this rather strange, since TLS is a standard protocol all of this should be easier. – Tal-Botvinnik Jun 02 '18 at 19:44
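As an added diagnostic, not code from the question or the answer: a PowerShell script that lists every copy of the OpenSSL 1.0.x DLLs (libeay32.dll / ssleay32.dll) a Qt app could load, in loader order (application directory before PATH), with the file version of each, so you can see which stray copy wins and whether it is recent enough for TLS 1.2. The $AppDir parameter is an assumption (the folder containing the deployed exe).

```powershell
# Added example: find which OpenSSL 1.0.x DLLs a Qt app on Windows would load.
# Assumption: $AppDir is the folder holding the deployed exe; defaults to the current dir.
param(
    [string]$AppDir = (Get-Location).Path
)

# DLL names used by OpenSSL 1.0.x, the series the pre-built Qt packages expect.
$dllNames = @('libeay32.dll', 'ssleay32.dll')

# Windows searches the application directory before the PATH entries,
# so a copy next to the exe takes precedence over one found via PATH.
$searchDirs = @($AppDir) + ($env:PATH -split ';' | Where-Object { $_ -and (Test-Path $_) })

$found = foreach ($dir in $searchDirs) {
    foreach ($name in $dllNames) {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $info = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Dll         = $name
                Directory   = $dir
                FileVersion = $info.FileVersion
                Product     = $info.ProductName
            }
        }
    }
}

if (-not $found) {
    Write-Host "No OpenSSL 1.0.x DLLs found in $AppDir or on PATH; Qt will report no SSL support."
    return
}

# Every candidate, in the order the loader tries them.
$found | Format-Table -AutoSize

# The first hit per DLL name is the copy that actually gets loaded.
# TLS 1.2 was added in OpenSSL 1.0.1, so anything older cannot honour QSsl::TlsV1_2.
$winners = $found | Group-Object Dll | ForEach-Object { $_.Group[0] }
foreach ($w in $winners) {
    $note = if ($w.FileVersion -and [version]($w.FileVersion -replace '[^\d.].*$', '') -lt [version]'1.0.1') { ' (too old for TLS 1.2)' } else { '' }
    Write-Host ("{0} will be loaded from {1} (version {2}){3}" -f $w.Dll, $w.Directory, $w.FileVersion, $note)
}
```

Run it from the deployed application folder; any winning copy that is not the one you shipped is the stray library the answer tells you to remove from PATH or shadow with your own DLLs.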