[Development] Hacking guide for Qt's SSL Support

Craig.Scott at csiro.au Craig.Scott at csiro.au
Tue Jan 3 00:57:11 CET 2012


On 02/01/2012, at 11:06 PM, Richard Moore wrote:

> On Sun, Jan 1, 2012 at 3:51 PM, Andreas Aardal Hanssen
> <andreas at hanssen.name> wrote:
>> Hi Richard, looks really good! For Qt 4, the idea was to have several
>> backends like you write here. Still we ended up with only one, and it's not
>> really that much of a well-defined backend. Especially considering it's the
>> only one ;-).
> 
> Yeah, there's no real internal API that a backend needs to implement
> right now. We could do with a Lighthouse project for this. :-)
> 
>> 
>> The other options I imagined were GnuTLS [*], and using native SSL support
>> should that exist.
>> 
>> Today the backend separation is still around but it only complicates the
>> code unless there truly are other backends to support.
>> 
>> What are your thoughts on this?
> 
> I think that there may be a need in the future to use platform
> specific SSL APIs. There is some additional complication right now,
> but I suspect that if the backend API were factored out that the
> complexity would be reduced quite a bit.
> 
> In terms of non-platform SSL backends, there have been some requests
> for an NSS backend, but I'm not sure that NSS really meets the needs
> of Qt at the moment. It reportedly has problems if you want to use it
> as a client and a server at the same time, and is also designed much
> more as an API for an application to use rather than a library. I have
> been tempted to experiment with writing a backend using PolarSSL which
> has a very clean API, but that wouldn't be something usable for Qt due
> to both licensing issues and relatively limited functionality.
> 

Unfortunately, OpenSSL is not part of the LSB, so if you want SSL support on Linux and you want your application to be LSB compliant, you end up having to link in the OpenSSL libraries statically. That's not necessarily a bad thing from a security point of view, but it is an annoyance. NSS, on the other hand, *is* in the LSB. If NSS was able to meet Qt's needs, then it would be useful to have an NSS backend. Obviously, if NSS has issues as you mentioned, then that makes it a bit of a moot point. I don't think GnuTLS is in the LSB, but the LSB navigator site is currently down so I can't easily check.

--
Dr Craig Scott
Computational Software Engineering Team Leader, CSIRO (CMIS)
Melbourne, Australia





