[Development] Adding support for a new OpenSSL API

Richard Moore rich at kde.org
Sat Feb 16 15:05:51 CET 2013


Hi Scott,

On 15 February 2013 18:29, Scott Deboy <sdeboy at secondstryke.com> wrote:
> I'm working on adding support in QT5 for a new OpenSSL API supporting TLS
> Authorization Extensions (http://tools.ietf.org/html/rfc5878) and would
> appreciate guidance on how to best expose this API, as it will only be
> available in the very latest versions of OpenSSL.

The first question is whether this is something that you want just for a
single project, in which case it might be best to use -openssl-linked and
simply expose a few hooks using a custom patch to Qt, or whether it's
something that you'd like to make available more generally.

The requirement for a new OpenSSL isn't a particular problem, but you
should remember that in Qt we have to support a wide range of versions at both
compile time and run time, so putting the correct checks in place to
only use the functionality when it is available can be tricky. Also
worth remembering is that macOS ships with an ancient OpenSSL and is
therefore an ongoing pain in the neck.

> I would also appreciate guidance on the correct way to implement this
> in Qt5:
>
> The new OpenSSL API is callback-driven and modifies the handshake process by
> adding hello extensions and supplemental data.  One additional complexity is
> that each side needs to be able to read the other side's hello extensions
> and (in the client case) supplemental data prior to generating its own hello
> extension and supplemental data (all part of the handshake).

At the moment, we don't support TLS extensions in the handshake at all
really, though we do have support for SNI (which is in the client
hello). I'd love to have support for this more generally though. I
suspect an approach similar to the one I used for certificate
extensions would be a good approach that would mean we got the ability
for apps to use the authorization extensions without us actually
coding for that in Qt. You can see what I did for extensions here:

https://codereview.qt-project.org/#change,7976

One thing that might make life a little harder for you (though it
might not matter) is that last time I checked OpenSSL didn't use the
main ASN.1 parser for TLS extensions. Another thing to consider is whether
you only need this support at the QSslSocket layer, or if it should
also be exposed in QNetworkAccessManager.

>
> I have reviewed the mailing list archives and read
> http://qt-project.org/wiki/Hacking-on-Qts-SSL-Support which is helpful, but
> was hoping for more guidance.

If there's anything specific you think is missing from that page let
me know and I'll add it.

Cheers

Rich.
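An added illustration of two points in the reply above, written for this page and not code from the thread, from Qt or from OpenSSL: a hello's extensions vector is plain length-prefixed TLV rather than ASN.1, and the server has to finish reading the client's extensions before it can decide its own. The extension type numbers are the IANA registry values (server_name 0, client_authz 7, server_authz 8); the negotiation rule (answer with server_authz only if the client offered x509_attr_cert) is a hypothetical simplification, not the full RFC 5878 procedure; the hostname and format list are constructed sample data, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ExtensionType values from the IANA TLS registry: server_name (RFC 6066),
 * client_authz and server_authz (RFC 5878). */
enum { EXT_SERVER_NAME = 0, EXT_CLIENT_AUTHZ = 7, EXT_SERVER_AUTHZ = 8 };

struct tls_ext { uint16_t type; uint16_t len; const uint8_t *data; };
/* Per-extension callback: return 0 to continue, nonzero to abort the handshake. */
typedef int (*tls_ext_cb)(const struct tls_ext *ext, void *arg);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Walk a hello's "Extension extensions<0..2^16-1>" vector: plain length-prefixed
 * TLV, not ASN.1. Returns the extension count, or -1 if the vector length does
 * not match buflen or an extension body runs past the end. */
int tls_parse_extensions(const uint8_t *buf, size_t buflen, tls_ext_cb cb, void *arg)
{
    size_t off = 2; int n = 0;
    if (buflen < 2 || (size_t)rd16(buf) + 2 != buflen) return -1;
    while (off < buflen) {
        struct tls_ext e;
        if (buflen - off < 4) return -1;            /* no room for type + length */
        e.type = rd16(buf + off);
        e.len = rd16(buf + off + 2);
        off += 4;
        if (buflen - off < e.len) return -1;        /* body past end of vector */
        e.data = buf + off;
        off += e.len;
        if (cb && cb(&e, arg) != 0) return -1;
        n++;
    }
    return n;
}

/* Append one extension to a vector being built in out[0..cap); out[0..2) holds
 * the running vector length. Returns the new total size, or 0 if it won't fit. */
size_t tls_add_extension(uint8_t *out, size_t cap, uint16_t type,
                         const uint8_t *data, uint16_t len)
{
    size_t used = 2 + rd16(out);
    if (used + 4 + len > cap || used + 2 + len > 0xFFFF) return 0;
    wr16(out + used, type);
    wr16(out + used + 2, len);
    memcpy(out + used + 4, data, len);
    wr16(out, (uint16_t)(used + 2 + len));
    return used + 4 + len;
}

/* Server-side callback: record whether the client's client_authz offered
 * x509_attr_cert. Body is "AuthzDataFormat authz_format_list<1..2^8-1>": a
 * 1-byte length then one byte per format (0 = x509_attr_cert, 1 = saml_assertion). */
static int srv_on_client_ext(const struct tls_ext *e, void *arg)
{
    int *offers_x509_attr_cert = arg;
    if (e->type != EXT_CLIENT_AUTHZ) return 0;      /* not ours (e.g. SNI): skip */
    if (e->len < 2 || (size_t)e->data[0] + 1 != e->len) return 1;  /* malformed */
    *offers_x509_attr_cert = memchr(e->data + 1, 0x00, e->data[0]) != NULL;
    return 0;
}

/* Build the ServerHello extensions vector from the ClientHello's. The whole
 * client vector is parsed first; only then is the server's answer chosen.
 * Hypothetical simplified rule (not the full RFC 5878 procedure): reply with
 * server_authz naming x509_attr_cert only if the client offered that format.
 * Returns the output size, or 0 on malformed input or no room. */
size_t server_hello_extensions(const uint8_t *chello, size_t chlen,
                               uint8_t *out, size_t cap, int *negotiated)
{
    static const uint8_t x509_only[] = { 0x01, 0x00 };
    int offered = 0; size_t size;
    *negotiated = 0;
    if (cap < 2 || tls_parse_extensions(chello, chlen, srv_on_client_ext, &offered) < 0)
        return 0;
    wr16(out, 0);                                   /* start from an empty vector */
    if (!offered) return 2;
    size = tls_add_extension(out, cap, EXT_SERVER_AUTHZ, x509_only, sizeof x509_only);
    if (size) *negotiated = 1;
    return size;
}

/* Drive one exchange on a constructed ClientHello: SNI for "example.com" and,
 * if offer_authz, client_authz offering formats 0 and 1. truncate_by bytes are
 * chopped off to show the parser rejecting a damaged message. Returns 1 if
 * server_authz was negotiated, 0 if not, -1 if the ClientHello was rejected. */
int run_exchange(size_t truncate_by, int offer_authz)
{
    static const uint8_t sni[] = { 0x00, 0x0e, 0x00, 0x00, 0x0b,
                                   'e','x','a','m','p','l','e','.','c','o','m' };
    static const uint8_t authz[] = { 0x02, 0x00, 0x01 };
    uint8_t ch[64], sh[64];
    int negotiated; size_t chlen;
    wr16(ch, 0);
    chlen = tls_add_extension(ch, sizeof ch, EXT_SERVER_NAME, sni, sizeof sni);
    if (offer_authz)
        chlen = tls_add_extension(ch, sizeof ch, EXT_CLIENT_AUTHZ, authz, sizeof authz);
    if (chlen == 0 || truncate_by >= chlen) return -1;
    if (server_hello_extensions(ch, chlen - truncate_by, sh, sizeof sh, &negotiated) == 0)
        return -1;
    return negotiated;
}
```

The parser checks every length before it is used, so a ClientHello whose outer vector length disagrees with the bytes actually received is rejected rather than read past; the same TLV walk serves the ServerHello, which is why a generic "hand every extension to a callback" hook, like the certificate-extension approach mentioned above, can cover authorization extensions without protocol-specific code in the transport layer.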
