[Development] TLS extensions and supplemental data

Peter Hartmann phartmann at blackberry.com
Wed Mar 13 11:33:50 CET 2013

Looks good!

Some comments / questions:

- Do you have examples of supplemental data? It seems to me like TLS 
extensions are more important here, as they are used everywhere already.

- re. API:

What comes to my mind are the following options:
a) generic class QTlsExtension similar to QSslCertificateExtension with 
name() and QVariant value() and getter "QList<QTlsExtension> 
QSslConfiguration::tlsExtensions()" (+ respective setter). Depends on 
whether it is worth introducing a new class.

b) enum in QSslConfiguration (e.g. 
"QSslConfiguration::TlsExtensionServerName") and getter "QVariant 
QSslConfiguration::tlsExtension(QSslConfiguration::TlsExtension)" (+ 
respective setter). Might be better because it is less API than a).

c) individual getters / setters like "QVariant 
tlsExtensionServerName()"; that looks like cluttering the API.

- re. "On which object should extensions be set/retrieved?":

Maybe QSslConfiguration would be the place to set/get extensions, 
instead of QSslSocket? At least this is where we store things like the 
session cipher, certificate chain etc. IMO the API is a bit cluttered 
between those two classes, so I think we should have all of that in 

- re. "How are the extensions to be set and exposed?":

If "There is a requirement to be able to retrieve the far side extension 
prior to setting extensions", then this sounds like we need a new signal 
for QSslSocket (and probably later the same one in QNetworkReply). Rich 
was working on an "encrypted" signal which would be fired after the 
handshake and before application data was sent, but I guess this would 
be too late for some extensions then.

- re. "One-shot setter supporting a set of extensions, or ability to 
call addExtension multiple times prior to the extended hello being sent?"

I think we could combine it by having an addExtension taking one single 
extension and maybe an overload which takes a QList or so.



On 03/08/2013 08:09 PM, Scott Deboy wrote:
> I wanted to give folks a heads-up that I'm starting work on defining an API which will give Qt the ability to retrieve and set TLS extension data sent in OpenSSL's extended hello.
> I will also be adding support for the ability to send and retrieve supplemental data messages.
> A Wiki topic has been created to work through the process of defining the API - please feel free to update/add questions or contribute to the discussion:
> http://qt-project.org/wiki/Improving_TLS_handshake_support
> Thanks much,
> Scott
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
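Since the thread is about reading extension data out of the extended ClientHello, here is an added example (not Qt's code and not from the wiki page) that parses the extensions vector of a ClientHello body and decodes the server_name extension the enum option above refers to. The sample hello, its cipher suite and the extra extension bytes are constructed for this example; the parser rejects truncated vectors and duplicate extension types instead of reading past the buffer.

```python
import struct

def _vec(data, pos, len_bytes):
    """Read a length-prefixed vector at pos; return (contents, next_pos). Raises on truncation."""
    if pos + len_bytes > len(data):
        raise ValueError("truncated length field")
    length = int.from_bytes(data[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(data):
        raise ValueError("vector overruns enclosing data")
    return data[pos:pos + length], pos + length

def parse_client_hello_extensions(body):
    """Parse a ClientHello body (after the 4-byte handshake header) into {ext_type: data}."""
    pos = 2 + 32                        # client_version + random
    for len_bytes in (1, 2, 1):         # skip session_id, cipher_suites, compression_methods
        _, pos = _vec(body, pos, len_bytes)
    if pos == len(body):
        return {}                       # extensions block is optional before TLS 1.3
    block, pos = _vec(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    exts, p = {}, 0
    while p < len(block):
        ext_type = int.from_bytes(block[p:p + 2], "big")
        data, p = _vec(block, p + 2, 2)  # raises if the extension overruns the block
        if ext_type in exts:            # RFC 5246 forbids repeating an extension type
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = data
    return exts

def decode_server_name(data):
    """Return the host_name from a server_name (type 0) extension body."""
    names, _ = _vec(data, 0, 2)
    p = 0
    while p < len(names):
        name_type, (host, p) = names[p], _vec(names, p + 1, 2)
        if name_type == 0:              # NameType host_name
            return host.decode("ascii")
    raise ValueError("no host_name entry")

def build_client_hello(host, extra_ext=()):
    """Constructed sample ClientHello body (not a real capture): SNI plus optional extra extensions."""
    entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
    exts = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    for ext_type, data in extra_ext:
        exts += struct.pack("!HH", ext_type, len(data)) + data
    return (b"\x03\x03" + b"\x11" * 32 + b"\x00"           # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
```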
