/***************************************************************************
- * Copyright (C) 2005-2014 by the Quassel Project *
+ * Copyright (C) 2005-2016 by the Quassel Project *
* devel@quassel-irc.org *
* *
* This program is free software; you can redistribute it and/or modify *
# include <QSslSocket>
#endif
+#include <QDateTime>
#include <QFile>
#include "logger.h"
: QTcpServer(parent),
_isCertValid(false)
{
+ // Keep track if the SSL warning has been mentioned at least once before
static bool sslWarningShown = false;
- if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) {
+
+ if(Quassel::isOptionSet("ssl-cert")) {
+ _sslCertPath = Quassel::optionValue("ssl-cert");
+ } else {
+ _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
+ }
+
+ if(Quassel::isOptionSet("ssl-key")) {
+ _sslKeyPath = Quassel::optionValue("ssl-key");
+ } else {
+ _sslKeyPath = _sslCertPath;
+ }
+
+ // Initialize the certificates for first-time usage
+ if (!loadCerts()) {
if (!sslWarningShown) {
quWarning()
<< "SslServer: Unable to set certificate file\n"
}
-bool SslServer::setCertificate(const QString &path)
+bool SslServer::loadCerts()
{
- _isCertValid = false;
+ // Load the certificates specified in the path. If needed, other prep work can be done here.
+ return setCertificate(_sslCertPath, _sslKeyPath);
+}
+
+
+bool SslServer::reloadCerts()
+{
+ if (loadCerts()) {
+ return true;
+ } else {
+ // Reloading certificates currently only occur in response to a request. Always print an
+ // error if something goes wrong, in order to simplify checking if it's working.
+ if (isCertValid()) {
+ quWarning()
+ << "SslServer: Unable to reload certificate file, reverting\n"
+ << " Quassel Core will use the previous key to provide SSL for client connections.\n"
+ << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+ } else {
+ quWarning()
+ << "SslServer: Unable to reload certificate file\n"
+ << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
+ << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+ }
+ return false;
+ }
+}
+
+
+bool SslServer::setCertificate(const QString &path, const QString &keyPath)
+{
+ // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
+ // Use temporary variables in order to avoid overwriting the existing certificates until
+ // everything is confirmed good.
+ QSslCertificate untestedCert;
+ QList<QSslCertificate> untestedCA;
+ QSslKey untestedKey;
if (path.isEmpty())
return false;
return false;
}
- _cert = certList[0];
+ untestedCert = certList[0];
certList.removeFirst(); // remove server cert
// store CA and intermediates certs
- _ca = certList;
+ untestedCA = certList;
if (!certFile.reset()) {
quWarning() << "SslServer: IO error reading certificate file";
return false;
}
- _key = QSslKey(&certFile, QSsl::Rsa);
+ // load key from keyPath if it differs from path, otherwise load key from path
+ if(path != keyPath) {
+ QFile keyFile(keyPath);
+ if(!keyFile.exists()) {
+ quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
+ return false;
+ }
+
+ if (!keyFile.open(QIODevice::ReadOnly)) {
+ quWarning()
+ << "SslServer: Failed to open key file" << qPrintable(keyPath)
+ << "error:" << keyFile.error();
+ return false;
+ }
+
+ untestedKey = QSslKey(&keyFile, QSsl::Rsa);
+ keyFile.close();
+ } else {
+ untestedKey = QSslKey(&certFile, QSsl::Rsa);
+ }
+
certFile.close();
- if (_cert.isNull()) {
+ if (untestedCert.isNull()) {
quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
return false;
}
- if (!_cert.isValid()) {
- quWarning() << "SslServer: Invalid certificate (most likely expired)";
- // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+
+ // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+ const QDateTime now = QDateTime::currentDateTime();
+ if (now < untestedCert.effectiveDate())
+ quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
+
+ else if (now > untestedCert.expiryDate())
+ quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
+
+ else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block
+#if QT_VERSION < 0x050000
+ if (!untestedCert.isValid())
+#else
+ if (untestedCert.isBlacklisted())
+#endif
+ quWarning() << "SslServer: Certificate blacklisted";
}
- if (_key.isNull()) {
- quWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
+ if (untestedKey.isNull()) {
+ quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
return false;
}
_isCertValid = true;
+ // All keys are valid, update the externally visible copy used for new connections.
+ _cert = untestedCert;
+ _ca = untestedCA;
+ _key = untestedKey;
+
return _isCertValid;
}