1 /***************************************************************************
2 * Copyright (C) 2005-2020 by the Quassel Project *
3 * devel@quassel-irc.org *
5 * This program is free software; you can redistribute it and/or modify *
6 * it under the terms of the GNU General Public License as published by *
7 * the Free Software Foundation; either version 2 of the License, or *
8 * (at your option) version 3. *
10 * This program is distributed in the hope that it will be useful, *
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
13 * GNU General Public License for more details. *
15 * You should have received a copy of the GNU General Public License *
16 * along with this program; if not, write to the *
17 * Free Software Foundation, Inc., *
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *
19 ***************************************************************************/
21 #include "sslserver.h"
24 #include <QSslConfiguration>
30 SslServer::SslServer(QObject* parent)
33 // Keep track if the SSL warning has been mentioned at least once before
34 static bool sslWarningShown = false;
36 if (Quassel::isOptionSet("ssl-cert")) {
37 _sslCertPath = Quassel::optionValue("ssl-cert");
40 _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
43 if (Quassel::isOptionSet("ssl-key")) {
44 _sslKeyPath = Quassel::optionValue("ssl-key");
47 _sslKeyPath = _sslCertPath;
50 // Initialize the certificates for first-time usage
52 // If the core is unable to load a certificate, and "--require-ssl" is specified,
53 // do not proceed, throw an exception and quit. This prevents the core from falling
54 // back to a plaintext-only core when they should be expecting SSL/TLS only.
55 if (Quassel::isOptionSet("require-ssl")) {
56 throw ExitException{EXIT_FAILURE, tr("--require-ssl is set, but no SSL certificate is available. Exiting.")};
58 if (!sslWarningShown) {
59 qWarning() << "SslServer: Unable to set certificate file\n"
60 << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
61 << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
62 sslWarningShown = true;
67 void SslServer::incomingConnection(qintptr socketDescriptor)
69 auto* socket = new QSslSocket(this);
70 if (socket->setSocketDescriptor(socketDescriptor)) {
72 auto config = socket->sslConfiguration();
73 config.setLocalCertificate(_cert);
74 config.setPrivateKey(_key);
75 auto certificates = config.caCertificates();
77 config.setCaCertificates(certificates);
78 socket->setSslConfiguration(config);
80 addPendingConnection(socket);
87 bool SslServer::loadCerts()
89 // Load the certificates specified in the path. If needed, other prep work can be done here.
90 return setCertificate(_sslCertPath, _sslKeyPath);
93 bool SslServer::reloadCerts()
99 // Reloading certificates currently only occur in response to a request. Always print an
100 // error if something goes wrong, in order to simplify checking if it's working.
102 qWarning() << "SslServer: Unable to reload certificate file, reverting\n"
103 << " Quassel Core will use the previous key to provide SSL for client connections.\n"
104 << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
107 qWarning() << "SslServer: Unable to reload certificate file\n"
108 << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
109 << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
115 bool SslServer::setCertificate(const QString& path, const QString& keyPath)
117 // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
118 // Use temporary variables in order to avoid overwriting the existing certificates until
119 // everything is confirmed good.
120 QSslCertificate untestedCert;
121 QList<QSslCertificate> untestedCA;
127 QFile certFile(path);
128 if (!certFile.exists()) {
129 qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
133 if (!certFile.open(QIODevice::ReadOnly)) {
134 qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error();
138 QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
140 if (certList.isEmpty()) {
141 qWarning() << "SslServer: Certificate file doesn't contain a certificate";
145 untestedCert = certList[0];
146 certList.removeFirst(); // remove server cert
148 // store CA and intermediates certs
149 untestedCA = certList;
151 if (!certFile.reset()) {
152 qWarning() << "SslServer: IO error reading certificate file";
156 // load key from keyPath if it differs from path, otherwise load key from path
157 if (path != keyPath) {
158 QFile keyFile(keyPath);
159 if (!keyFile.exists()) {
160 qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
164 if (!keyFile.open(QIODevice::ReadOnly)) {
165 qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error();
169 untestedKey = loadKey(&keyFile);
173 untestedKey = loadKey(&certFile);
178 if (untestedCert.isNull()) {
179 qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
183 // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
184 const QDateTime now = QDateTime::currentDateTime();
185 if (now < untestedCert.effectiveDate()) {
186 qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
188 else if (now > untestedCert.expiryDate()) {
189 qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
191 else if (untestedCert.isBlacklisted()) {
192 qWarning() << "SslServer: Certificate blacklisted";
195 if (untestedKey.isNull()) {
196 qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
200 _certificateExpires = untestedCert.expiryDate();
201 if (_metricsServer) {
202 _metricsServer->setCertificateExpires(_certificateExpires);
207 // All keys are valid, update the externally visible copy used for new connections.
208 _cert = untestedCert;
215 QSslKey SslServer::loadKey(QFile* keyFile)
218 key = QSslKey(keyFile, QSsl::Rsa);
220 if (!keyFile->reset()) {
221 qWarning() << "SslServer: IO error reading key file";
224 key = QSslKey(keyFile, QSsl::Ec);
229 void SslServer::setMetricsServer(MetricsServer* metricsServer)
231 _metricsServer = metricsServer;
232 if (_metricsServer) {
233 _metricsServer->setCertificateExpires(_certificateExpires);