/***************************************************************************
- * Copyright (C) 2005-2014 by the Quassel Project *
+ * Copyright (C) 2005-2020 by the Quassel Project *
* devel@quassel-irc.org *
* *
* This program is free software; you can redistribute it and/or modify *
#include "sslserver.h"
-#ifdef HAVE_SSL
-# include <QSslSocket>
-#endif
+#include <QDateTime>
+#include <QSslConfiguration>
+#include <QSslSocket>
-#include <QFile>
-
-#include "logger.h"
+#include "core.h"
#include "quassel.h"
-#ifdef HAVE_SSL
-
-SslServer::SslServer(QObject *parent)
- : QTcpServer(parent),
- _isCertValid(false)
+SslServer::SslServer(QObject* parent)
+ : QTcpServer(parent)
{
+ // Keep track if the SSL warning has been mentioned at least once before
static bool sslWarningShown = false;
- if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) {
+
+ if (Quassel::isOptionSet("ssl-cert")) {
+ _sslCertPath = Quassel::optionValue("ssl-cert");
+ }
+ else {
+ _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
+ }
+
+ if (Quassel::isOptionSet("ssl-key")) {
+ _sslKeyPath = Quassel::optionValue("ssl-key");
+ }
+ else {
+ _sslKeyPath = _sslCertPath;
+ }
+
+ // Initialize the certificates for first-time usage
+ if (!loadCerts()) {
if (!sslWarningShown) {
- quWarning()
- << "SslServer: Unable to set certificate file\n"
- << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
- << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+ qWarning() << "SslServer: Unable to set certificate file\n"
+ << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
+ << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
sslWarningShown = true;
}
}
}
-
-QTcpSocket *SslServer::nextPendingConnection()
-{
- if (_pendingConnections.isEmpty())
- return 0;
- else
- return _pendingConnections.takeFirst();
-}
-
-#if QT_VERSION >= 0x050000
void SslServer::incomingConnection(qintptr socketDescriptor)
-#else
-void SslServer::incomingConnection(int socketDescriptor)
-#endif
{
- QSslSocket *serverSocket = new QSslSocket(this);
- if (serverSocket->setSocketDescriptor(socketDescriptor)) {
+ auto* socket = new QSslSocket(this);
+ if (socket->setSocketDescriptor(socketDescriptor)) {
if (isCertValid()) {
- serverSocket->setLocalCertificate(_cert);
- serverSocket->setPrivateKey(_key);
- serverSocket->addCaCertificates(_ca);
+ auto config = socket->sslConfiguration();
+ config.setLocalCertificate(_cert);
+ config.setPrivateKey(_key);
+ auto certificates = config.caCertificates();
+ certificates += _ca;
+ config.setCaCertificates(certificates);
+ socket->setSslConfiguration(config);
}
- _pendingConnections << serverSocket;
- emit newConnection();
+ addPendingConnection(socket);
}
else {
- delete serverSocket;
+ delete socket;
}
}
+bool SslServer::loadCerts()
+{
+ // Load the certificates specified in the path. If needed, other prep work can be done here.
+ return setCertificate(_sslCertPath, _sslKeyPath);
+}
-bool SslServer::setCertificate(const QString &path)
+bool SslServer::reloadCerts()
{
- _isCertValid = false;
+ if (loadCerts()) {
+ return true;
+ }
+ else {
+ // Reloading certificates currently only occur in response to a request. Always print an
+ // error if something goes wrong, in order to simplify checking if it's working.
+ if (isCertValid()) {
+ qWarning() << "SslServer: Unable to reload certificate file, reverting\n"
+ << " Quassel Core will use the previous key to provide SSL for client connections.\n"
+ << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+ }
+ else {
+ qWarning() << "SslServer: Unable to reload certificate file\n"
+ << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
+ << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+ }
+ return false;
+ }
+}
+
+bool SslServer::setCertificate(const QString& path, const QString& keyPath)
+{
+ // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
+ // Use temporary variables in order to avoid overwriting the existing certificates until
+ // everything is confirmed good.
+ QSslCertificate untestedCert;
+ QList<QSslCertificate> untestedCA;
+ QSslKey untestedKey;
if (path.isEmpty())
return false;
QFile certFile(path);
if (!certFile.exists()) {
- quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
+ qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
return false;
}
if (!certFile.open(QIODevice::ReadOnly)) {
- quWarning()
- << "SslServer: Failed to open certificate file" << qPrintable(path)
- << "error:" << certFile.error();
+ qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error();
return false;
}
QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
if (certList.isEmpty()) {
- quWarning() << "SslServer: Certificate file doesn't contain a certificate";
+ qWarning() << "SslServer: Certificate file doesn't contain a certificate";
return false;
}
- _cert = certList[0];
- certList.removeFirst(); // remove server cert
+ untestedCert = certList[0];
+ certList.removeFirst(); // remove server cert
// store CA and intermediates certs
- _ca = certList;
+ untestedCA = certList;
if (!certFile.reset()) {
- quWarning() << "SslServer: IO error reading certificate file";
+ qWarning() << "SslServer: IO error reading certificate file";
return false;
}
- _key = QSslKey(&certFile, QSsl::Rsa);
+ // load key from keyPath if it differs from path, otherwise load key from path
+ if (path != keyPath) {
+ QFile keyFile(keyPath);
+ if (!keyFile.exists()) {
+ qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
+ return false;
+ }
+
+ if (!keyFile.open(QIODevice::ReadOnly)) {
+ qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error();
+ return false;
+ }
+
+ untestedKey = loadKey(&keyFile);
+ keyFile.close();
+ }
+ else {
+ untestedKey = loadKey(&certFile);
+ }
+
certFile.close();
- if (_cert.isNull()) {
- quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
+ if (untestedCert.isNull()) {
+ qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
return false;
}
- if (!_cert.isValid()) {
- quWarning() << "SslServer: Invalid certificate (most likely expired)";
- // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+
+ // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+ const QDateTime now = QDateTime::currentDateTime();
+ if (now < untestedCert.effectiveDate()) {
+ qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
+ }
+ else if (now > untestedCert.expiryDate()) {
+ qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
}
- if (_key.isNull()) {
- quWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
+ else if (untestedCert.isBlacklisted()) {
+ qWarning() << "SslServer: Certificate blacklisted";
+ }
+
+ if (untestedKey.isNull()) {
+ qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
return false;
}
+ _certificateExpires = untestedCert.expiryDate();
+ if (_metricsServer) {
+ _metricsServer->setCertificateExpires(_certificateExpires);
+ }
+
_isCertValid = true;
+ // All keys are valid, update the externally visible copy used for new connections.
+ _cert = untestedCert;
+ _ca = untestedCA;
+ _key = untestedKey;
+
return _isCertValid;
}
+QSslKey SslServer::loadKey(QFile* keyFile)
+{
+ QSslKey key;
+ key = QSslKey(keyFile, QSsl::Rsa);
+ if (key.isNull()) {
+ if (!keyFile->reset()) {
+ qWarning() << "SslServer: IO error reading key file";
+ return key;
+ }
+ key = QSslKey(keyFile, QSsl::Ec);
+ }
+ return key;
+}
-#endif // HAVE_SSL
+void SslServer::setMetricsServer(MetricsServer* metricsServer)
+{
+ _metricsServer = metricsServer;
+ if (_metricsServer) {
+ _metricsServer->setCertificateExpires(_certificateExpires);
+ }
+}
projects / quassel.git / blobdiff