X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=29166c35515d090fe8bf41568b40d520ab2a3218;hp=ee19c20d0674732a6e623b906efca784cc001eaa;hb=56d25331d61b4b24a2805f1cf16e68f722fdaf73;hpb=4a5065255e652dd0c301bac0db41b7afb777ef49 diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index ee19c20d..29166c35 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2005-2013 by the Quassel Project * + * Copyright (C) 2005-2015 by the Quassel Project * * devel@quassel-irc.org * * * * This program is free software; you can redistribute it and/or modify * @@ -24,6 +24,7 @@ # include #endif +#include #include #include "logger.h" @@ -36,7 +37,23 @@ SslServer::SslServer(QObject *parent) _isCertValid(false) { static bool sslWarningShown = false; - if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) { + + QString ssl_cert; + QString ssl_key; + + if(Quassel::isOptionSet("ssl-cert")) { + ssl_cert = Quassel::optionValue("ssl-cert"); + } else { + ssl_cert = Quassel::configDirPath() + "quasselCert.pem"; + } + + if(Quassel::isOptionSet("ssl-key")) { + ssl_key = Quassel::optionValue("ssl-key"); + } else { + ssl_key = ssl_cert; + } + + if (!setCertificate(ssl_cert, ssl_key)) { if (!sslWarningShown) { quWarning() << "SslServer: Unable to set certificate file\n" @@ -56,8 +73,11 @@ QTcpSocket *SslServer::nextPendingConnection() return _pendingConnections.takeFirst(); } - +#if QT_VERSION >= 0x050000 +void SslServer::incomingConnection(qintptr socketDescriptor) +#else void SslServer::incomingConnection(int socketDescriptor) +#endif { QSslSocket *serverSocket = new QSslSocket(this); if (serverSocket->setSocketDescriptor(socketDescriptor)) { @@ -75,7 +95,7 @@ void SslServer::incomingConnection(int socketDescriptor) } -bool SslServer::setCertificate(const QString &path) +bool SslServer::setCertificate(const QString &path, const QString &keyPath) { _isCertValid = false; @@ -113,18 +133,52 @@ bool SslServer::setCertificate(const QString &path) return false; } - _key = QSslKey(&certFile, QSsl::Rsa); + // load key from keyPath if it differs from path, otherwise load key from path + if(path != keyPath) { + QFile keyFile(keyPath); + if(!keyFile.exists()) { + quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; + return false; + } + + if (!keyFile.open(QIODevice::ReadOnly)) { + quWarning() + << "SslServer: Failed to open key file" << qPrintable(keyPath) + << "error:" << keyFile.error(); + return false; + } + + _key = QSslKey(&keyFile, QSsl::Rsa); + keyFile.close(); + } else { + _key = QSslKey(&certFile, QSsl::Rsa); + } + certFile.close(); if (_cert.isNull()) { quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; return false; } - if (!_cert.isValid()) { - quWarning() << "SslServer: Invalid certificate (most likely expired)"; + + // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. + const QDateTime now = QDateTime::currentDateTime(); + if (now < _cert.effectiveDate()) + quWarning() << "SslServer: Certificate won't be valid before" << _cert.effectiveDate().toString(); + + else if (now > _cert.expiryDate()) + quWarning() << "SslServer: Certificate expired on" << _cert.expiryDate().toString(); + + else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block +#if QT_VERSION < 0x050000 + if (!_cert.isValid()) +#else + if (_cert.isBlacklisted()) +#endif + quWarning() << "SslServer: Certificate blacklisted"; } if (_key.isNull()) { - quWarning() << "SslServer:" << qPrintable(path) << "contains no key data"; + quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; return false; }