Question about QSslCipher::protocolString

Dawit A adawit at kde.org
Sun Oct 19 15:35:35 BST 2014 

Both the protocol and protocolString methods in QSslCipher return a
different value than what is expected. For example, in Qt 4.8 if you set
the protocol in QSslSocket to QSsl::TlsV1 and connect to blog.mozilla.org
port 443, you get the following output from QSslCipher:

QSslSocket Information:
==================
protocol: 5

QSslCipher Information:
=================
name: DHE-RSA-AES128-SHA
authenticationmethod: RSA
encryptionMethod: AES(128)
keyExchangeMethod: DH
protocol: 0
protocolString: SSLv3
supportedBits: 128
usedBits: 128

However if one uses openssl directly, the following information is returned:

$ openssl s_client -connect blog.mozilla.org:443

<certificate snipped>

subject=/C=US/ST=CA/L=Mountain View/O=Mozilla Corporation/CN=
generic-san.mozilla.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3845 bytes and written 522 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID:
EA0ECB6221F00F22BF082CA189CA9587EDA0572CDB6340058C2FADC0FBCE6FCA
    Session-ID-ctx:
    Master-Key:
52A00273C65B278A2BD71153C2543BA4301569C84DC68878E574F0DF6B1115930E008A1B5D293DCBF9EB04F8F3FA1121
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413727556
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

So the negotiated protocol when using openSSL directly is returned as
TLSv1.1 where as QSslCipher almost always returns SSLv3. My question is why
the negotiated protocol in QSslCipher is different from the one we get
through openssl directly? Is the socket protocol a different thing from the
cipher protocol? If so, then what KTcpSocket::negotiatedSslVersionName()
 returns must be wrong as well.

Anyhow, I am asking this because of bug# 340047.

Since tcpslavebase.cpp calls KTcpSocket::negotiatedSslVersionName() which
in turn calls QSslCipher::protocolString() to obtain the SSL protocol used,
the SSL protocol information sent back to the clients is the one from
QSslCipher. Unfortunately that seems to almost always return "SSLv3".

I have attached the program I used to print out the contents of QSslCipher.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20141019/dc166905/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_qsslcipher.cpp
Type: text/x-c++src
Size: 1713 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20141019/dc166905/attachment.cpp>

More information about the kde-core-devel mailing list