[WebUI]: exclude insecure ciphers

2024-10-22 10:46:04 +03:00 · 2017-02-05 15:00:58 +08:00 · 2017-02-05 15:00:58 +08:00 · 7aef9828c9
commit 7aef9828c9
parent 18ad972936
2 changed files with 29 additions and 0 deletions
--- a/src/base/http/server.cpp
+++ b/src/base/http/server.cpp
@ -47,6 +47,9 @@ Server::Server(IRequestHandler *requestHandler, QObject *parent)
 #endif
 {
    setProxy(QNetworkProxy::NoProxy);
+#ifndef QT_NO_OPENSSL
+    QSslSocket::setDefaultCiphers(safeCipherList());
+#endif
 }

 Server::~Server()
@ -103,3 +106,26 @@ void Server::incomingConnection(int socketDescriptor)
        serverSocket->deleteLater();
    }
 }
+
+#ifndef QT_NO_OPENSSL
+QList<QSslCipher> Server::safeCipherList() const
+{
+    const QStringList badCiphers = {"idea", "rc4"};
+    const QList<QSslCipher> allCiphers = QSslSocket::supportedCiphers();
+    QList<QSslCipher> safeCiphers;
+    foreach (const QSslCipher &cipher, allCiphers) {
+        bool isSafe = true;
+        foreach (const QString &badCipher, badCiphers) {
+            if (cipher.name().contains(badCipher, Qt::CaseInsensitive)) {
+                isSafe = false;
+                break;
+            }
+        }
+
+        if (isSafe)
+            safeCiphers += cipher;
+    }
+
+    return safeCiphers;
+}
+#endif
--- a/src/base/http/server.h
+++ b/src/base/http/server.h
@ -36,6 +36,7 @@
 #include <QTcpServer>
 #ifndef QT_NO_OPENSSL
 #include <QSslCertificate>
+#include <QSslCipher>
 #include <QSslKey>
 #endif

@ -68,6 +69,8 @@ namespace Http
 #endif

 #ifndef QT_NO_OPENSSL
+        QList<QSslCipher> safeCipherList() const;
+
        bool m_https;
        QList<QSslCertificate> m_certificates;
        QSslKey m_key;