Details
- User Story
- Resolution: Done
- P2: Important
- 6.1
- None
- 5
Description
Switch the default builds to use the -schannel configure flag, instead of relying on OpenSSL.
This would allow users of the default Qt builds that need basic SSL/TLS functionality - like Qt Creator - to not ship OpenSSL libraries.
This would have the following advantages:
- Fewer issues with packaging
- Less need to follow up upstream releases for security issues
- No need to separately declare OpenSSL in export classification documents etc.
However, there is also some loss in functionality (quoting from https://bugreports.qt.io/browse/QTBUG-62637?focusedCommentId=471900):
- PSK support is not available (documentation from Microsoft is lacking and it seems to be a binary choice (i.e. you either have to use PSK for the connection or PSK is completely unavailable)).
- TLS 1.3 is not available (there's an enum value for it, but it errors out if you use it).
- ALPN / HTTP2 is only available for Windows 8.1 and up but not available if you compile with MinGW because it doesn't have all the necessary things available.
- DTLS support is not implemented (can be done, but hasn't been a priority outside of having it work for OpenSSL).
- Specifying ciphers is not available.
- this issue
Issue Links
- depends on
  - QTBUG-65922 Pluggable SSL backends (Closed)
- relates to
  - QTBUG-62637 [Windows]: Add support for using Secure Channel for SSL sockets (Closed)