PDA

View Full Version : QSslSocket::setCiphers()



andariel
9th October 2013, 08:47
Hello everybody,

I have an issue with a working Qt-based TCP client/server application that I'm trying to securize, adding SSL to the TCP data transmission.
I could do the basic stuff successfully using QSslSocket, now I'm entering into performance issue given that encryption slows down transmission a lot.

Given that I'm the owner of client and server development I always get the safest possible cipher suite allowed by my platform and my version of OpenSSL. For example, when compiling the project for Windows and using OpenSSL1.0.1e I get: RSA-AES256-SHA.

Now, I don't want to use such a cipher suite because the performance penalty is too high for my needs. I would for example be happy with AES128 or even 3DES. But my issue is that I cannot make Qt work when trying to force such a cipher suite.

Heres' how I proceeded:
1) get the list of available ciphers for my platform, I did something like:



QList<QSslCipher> listOfCiphers = ciphers();
foreach(const QSslCipher &cipher, listOfCiphers)
{
cout << "supported cipher for SSL negociation: " << cipher.name();
}


The beginning of the result output looks like this:
supported cipher for SSL negociation: "ECDHE-RSA-AES256-GCM-SHA384"
supported cipher for SSL negociation: "ECDHE-ECDSA-AES256-GCM-SHA384"
supported cipher for SSL negociation: "ECDHE-RSA-AES256-SHA384"

[...]

starting with the most secure cipher suite, ending with the least one.

2) from there, I first tried to force the usage of a single cipher suite or a subset, doing like this:



setCiphers("ECDHE-RSA-AES128-GCM-SHA256")


or



setCiphers("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA");


In the first case (single cipher suite), the first code snippet (that gives me back supported ciphers), returns nothing ! But still, client and server were able to negociate...the same cipher suite as usual (the slowest one). So eventually its' like if my setCiphers() call was ignored, but still had an influence of what ciphers() returns.

In the second case, I try to setup a list of ciphers (separated by : ), but only one cipher suite (can' remember which one) of the list is returned by ciphers() call. And even worse, the protocol negociation seems to fail as encrypted() signal is never called.

So I would like to know if someone has already used QSslSocket::setCiphers(), and can give me some hints about how to correctly use it ? Or if not setCiphers(), any other way to force the use of a given cipher suite ?


Thanks in advance

andariel
10th October 2013, 08:42
Nobody has an idea ? I can't believe I'm the first one to use that method...