[Pkg-owncloud-commits] [owncloud-client] 77/498: SSL: Re-use encryption session for different TCP connections #3159
Sandro Knauß
hefee-guest at moszumanska.debian.org
Tue Aug 11 14:48:37 UTC 2015
This is an automated email from the git hooks/post-receive script.
hefee-guest pushed a commit to branch master
in repository owncloud-client.
commit f2004da867d5f97b6d4c6744e8188db43ea7b082
Author: Markus Goetz <markus at woboq.com>
Date: Fri May 8 14:21:27 2015 +0200
SSL: Re-use encryption session for different TCP connections #3159
This also improves the SSL configuration creation and fixes #3027
---
src/libsync/account.cpp | 27 ++++++++++++++++++---------
src/libsync/account.h | 2 +-
src/libsync/networkjobs.cpp | 5 +++++
3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/src/libsync/account.cpp b/src/libsync/account.cpp
index c6aac47..b56d42a 100644
--- a/src/libsync/account.cpp
+++ b/src/libsync/account.cpp
@@ -310,6 +310,9 @@ QNetworkReply *Account::headRequest(const QString &relPath)
QNetworkReply *Account::headRequest(const QUrl &url)
{
QNetworkRequest request(url);
+#if QT_VERSION > QT_VERSION_CHECK(4, 8, 4)
+ request.setSslConfiguration(this->getOrCreateSslConfig());
+#endif
return _am->head(request);
}
@@ -322,7 +325,7 @@ QNetworkReply *Account::getRequest(const QUrl &url)
{
QNetworkRequest request(url);
#if QT_VERSION > QT_VERSION_CHECK(4, 8, 4)
- request.setSslConfiguration(this->createSslConfig());
+ request.setSslConfiguration(this->getOrCreateSslConfig());
#endif
return _am->get(request);
}
@@ -336,7 +339,7 @@ QNetworkReply *Account::davRequest(const QByteArray &verb, const QUrl &url, QNet
{
req.setUrl(url);
#if QT_VERSION > QT_VERSION_CHECK(4, 8, 4)
- req.setSslConfiguration(this->createSslConfig());
+ req.setSslConfiguration(this->getOrCreateSslConfig());
#endif
return _am->sendCustomRequest(req, verb, data);
}
@@ -352,16 +355,19 @@ void Account::setSslConfiguration(const QSslConfiguration &config)
_sslConfiguration = config;
}
-QSslConfiguration Account::createSslConfig()
+QSslConfiguration Account::getOrCreateSslConfig()
{
+ if (!_sslConfiguration.isNull()) {
+ // Will be set by CheckServerJob::finished()
+ // We need to use a central shared config to get SSL session tickets
+ return _sslConfiguration;
+ }
+
// if setting the client certificate fails, you will probably get an error similar to this:
// "An internal error number 1060 happened. SSL handshake failed, client certificate was requested: SSL error: sslv3 alert handshake failure"
-
- // maybe this code must not have to be reevaluated every request?
- QSslConfiguration sslConfig;
+ QSslConfiguration sslConfig = QSslConfiguration::defaultConfiguration();
QSslCertificate sslClientCertificate;
- // maybe move this code from createSslConfig to the Account constructor
ConfigFile cfgFile;
if(!cfgFile.certificatePath().isEmpty() && !cfgFile.certificatePasswd().isEmpty()) {
resultP12ToPem certif = p12ToPem(cfgFile.certificatePath().toStdString(), cfgFile.certificatePasswd().toStdString());
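Review bot: The early return at the top of `getOrCreateSslConfig()` hands back `_sslConfiguration` whenever it is non-null, so the client-certificate path and password read from `ConfigFile` further down are not consulted again once `CheckServerJob::finished()` has stored a configuration. If the user replaces or removes the client certificate, requests would presumably keep presenting the old identity and resuming the old TLS session until something resets `_sslConfiguration`; no such reset is visible in this diff. I would state the contract on the early return, e.g. `// NOTE: reset via setSslConfiguration(QSslConfiguration()) whenever the client certificate settings change`, and confirm that a reset path exists. The fallback branch also builds a fresh config without storing it, so despite the name the PKCS#12 file is re-parsed on every request until the server check completes. The function body continues past the end of this hunk.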
@@ -379,14 +385,17 @@ QSslConfiguration Account::createSslConfig()
QSslKey privateKey(_pemPrivateKey.toLocal8Bit(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey , "");
// SSL configuration
- sslConfig.defaultConfiguration();
sslConfig.setCaCertificates(QSslSocket::systemCaCertificates());
- QList<QSslCertificate> caCertifs = sslConfig.caCertificates();
sslConfig.setLocalCertificate(sslClientCertificate);
sslConfig.setPrivateKey(privateKey);
qDebug() << "Added SSL client certificate to the query";
}
+ // Try hard to re-use session for different requests
+ sslConfig.setSslOption(QSsl::SslOptionDisableSessionTickets, false);
+ sslConfig.setSslOption(QSsl::SslOptionDisableSessionSharing, false);
+ sslConfig.setSslOption(QSsl::SslOptionDisableSessionPersistence, false);
+
return sslConfig;
}
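Review bot: The three `setSslOption` calls are compiled unconditionally, while the request helpers in this file guard their SSL code with `QT_VERSION > QT_VERSION_CHECK(4, 8, 4)`. As far as I recall, `QSsl::SslOptionDisableSessionSharing`, `QSsl::SslOptionDisableSessionPersistence` and the `sessionTicket()` call added in the networkjobs.cpp hunk only exist from Qt 5.2, so this should be checked against the oldest Qt the project still builds with. If Qt 4 is still supported, wrap both spots in `#if QT_VERSION >= QT_VERSION_CHECK(5, 2, 0)` and `#endif`. A comment should also say that with persistence enabled the session ticket lives inside the shared `_sslConfiguration`, so that object is session state and should be dropped on logout or account removal. The function starts outside this hunk.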
diff --git a/src/libsync/account.h b/src/libsync/account.h
index 0ae2977..1362488 100644
--- a/src/libsync/account.h
+++ b/src/libsync/account.h
@@ -124,7 +124,7 @@ public:
QNetworkReply* davRequest(const QByteArray &verb, const QUrl &url, QNetworkRequest req, QIODevice *data = 0);
/** The ssl configuration during the first connection */
- QSslConfiguration createSslConfig();
+ QSslConfiguration getOrCreateSslConfig();
QSslConfiguration sslConfiguration() const { return _sslConfiguration; }
void setSslConfiguration(const QSslConfiguration &config);
/** The certificates of the account */
diff --git a/src/libsync/networkjobs.cpp b/src/libsync/networkjobs.cpp
index 7e92d96..55ed631 100644
--- a/src/libsync/networkjobs.cpp
+++ b/src/libsync/networkjobs.cpp
@@ -587,6 +587,11 @@ bool CheckServerJob::finished()
{
account()->setSslConfiguration(reply()->sslConfiguration());
+ if (reply()->request().url().scheme() == QLatin1String("https")
+ && reply()->sslConfiguration().sessionTicket().isEmpty()) {
+ qDebug() << "No SSL session identifier / session ticket is used, this might impact sync performance negatively.";
+ }
+
// The serverInstalls to /owncloud. Let's try that if the file wasn't found
// at the original location
if ((reply()->error() == QNetworkReply::ContentNotFoundError) && (!_subdirFallback)) {
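Review bot: The context line `account()->setSslConfiguration(reply()->sslConfiguration());` stores the reply's configuration unconditionally, and after this commit that stored object is what `getOrCreateSslConfig()` returns for every later request. The new `https` test only gates the debug message. I would apply the same test to the store, so that a plain-http check cannot replace the locally built configuration that carries the client certificate: `if (reply()->request().url().scheme() == QLatin1String("https")) account()->setSslConfiguration(reply()->sslConfiguration());`. Whether a non-TLS reply yields a null configuration is not visible here and should be confirmed against Qt's behaviour. `finished()` continues beyond the hunk.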
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud-client.git