Add the ability to do unsafe SSL renegotiation as a fallback.

This commit adds the ability to perform legacy SSL renegotiation as
a fallback via QSsl::SslOptions. This is something that used to work,
but has been disabled by default in newer versions of openssl. The
need for this has been reported by users (eg. in QTBUG-14983).

Change-Id: I5b80f3ffd07e0c5faddc469f6a8f857bac5740f7
Reviewed-by: Corentin Chary <corentin.chary@gmail.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index db72f9a519..be4ca028fb 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -141,9 +141,15 @@ QT_BEGIN_NAMESPACE
     \value SslOptionDisableServerNameIndication Disables the SSL server
     name indication extension. When enabled, this tells the server the virtual
     host being accessed allowing it to respond with the correct certificate.
+    \value SslOptionDisableLegacyRenegotiation Disables the older insecure
+    mechanism for renegotiating the connection parameters. When enabled, this
+    option can allow connections for legacy servers, but it introduces the
+    possibility that an attacker could inject plaintext into the SSL session.
 
     By default, SslOptionDisableEmptyFragments is turned on since this causes
-    problems with a large number of servers, but the other options are disabled.
+    problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+    is also turned on, since it introduces a security risk. The other options
+    are turned off.
 
     Note: Availability of above options depends on the version of the SSL
     backend in use.