Secure Sockets Layer (SSL) Classes
Classes for secure communication over network sockets.
The classes below provide support for secure network communication using the Secure Sockets Layer (SSL) protocol, using a native TLS backend, the OpenSSL Toolkit, or any appropriate TLS plugin to perform encryption and protocol handling.
QDtlsClientVerifier: This class implements server-side DTLS cookie generation and verification.
QDtlsClientVerifier.GeneratorParameters: This class defines parameters for the DTLS cookie generator.
QDtls.QDtlsError: Describes errors that can be found by QDtls and QDtlsClientVerifier.
QDtls: This class provides encryption for UDP sockets.
QDtls.HandshakeState: Describes the current state of a DTLS handshake.
QOcspResponse: This class represents an Online Certificate Status Protocol response.
QOcspResponse.QOcspCertificateStatus: Describes the Online Certificate Status.
QOcspResponse.QOcspRevocationReason: Describes the reason for revocation.
QSsl: The QSsl namespace declares enums common to all SSL classes in Qt Network.
QSslSocket.AlertLevel: Describes the level of an alert message.
QSslSocket.AlertType: Enumerates possible codes that an alert message can have.
QSslSocket.ImplementedClass: Enumerates classes that a TLS backend implements.
QSslSocket.SupportedFeature: Enumerates possible features that a TLS backend supports.
QSslCertificate: The QSslCertificate class provides a convenient API for an X509 certificate.
QSslCertificateExtension: The QSslCertificateExtension class provides an API for accessing the extensions of an X509 certificate.
QSslCipher: The QSslCipher class represents an SSL cryptographic cipher.
QSslConfiguration: The QSslConfiguration class holds the configuration and state of an SSL connection.
QSslDiffieHellmanParameters: The QSslDiffieHellmanParameters class provides an interface for Diffie-Hellman parameters for servers.
QSslEllipticCurve: Represents an elliptic curve for use by elliptic-curve cipher algorithms.
QSslError: The QSslError class provides an SSL error.
QSslKey: The QSslKey class provides an interface for private and public keys.
QSslPreSharedKeyAuthenticator: The QSslPreSharedKeyAuthenticator class provides authentication data for pre-shared key (PSK) ciphersuites.
QSslServer: Implements an encrypted, secure TCP server over TLS.
QSslSocket: The QSslSocket class provides an SSL encrypted socket for both clients and servers.
For Android applications see Adding OpenSSL Support for Android.
Using Encryption in Networked Applications
Use encryption when transporting data on any network whenever possible. Plaintext, which is unencrypted data that is easily readable, exposes sensitive data such as user information and information about network systems.
Use connectToHostEncrypted() to connect using encryption and check for SSL issues using sslHandshakeErrors(). Use ignoreSslErrors() with caution, as it creates security risks in your application.
Use QSslConfiguration to enforce strong security settings. The supported protocols depend on the SSL backend, and the risk level of a protocol could change in the future. You can select a newer and more secure protocol using setProtocol(). For the available protocols, refer to SslProtocol.
Enabling and Disabling SSL Support when Building Qt from Source
When building Qt from source, Qt builds plugins for native TLS libraries that are supported for the operating system you are building for. For Windows this means Schannel, while for macOS this is Secure Transport.
On all platforms, the configuration system checks for the presence of the openssl/opensslv.h header provided by source or developer packages of OpenSSL. If found, it will enable and build the OpenSSL backend for Qt.
Note: While Qt can still support the older OpenSSL 1.1.1 version when built from sources, the builds of Qt in the Qt Online Installer require OpenSSL 3 at runtime.
By default, an OpenSSL-enabled Qt library dynamically loads any installed OpenSSL library at run-time. However, it is possible to link against the library at compile-time by configuring Qt with the -openssl-linked option.
When building a version of Qt linked against OpenSSL, Qt’s build system will use CMake’s FindOpenSSL command to find OpenSSL in several standard locations. You can set the CMake variable OPENSSL_ROOT_DIR to force a specific location.
For example:
configure -openssl-linked -- -D OPENSSL_ROOT_DIR=<openssl_dir>
To disable SSL support in a Qt build, configure Qt with the -no-openssl option.
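As an added pre-flight check (not part of Qt's configure or the Qt documentation), the script below mirrors the header detection described above: it looks for include/openssl/opensslv.h under a candidate OPENSSL_ROOT_DIR, reads the OpenSSL version from the header, and reports whether the headers are OpenSSL 3 (what the Qt Online Installer builds require at runtime) or the older 1.1.1 line. The two header excerpts are constructed samples in the style of the real opensslv.h; the 1.x branch decodes the packed OPENSSL_VERSION_NUMBER macro (0xMNNFFPPS), the 3.x branch reads the separate OPENSSL_VERSION_MAJOR/MINOR/PATCH macros.

```python
"""Added example, not from the Qt documentation: check an OPENSSL_ROOT_DIR
candidate the way Qt's configure looks for openssl/opensslv.h, and report
the OpenSSL version found there."""
import re
from pathlib import Path
from typing import Optional, Tuple

# OpenSSL 3.x declares separate MAJOR/MINOR/PATCH macros.
_V3_RE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)", re.MULTILINE)
# OpenSSL 1.x declares one packed hex number, 0xMNNFFPPS.
_V1_RE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+0x([0-9A-Fa-f]+)L?", re.MULTILINE)

# Constructed sample excerpts (not copied from any OpenSSL release).
OPENSSL3_HEADER_SAMPLE = """\
/* constructed excerpt in the style of an OpenSSL 3 opensslv.h */
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  2
# define OPENSSL_VERSION_STR "3.0.2"
"""
OPENSSL111_HEADER_SAMPLE = """\
/* constructed excerpt in the style of an OpenSSL 1.1.1 opensslv.h */
# define OPENSSL_VERSION_NUMBER  0x1010100fL
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1  11 Sep 2018"
"""


def openssl_version_from_header(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) parsed from opensslv.h text, or None."""
    parts = {m.group(1): int(m.group(2)) for m in _V3_RE.finditer(text)}
    if set(parts) >= {"MAJOR", "MINOR", "PATCH"}:
        return parts["MAJOR"], parts["MINOR"], parts["PATCH"]
    m = _V1_RE.search(text)
    if m:
        n = int(m.group(1), 16)
        # 0xMNNFFPPS: M = major, NN = minor, FF = fix; PP (patch letter)
        # and S (status nibble) are not needed for a major/minor/fix triple.
        return (n >> 28) & 0xF, (n >> 20) & 0xFF, (n >> 12) & 0xFF
    return None


def find_opensslv_header(root_dir) -> Optional[Path]:
    """Locate <root_dir>/include/openssl/opensslv.h, the file configure probes for."""
    candidate = Path(root_dir) / "include" / "openssl" / "opensslv.h"
    return candidate if candidate.is_file() else None


def meets_online_installer_requirement(version: Tuple[int, int, int]) -> bool:
    """Qt Online Installer builds need OpenSSL 3 at runtime."""
    return version[0] >= 3


def check_openssl_root(root_dir) -> str:
    """Human-readable verdict for a candidate OPENSSL_ROOT_DIR."""
    header = find_opensslv_header(root_dir)
    if header is None:
        return (f"no include/openssl/opensslv.h under {root_dir}: "
                "configure will skip the OpenSSL backend")
    version = openssl_version_from_header(
        header.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return f"{header}: could not determine the OpenSSL version"
    label = "OpenSSL %d.%d.%d" % version
    if meets_online_installer_requirement(version):
        return f"{header}: {label} (OpenSSL 3 line, matches installer builds)"
    return f"{header}: {label} (works for source builds only)"


if __name__ == "__main__":
    import sys
    # Usage: python check_openssl_root.py <openssl_dir>
    print(check_openssl_root(sys.argv[1] if len(sys.argv) > 1 else "/usr"))
```

Run it with the same directory you intend to pass as OPENSSL_ROOT_DIR; a "skip" verdict means configure would silently build without the OpenSSL backend.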
Considerations While Packaging Your Application
When you package your application, you may run a tool like windeployqt. This copies all the plugins for the libraries you use to the plugins/ folder. However, for TLS you only need one backend, and you may delete the other plugins before packaging your application. For example, if you’re on Windows and don’t require any of the extra features the OpenSSL backend provides, you can choose to forego shipping the qopensslbackend plugin as well as the OpenSSL library, and simply ship the qschannelbackend plugin.
However, shipping multiple backends is not a problem. Qt will attempt to load the backends in order (with OpenSSL attempted first) until one is successfully loaded. The other backends are then unused.
Datagram Transport Layer Security
Datagram Transport Layer Security (DTLS) is a protocol that enables security for datagram-based applications, providing them with protection against eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol. QtNetwork enables the use of DTLS with User Datagram Protocol (UDP), as defined by RFC 6347.
Import and Export Restrictions
Import and export restrictions apply for some types of software, and for some parts of the world. Developers wishing to use SSL communication in their deployed applications should either ensure that their users have the appropriate libraries installed, or they should consult a suitably qualified legal professional to ensure that applications using code from the OpenSSL project are correctly certified for import and export in relevant regions of the world.
Refer to Export Control of Qt Framework and Tools for more information.