h1. Improving Qt's SSL Support

Qt has pretty good support for SSL that is sufficient for a lot of common uses, but the SSL support is missing a number of features that exist in applications such as Firefox, Internet Explorer or Opera. In addition, whilst Qt uses OpenSSL for the underlying implementation of SSL, it only provides an API for a small subset of the available facilities. I've been doing some work to enhance the SSL support in Qt, and have been asked to put together this page, which is a cross between a TODO list, a set of links to existing solutions, and a pie-in-the-sky wishlist.

h2. Areas for Improvement

There are a number of missing facilities in Qt's SSL support right now; here's a rough list, cross-referenced with the QTBUG tracking number:

* No support for OCSP (Online Certificate Status Protocol), QTBUG-12812
* No support for EV (Extended Validation) certificates, QTBUG-12815
* No support for the SNI (Server Name Indication) extension, QTBUG-1352
* No support for intermediate certificates when acting as a server socket, QTBUG-13281
* No DNS pinning (though there is a DNS cache minimising this issue), QTBUG-12814
* No simple API for enabling only SSL3 and TLS1 while disabling SSL2, QTBUG-12338 and QTBUG-15220
* No API for the SSL context, QTBUG-14983
* No support for creating certificates

It should be noted that most of these issues only affect a tiny minority of possible uses. That said, wouldn't it be nice if we had support for them in Qt with a nice API!

h2. Work Underway

This would be a depressing page if it wasn't for the fact that these issues are being addressed. So, let's look at the areas where progress is already being made:

h3. (OCSP) Online Certificate Status Protocol Support

I've implemented the basic facilities required for OCSP support in Qt, specifically accessors for the AIA (Authority Information Access) field of the certificate, and classes to generate and validate OCSP requests and responses. Still remaining is the integration of this code into the QNetworkAccessManager and QSslSocket classes, and a cache of the results. As of Jan 2011 this is actively moving forward. The code is currently in my personal clone at http://qt.gitorious.org/~rich/qt/richs-clone/commits/fix-wildcard-certificates

h3. (SNI) Server Name Indication

There's a merge request that needs some work at http://qt.gitorious.org/qt/qt/merge_requests/1574 and, in addition to the original author, a couple of other developers have expressed an interest in getting this one tidied up and merged.

h3. SSL Context API

There appears to be active work from Nokia on this issue, as can be seen from the task tracker in QTBUG-14983. This will also allow sharing of the SSL context between requests, removing the need for a round trip and a full SSL negotiation each time.

h2. Solved Issues

This section is for areas that have been put to bed:

* Qt used shell globs for certificate wildcard matching rather than the newer, more restrictive policies. QTBUG-4455 [resolved]

h2. To Do Lists

Mine is roughly this:

* OCSP
* Intermediate certificates for server sockets
* Enable SSL3/TLS1 but disable SSL2
* EV certificates
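To illustrate the wildcard point under Solved Issues above, here is an added example (not Qt's code, and not the fix from QTBUG-4455) that puts a shell-glob match, via POSIX fnmatch(3), beside a strict leftmost-label-only wildcard check of the RFC 2818/6125 kind; the matching rules in strictMatch are this example's own assumption about what "more restrictive" means.

```cpp
#include <fnmatch.h>
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Lower-case a host name so comparisons are case-insensitive.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Split a DNS name into its labels: "a.b.c" -> {"a", "b", "c"}.
static std::vector<std::string> labels(const std::string &name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); } else { cur += c; }
    }
    out.push_back(cur);
    return out;
}

// Permissive check: the certificate name is treated as a shell glob. Without
// FNM_PERIOD a '*' spans dots, so "*.example.com" also matches
// "a.b.example.com", and a bare "*" matches any host at all.
bool globMatch(const std::string &certName, const std::string &host) {
    return fnmatch(lower(certName).c_str(), lower(host).c_str(), 0) == 0;
}

// Strict check (assumed policy, RFC 2818 / RFC 6125 style): at most one '*',
// it must be the entire leftmost label, it never spans a dot, and at least
// two literal labels must follow so "*.com" or "*" cannot cover a whole TLD.
bool strictMatch(const std::string &certName, const std::string &host) {
    const std::vector<std::string> c = labels(lower(certName));
    const std::vector<std::string> h = labels(lower(host));
    if (c.size() != h.size() || c.empty()) return false;
    if (certName.find('*') == std::string::npos) return c == h;
    if (c[0] != "*" || c.size() < 3 || h[0].empty()) return false;
    return std::equal(c.begin() + 1, c.end(), h.begin() + 1);
}

int main() {
    const char *cert = "*.example.com", *host = "a.b.example.com";  // constructed
    std::printf("%s vs %s: glob=%d strict=%d\n", cert, host,
                globMatch(cert, host), strictMatch(cert, host));
    return 0;
}
```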