Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-126610

HTTP2 Support leaks information

XMLWordPrintable

    • All
    • b1e75376c (dev), 0fb43e439 (6.8), 2b1e36e18 (6.7), 2b3048b35 (tqtc/lts-6.5), db8bd4ea2 (tqtc/lts-6.2), bb1006b78 (tqtc/lts-5.15)

      Evertime we start a TLS connection we check for our own tls verification and abort the connection in QNetworkReply::encrypted if it is not valid. Usual case....
      But if the server supports HTTP2 and send some HTTP stuff Qt will send data even if QNetworkReply::abort was called.

      In our case we manually follow a Redirect until an address matches. If the address matches check the TLS certificate only and aborts the QNetworkReply.
      As you can see in the screenshot the server will send HTTP2 SETTINGS and Qt will send the HTTP GET even the QNetworkReply was aborted.

      This helps as a work-around at the moment.
      request.setAttribute(QNetworkRequest::Http2AllowedAttribute, false);

      void dummy:example()
{
	QNetworkRequest request(mUrl);
	mReply = Env::getSingleton<NetworkManager>()->get(request);

	connect(mReply.data(), &QNetworkReply::sslErrors, this, &dummy::onSslErrors);
	connect(mReply.data(), &QNetworkReply::encrypted, this, &dummy::onSslHandshakeDone);
}

void dummy:onSslHandshakeDone()
{
   // do some stuff
   mReply->abort();
}

        1. fixed.png
          fixed.png
          237 kB
        2. whireshark.png
          whireshark.png
          307 kB
        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            manordheim Mårten Nordheim
            misery André Klitzing
            Vladimir Minenko Vladimir Minenko
            Alex Blasche Alex Blasche
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: