Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-83450

Qt incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.12.2, 5.12.3, 5.12.4, 5.12.5, 5.12.6, 5.12.7, 5.12.8, 5.13.0, 5.13.1, 5.13.2, 5.14.0, 5.14.1, 5.14.2
    • Fix Version/s: 5.12.9, 5.15.0 Beta4
    • Component/s: Network: SSL
    • Labels:
      None
    • Commits:
      8907635da59c2ae0e8db01f27b24a841b830e655 (qt/qtbase/5.15) 8ddffc6ba4f38bb8dbeb0cf61b6b10ee73505bbb (qt/qtbase/5.15) 36a8bdbc8417506513207daf4f36533a3d6632f3 (qt/tqtc-qtbase/5.12)

      Description

      In https://code.qt.io/cgit/qt/qtbase.git/commit/?id=93a803a6de27d9eb57931c431b5f3d074914f693 Qt incorrectly calls SSL_shutdown() in OpenSSL mid-handshake and the resulting error is not handled. This affects all versions >= 5.12.2.

      Additionally, there appears to be another issue that causes Qt to emit error() from unrelated QSslSocket(s). This means that closing a connection early will terminate other TLS connections leading to an extremely simple and effective denial of service attack in programs that use Qt's TLS implementation. For example, see this issue report for Mumble: https://github.com/mumble-voip/mumble/issues/3679

      For correct usage of OpenSSL, see how NGINX handles this: https://github.com/nginx/nginx/blob/65ae8b315211988a821bdc32050768f41571ddae/src/event/ngx_event_openssl.c#L2732-L2824

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            tpochep Timur Pocheptsov
            Reporter:
            tredwell Tredwell Tredwell
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Gerrit Reviews

                There are no open Gerrit changes