diff --git a/0001-Fix-ssl.patch b/0001-Fix-ssl.patch
deleted file mode 100644
index 2dc56d3..0000000
--- a/0001-Fix-ssl.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
-index 22a150b6..fa77d96f 100644
---- a/src/murmur/Server.cpp
-+++ b/src/murmur/Server.cpp
-@@ -1373,25 +1373,6 @@ void Server::newClient() {
- sock->setPrivateKey(qskKey);
- sock->setLocalCertificate(qscCert);
- 
-- QSslConfiguration config = sock->sslConfiguration();
--#if QT_VERSION >= QT_VERSION_CHECK(5,15,0)
-- // Qt 5.15 introduced QSslConfiguration::addCaCertificate(s) that should be preferred over the functions in QSslSocket
--
-- // Treat the leaf certificate as a root.
-- // This shouldn't strictly be necessary,
-- // and is a left-over from early on.
-- // Perhaps it is necessary for self-signed
-- // certs?
-- config.addCaCertificate(qscCert);
--
-- // Add CA certificates specified via
-- // murmur.ini's sslCA option.
-- config.addCaCertificates(Meta::mp.qlCA);
--
-- // Add intermediate CAs found in the PEM
-- // bundle used for this server's certificate.
-- config.addCaCertificates(qlIntermediates);
--#else
- // Treat the leaf certificate as a root.
- // This shouldn't strictly be necessary,
- // and is a left-over from early on.
-@@ -1406,8 +1387,8 @@ void Server::newClient() {
- // Add intermediate CAs found in the PEM
- // bundle used for this server's certificate.
- sock->addCaCertificates(qlIntermediates);
--#endif
- 
-+ QSslConfiguration config = sock->sslConfiguration();
- config.setCiphers(Meta::mp.qlCiphers);
- #if defined(USE_QSSLDIFFIEHELLMANPARAMETERS)
- config.setDiffieHellmanParameters(qsdhpDHParams);
diff --git a/4414.patch b/4414.patch
new file mode 100644
index 0000000..c6c7b28
--- /dev/null
+++ b/4414.patch
@@ -0,0 +1,43 @@
+From b47e309f3113a3c147070d42e27a2d96ecffb6b8 Mon Sep 17 00:00:00 2001
+From: MadMaurice
+Date: Tue, 11 Aug 2020 22:43:02 +0200
+Subject: [PATCH] FIX(certificate): Retrieve QSslConfiguration after setting CA
+
+Commit bdb12c6 added a regression for servers built with QT older than version
+5.15. After this commit these servers do not serve intermediate certificates
+anymore. This happens because the QSslConfiguration is retrieved before adding
+the CA certificates to the socket and is reinserted into the socket again after
+adding the CA certificates, thereby overwriting the CA certificates added in
+between.
+
+This commit fixes that by retrieving the QSslConfiguration just after setting
+the CA certificates in case an older QT version than 5.15 is used.
+---
+ src/murmur/Server.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
+index 22a150b621..9b76709bf9 100644
+--- a/src/murmur/Server.cpp
++++ b/src/murmur/Server.cpp
+@@ -1373,8 +1373,9 @@ void Server::newClient() {
+ sock->setPrivateKey(qskKey);
+ sock->setLocalCertificate(qscCert);
+ 
+- QSslConfiguration config = sock->sslConfiguration();
++ QSslConfiguration config;
+ #if QT_VERSION >= QT_VERSION_CHECK(5,15,0)
++ config = sock->sslConfiguration();
+ // Qt 5.15 introduced QSslConfiguration::addCaCertificate(s) that should be preferred over the functions in QSslSocket
+ 
+ // Treat the leaf certificate as a root.
+@@ -1406,6 +1407,9 @@ void Server::newClient() {
+ // Add intermediate CAs found in the PEM
+ // bundle used for this server's certificate.
+ sock->addCaCertificates(qlIntermediates);
++
++ // Must not get config from socket before setting CA certificates
++ config = sock->sslConfiguration();
+ #endif
+ 
+ config.setCiphers(Meta::mp.qlCiphers);
diff --git a/Dockerfile b/Dockerfile
index bd2d6c0..024cb5f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,11 +27,11 @@ RUN apt-get update -yqq && apt-get install -yqq \
 git --no-install-recommends
 WORKDIR /usr/src/murmur
-COPY 0001-Fix-ssl.patch /
+COPY 4414.patch /
 RUN \
 git clone https://github.com/mumble-voip/mumble.git . \
 && git checkout master \
- && git apply /0001-Fix-ssl.patch \
+ && git apply /4414.patch \
 && git submodule init \
 && git submodule update
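Review bot: The new `git apply /4414.patch` step is applied to whatever upstream `master` is at build time, because the unchanged `git checkout master` line just above it pins nothing. The patch was generated against one specific revision of `src/murmur/Server.cpp` (blob `22a150b621` in its header), so the build will start failing as soon as upstream changes that region or merges the same fix. Every rebuild in between also pulls unreviewed upstream code into the image that terminates TLS. Pin the checkout to a reviewed commit the patch is known to apply to, e.g. `&& git checkout <PINNED_UPSTREAM_COMMIT> \` (placeholder; the page does not name one), and drop the patch once the pinned commit already contains the fix.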