Qt application - uses TLS1.0 - qt

UPDATE
Problem persists in some PC's with Windows 7 and 10. Wireshark states that the requests are getting done with Tlsv1.0.
I read that there is a workaround adding registry keys, but though I tried it and none of them work (disabling Tls1.0 and enabling Tls1.1 and 1.2), I don't want my clients to do such a procedure. I want to tell my app to use 1.2 only.
EOU
I wrote an app using Qt, which performs standard get requests to my website in https://www.myprefix.mydomain.com.
Now, the deployed app on Windows works on computers with TLS version 1.2, but the request gets blocked if the computer has TLS 1.0 enabled. To conclude this I wrote a minimal app (hello world, are u there server?) and checked the Wireshark entries in both computers and that appears to be the only difference. According to Wireshark, if TLS1.0 is available, then my app uses TLS1.0 (regardless of the presence of 1.2) and gets blocked.
I know that 1.0 is no longer considered secure, so I want to tell my Qt app to use only TLS1.+.
I would rather not use http (later I'll get sensitive information) and not tell my clients to disable TLS1.0. Can this be hardcoded into the Qt app?
I have tried with this:
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
config.setProtocol(QSsl::TlsV1_2);
QSslConfiguration::setDefaultConfiguration(config);
But the app still uses TLS1.0 when available, and the server blocks the request (rightly so).

The pre-built packages of Qt supports OpenSSL (on Windows and Linux, macOS uses the SecureTransport framework by default) but they don't provide it as there are specific restrictions in some countries regarding software with cryptographic capabilities.
Therefore, if you have your application working and didn't specifically install OpenSSL on your Windows machine, it means that there's a copy of it laying around in your system. You should find it and if possible remove the containing folder from your PATH environment variable.
Next, you should grab a recent version of OpenSSL. Then you can either copy the dlls in your application folder to ensure they get picked modify the PATH environment variable in Qt Creator (the Run part of the Project panel) so your application can find it.
Note that you currently have to use OpenSSL 1.0.X. If you want 1.1 support you can get it starting with Qt 5.10 but you would have to re-build Qt yourself.

Related

Qt application running with `-platform offscreen` argument cannot establish websocket connection

I have a GUI application which contains a websocket server QWebSocketServer. I also have a python script which sends messages and the application processes them. Everything works well. During testing I wanted to run the application in headless mode using -platform offscreen command line argument added to the app executable name (I changed nothing else). But the problem is that when the application runs off-screen, the client script cannot establish connection with the web socket server. I tested this on localhost only. I do not understand how this two things, visibility of GUI and websockets, can interfere. Any ideas what could go wrong?
Note: I am using Qt 5.11.1 64-bit with VS 2017 on Windows 10 Pro.
A platform plugin is a bit more than merely "GUI". The -platform option selects a family of platform-specific plugins. Perhaps some plugins that make networking work are absent on that platform spec. That's very likely, since the offscreen platform is only a proof-of-concept: it's to show how you'd write a platform plugin. It's example code, and it does the bare minimum needed. It's nothing that you should be using for production without fully understanding what's there and how it works - it wasn't not meant for it, at least not the last time I looked at it. It shouldn't be hard to make it work, but you'd need to clone the source and start hacking on it.

"Swing-Shell" java.lang.InternalError: Could not initialize COM: HRESULT=0x80010106

I have a Java 9 app that I'm trying to package for the Windows Store. The strange thing is that it works as expected when I run the exe-launcher directly, but I get the following strange error when I run the launcher via the APPX package:
Exception in thread "Swing-Shell" java.lang.InternalError: Could not
initialize COM: HRESULT=0x80010106
at java.desktop/sun.awt.shell.Win32ShellFolderManager2.initializeCom(Native Method)
at java.desktop/sun.awt.shell.Win32ShellFolderManager2$ComInvoker$1.run(Unknown Source at java.base/java.lang.Thread.run(Unknown Source)
HRESULT=0x80010106 means RPC_E_CHANGED_MODE which I guess means that COM is somehow already initialized in MTA mode. But why is this only an issue in the Windows Bridge sandbox? Does the Windows Bridge somehow pre-initialize COM somehow for some reason?
I'm not sure if this is a Java 9 issue, or a Desktop Bridge issue, or both. Does anybody have any ideas on how to identify the cause of the issue or workaround?
I have made a minimal Sample Project to reproduce the issue
The application works when executed directly, but not when executed via the APPX launcher. Why?
Analysis
The JDK parts, that rely on COM being initialized (D3DPipeline, Sound and windows shellfolder access) all follow the same pattern:
the run the code in a separate thread
for this thread CoInitialize is called
at the end of the user level code CoUnitialize is called
This is in line with the documentation the MSDN holds for COM and the analysis is correct, the error indicates, that the COM subsystem is already initialized to be MTA threaded.
So I modified the java launcher (jvm.dll) and inserted
debugging statements into some of the native methods in os_windows.cpp.
I focused on the threading methods. What I found was this:
create_main_thread, create_os_thread, pd_start_thread all
run with COM not yet initialized
the native thread initializer (thread_native_entry) is already
running with COM initialized
I looked more into in _beginthreadex and indeed I finally found a lead
on stackoverflow. That pointed me to the sourcecode of threadex.c,
which is part of the Visual Studio 2013 Express Installation.
There you find, that _beginthreadex does not directly start the
supplied thread function, but runs a library initializer
(_threadstartex) first. Part of this initializer reads:
_ptd->_initapartment = __crtIsPackagedApp();
if (_ptd->_initapartment)
{
_ptd->_initapartment = _initMTAoncurrentthread();
}
_callthreadstartex();
_crtIsPackagedApp detects via a kernel function if the application is
run as a "PackagedApp" (i.e. AppX package) and if so, then the
RoInitialize function is called, which from my understanding acts like the big
brother of CoInitialize.
Long story short: If your application is build with Visual Studio 2013
and run as a packaged application, you get a broken environment.
It was confirmed, that the working versions of the Oracle JDK were build with VS2010 SP1 and the broken version was build with VS2013SP4.
Workaround
With the above information google finally found a reference, that supports the analysis:
https://blogs.msdn.microsoft.com/vcblog/2016/07/07/using-visual-c-runtime-in-centennial-project/
Quote from that article:
Note that the existing VC++ 12.0 libraries created during the
Windows 8 timeframe have runtime checks to determine whether the
app is running under the app container or not. When running
desktop apps as a packaged app, these checks might limit the
functionality of the desktop app or cause it to behave like a UWA
(Universal Windows Application) (limited file system access or
create thread initializing MTA etc.). We have fixed this behavior
in the VC++ libraries contained in these framework packages and
thus removing the modern app limitations from your desktop
applications.
So I see to options to fix applications, that shall be distributed as AppX packages:
either force the users to have the updates VC++ 12.0 binaries installed (by introducing the dependency cited in the blog post) or
replace the msvcr120.dll that is bundled with Java 9 (and I assume also Java 10) with the fixed version from the update packages
I would go with the second version and I tested this. Starting with a clean up-to-date Windows 10 System, I installed JDK 9.0.4, I cloned the supplied testcase, modified it use the locally installed JRE (not the JDK!) and build the appx package. Running this, I reproduced the problem. I then replaced the msvcr120.dll's in the JRE folder of my systems installation with the one contained in the APPX container from:
https://www.microsoft.com/en-us/download/details.aspx?id=53176
Hint: *.appx are just ZIP files with additional signatures, so you can
just rename them and extract the contents.
I rebuild the testcase and it is working as it should (no COM
initialization errors anymore).

AS400 iSeries Client Access multiple versions

We are running an AS400 v5r2 and I have iSeries Client access installed. Since v5r2 does not support a x64 ODBC driver does anyone know how I can either install two versions (v5r4 supports x64) of iSeries Client Access on the same box or just install the x64 odbc driver from the more recent version without uninstalling all of v5r2 components.
Installing two versions of Client Access is probably not going to work, since both register their ODBC drivers with the same name, so only one would be available at a given time.
OTOH the PC side of V5R4 Client Access would probably work without problem with a V5R2 OS/400; perhaps even 6.1 iSeries Access, too. So you can upgrade the x64 box and check whether everything is working. FYI, I had problems with the first versions of 6.1 iSeries Access when running on x64 boxes, later versions were a bit better; also, I do not remember that V5R4 Client Access had a 64-bit variant at all.
Do not forget that on a x64 PC, there are two different ODBC drivers, one for 32-bit applications (stored on C:\WINDOWS\SysWOW64\cwbodbc.dll and that you can manage with the 32-bit administradorC:\WINDOWS\SysWOW64\odbcad32.exe), and another one for 64-bit applications (stored on C:\WINDOWS\System32\cwbodbc.dll and that you can manage with the 64-bit administrador C:\WINDOWS\System32\odbcad32.exe.) Unless your application is recompiled for 64-bit, what you are interested in is the former one, and if V5R2 Client Access runs flawlessly on that PC, everything is fine. Some applications like Office 2010 come in two flavours, but precisely for compatibility reasons like ODBC, it is still recommended to run the 32-bit variant even on 64-bit workstations.
1) V5R2 is very dead. You aren't going to get a lot of help when it comes to supporting an OS this old.
2) V5R4 is also dead.
3) Generally speaking, IBM intends that Client Access will work for operating systems two levels back and two levels ahead, so you could try using a V5R4 ODBC driver against a V5R2 DB2. The issue is going to be getting a V5R4 version of Client Access.
4) If you have questions about admin issues like this, Server Fault is probably the better choice.
EDIT: Add details of Client Access installation
Client Access has two logical pieces, a server side component and a client side component. Both pieces are available in the IFS, in the QIBM directory tree. If you have an already-working setup of Client Access on the server side, you can install the client side one of two ways:
1) Map a network drive to the IFS and run setup from there. This obviously won't be helpful to you because the V5R2 software doesn't support x64. If you are still under software maintenance, you could order a newer version of Client Access and install it on the server, and then use the newer version to install the needed ODBC driver.
2) Use the IBM-supplied CD to install the client component directly on the client. This allows you to install a different client version than the one on the server. Not generally recommended but in the case where you're migrating away from an unsupported machine, it's probably not a big worry. If your company ordered V5R4 at any time, you have the Client Access CDs.
The key thing for you is that you don't need to install the full Access product if all you need is the ODBC driver.
The biggest problem facing you is the age of the software. IBM stopped supporting V5R4 in Sep 2013. You aren't going to be able to place an order for it with IBM. You might be able to order V6R1 but the ODBC driver may not work with V5R2 - you'd have to try it. See the IBM i Access web site for details, but it's not downloadable.
If you can use OLEDB, try IBM's FTP site.

Machine Key generation feature not exist in latest IIS Version

Answering one of the recent question on SO, i encountered this anomaly.
This msdn blog suggests using IIS to generate machine key, which looks more secure to me as Microsoft tool being used. However, it seems this feature is only supported until IIS 7 or less.
I don't find it on my box IIS 8.5. I checked on IIS 7.5 and its not present there either. However, I found it in IIS 6.1 on a coworker box.
I am wondering whether:
It still exist in IIS latest versions, if yes, how to use it?
If it is removed from latest version of IIS, what's suggested approach from Microsoft to generate a secure enough machine key?
Is it safe to use these custom generators?
a. Machine Key Generator (online)
b. ASP.NET machineKey Generator (tool you can modify)
See https://support.microsoft.com/kb/2915218#AppendixA for information on how to generate a <machineKey> element. There's a script there that you can copy & paste into a Powershell window.
Reminder: only use keys that you generated yourself on your own machine. Never use an online generator.
As for mentioned by #ryanulit, you can just copy the script directly to your PowerShell window
Steps :
Open powershell window (anywhere is fine)
Copy the script from the microsoft link and paste in your powershell window and press enter
Type Generate-MachineKey -validationAlgorithm SHA1
That's it. Your machine key description will show up in the window.
PowerShell image sample from my PC
Script Link from Microsoft http://support.microsoft.com/kb/2915218#AppendixA
I know I came to very late to provide this answer. Hope this helps for any others.
I'm using the latest IIS 10(which is the latest)
By default, the Machine Key feature is not installed when enabling the Internet Information Service in the windows features.
You need to install ASP.NET XX from the World Wide Web Service
After installing this, you can generate your keys from the Machine Key Option.
Make a copy of the administration.config file in C:\Windows\System32\inetsrv\config. Then, in the <moduleProviders> node under <!-- ASP.NET Modules--> remove the MachineKey node. Then run iisreset. Re-open IIS and see if the ASP.NET area is present. If it is, put the MachineKey node back in the administration.config file (or just re-instate the original config file) and run iisreset again.

How can I enable auto-updates in a Qt cross-platform application?

I love applications that are able to update themselves without any effort from the user (think: Sparkle framework for Mac). Is there any code/library I can leverage to do this in a Qt application, without having to worry about the OS details?
At least for Windows, Mac and user-owned Linux binaries.
I could integrate Sparkle on the Mac version, code something for the Linux case (only for a standalone, user-owned binary; I won't mess with distribution packaging, if my program is ever packaged), and find someone to help me on the Windows side, but that's horribly painful.
It is not a complete solution, but a cross-platform (Windows, Mac, Linux) tool for creating packages for auto-updates and installing them is available at https://github.com/mendeley/Update-Installer. This tool does not deal with publishing updates or downloading them.
This was written for use with a Qt-based application but to make the update installer small, standalone and easy to build, the installer uses only standard system libraries (C++ runtime, pthreads/libz/libbz2 on Linux/Mac, Win32 API on Windows, Cocoa on Mac, GTK with fallback on Linux). This simplifies delivering updates which include new versions of Qt and other non-system libraries that your application may depend on.
Before considering this though, I would suggest:
If you are only building for two platforms, consider using standard and well-tested auto-update frameworks for those platforms - eg. Sparkle on Mac, Google's Omaha on Windows or auto-update systems built into popular install frameworks (eg. InstallShield). I haven't tried BitRock.
On Mac, the Mac App Store may be a good option. See https://bugreports.qt.io/browse/QTBUG-16549 though.
On Linux, consider creating a .deb package and a simple repository to host it. Once users have a repository set up, the system-wide software update tools will take care of checking for and installing new releases. The steps for setting up a new repository however are too complex for many new Ubuntu/Debian users. What we did, and also what Dropbox and Google have done, is to create a .deb package which sets up the repository as part of the package installation.
A few other notes on creating an updater:
On Windows Vista/7, if the application is installed system-wide (eg. in C:\Program Files\$APPNAME) your users will see a scary UAC prompt when the updater tries to obtain permissions to write to the install directory. This can be avoided either by installing to a user-writable directory (I gather that this is what Google Chrome does) or by obtaining an Authenticode certificate and using it to sign the updater binary.
On Windows Vista/7, an application .exe or DLL cannot be deleted if in use, but the updater can move the existing .exe/DLL out of the way into a temporary directory and schedule it for deletion on the next reboot.
On Ubuntu, 3rd-party repositories are disabled after distribution updates. Google works around this by creating a cron-job to re-add the repository if necessary.
Shameless plug: Fervor, a simple multiplatform (Qt-based) application autoupdater inspired by Sparkle.
Shameless plug: this a relatively old question, but I thought that it may be useful to mention a library that I created recently, which I named "QSimpleUpdater". Aside from notifying you if there's a newer version, it allows you to download the change log in any format (such as HTML or RTF) and download the updates directly from your application using a dialog.
As you may expect from a Qt project, it works on any platform supported by Qt (tested on Windows, Mac & Linux).
Links:
Website
GitHub repository
Screenshot:
Though it works a bit differently than Sparkle, BitRock InstallBuilder contains an autoupdater written in Qt that can be used independently (disclaimer, I am the original BitRock developer). It is a commercial app, but we have free licenses for open source projects.
I've developed an auto-updater library which works beautifully on Mac OS X, Linux and pretty much every Unix that allows you to unlink a file while the file is still open. The reason being that I simply extracted the downloaded package on top of the existing application. Unfortunately, because I relied on this functionality, I ran into problems on Windows as Windows does not let you unlink an open file.
The only alternative I could find is to use MoveFileEx with the replace on reboot flag, but that is awful.
However, renaming the working directory of the application works on Windows 7 and Windows XP. I haven't tried Windows Vista yet.
I have found WebUpdate to be quite useful, though it's written with the wxWidgets. But don't worry, it's a separate app which handles your updates. The steps to integrate it are pretty simple - just write two XML files and run the updater. And yes, it's cross-platform.
The advantage of it is it will automatically download and unzip/install all you required and not just provide a popup with a notification about a new version and a link to download it. Another thing you can do with it is customizable actions.
Project's main page is here, you can read the docs or take a look at the official tutorial.
The blog post Mixing Cocoa and Qt may solve the problem for the Mac platform.
You can use UpdateNode which gives you all the possibilities to update your software. It's using a cross platform Qt client and is free for Open Source!
UPDATE
Just did some further analysis on that and really like this solution:
Pros:
Free for Open Source!!! Even the client is Open Source: https://github.com/updatenode/unclient
The client is already localized in several languages
Very flexible in terms of updates. You can even update single non-binaries.
Provides additionally a way to display messages though the client.
Ready to use binaries & installer for all common Linux distributions, single Windows binary, as well as installer and a solution for Mac (which I have not tried, as I don't have a Mac)
Easy to use web service, nice statistics and update check is integrated within few minutes
Cons:
I am missing a multi-user management in the online service. Maybe they will do it in future - I will definitely suggest that in their feedback portal
The client is a GUI client only - so, you will need to shrink it down to run without a GUI frontend (maybe only necessary for people like me ;-) )
So, bottom line, as this solution is quite new, I think there is lot of potential here. I will definitely use it in my project and I am looking forward for more from them! Thumbs up!
This is an old question but there is not Squirrel in answers which is BEST SOLUTION , here is what I'm doing in qt 5.12.4 with qt quick "my qml app" you can do this in any other language
I'm doing this in windows there is mac version of squirrel too, I don't know about Linux
download nuget package explorer release
https://github.com/NuGetPackageExplorer/NuGetPackageExplorer/releases
open nuget package explorer and add this directory 'lib/net45' it doesn't matter you have a .net app or not, I did this for my qt application otherwise it won't work.
add all files into this folder specify your version in the metadata
save nupkg file
download squirrel release https://github.com/Squirrel/Squirrel.Windows/releases
add squirrel to windows environment path
open cmd and cd to directory of nupkg file
squirrel --releasify file_name.nupkg -> now inide releases folder, there should be setup.exe file which will install app and other files.
to create new version do 2,3,4,7,8 again if its an update it will create delta file which is only needed file to update, put this files into your service directory for example in updates folder of your website which you need to disable directory browsing in IIS , and to auto-update application you need to call Update.exe which is in parent folder of application root directory appdir/../update.exe --update http://yourserver.com/upates/ after application restart app should start with new version
you can find documentation for squirrel in https://github.com/Squirrel/Squirrel.Windows/blob/develop/docs/getting-started/0-overview.md and nuget package explorer here https://github.com/NuGetPackageExplorer/NuGetPackageExplorer and you can use only nuget.exe too if you don't want to use nuget package explorer which can be used for dynamic generation of versions, which can be download from https://www.nuget.org/downloads
That easy. Now you have auto-update app which will download updates from the server and auto-update app. For more info you can read documentations.
note: for iis uses https://github.com/Squirrel/OldSquirrelForWindows/issues/205
I suggest you read on plugin and how to create and use them. If your application architecture is modular and be split into different plugins. Take a look at Google Auto Update utility http://code.google.com/p/omaha/. We use this.
Thibault Cuvelier is writing a tutorial (in French) to develop an updater. I know the explanations are in French (and everyone is not understanding French), but I think this can be readable with a web translator like Google Translate. With this you will have a cross-platform updater, but you need to write it by yourself.
For what I know, the only part of the updater that is explained in the tutorial, is the file downloading part. In the case this can help you, refer to the tutorial, Un updater avec Qt.
I hope that helps.
OK, so I guess I take it as a "no (cross-platform) way". It's too bad!
I have found a solution that can be automated with built-in self-extracting patches and updates. for windows. I have started using their sdk. take a look at the massive documentation here, https://agersoftware.com/docs/ the sdk is called securesdk and comes with their app, SecureDelta sdk. does a great job on any kind of files, better results than lzma-included delta updaters

Resources