QSslSocket Class

The QSslSocket class provides an SSL encrypted socket for both clients and servers. More...

Header: #include <QSslSocket>
CMake: find_package(Qt6 REQUIRED COMPONENTS Network)
target_link_libraries(mytarget PRIVATE Qt6::Network)
qmake: QT += network
Inherits: QTcpSocket

Note: All functions in this class are reentrant.

Public Types

enum PeerVerifyMode { VerifyNone, QueryPeer, VerifyPeer, AutoVerifyPeer }
enum SslMode { UnencryptedMode, SslClientMode, SslServerMode }

Public Functions

QSslSocket(QObject *parent = nullptr)
virtual ~QSslSocket()
void connectToHostEncrypted(const QString &hostName, quint16 port, QIODeviceBase::OpenMode mode = ReadWrite, QAbstractSocket::NetworkLayerProtocol protocol = AnyIPProtocol)
void connectToHostEncrypted(const QString &hostName, quint16 port, const QString &sslPeerName, QIODeviceBase::OpenMode mode = ReadWrite, QAbstractSocket::NetworkLayerProtocol protocol = AnyIPProtocol)
(since 6.0) void continueInterruptedHandshake()
qint64 encryptedBytesAvailable() const
qint64 encryptedBytesToWrite() const
void ignoreSslErrors(const QList<QSslError> &errors)
bool isEncrypted() const
QSslCertificate localCertificate() const
QList<QSslCertificate> localCertificateChain() const
QSslSocket::SslMode mode() const
QList<QOcspResponse> ocspResponses() const
QSslCertificate peerCertificate() const
QList<QSslCertificate> peerCertificateChain() const
int peerVerifyDepth() const
QSslSocket::PeerVerifyMode peerVerifyMode() const
QString peerVerifyName() const
QSslKey privateKey() const
QSsl::SslProtocol protocol() const
QSslCipher sessionCipher() const
QSsl::SslProtocol sessionProtocol() const
void setLocalCertificate(const QSslCertificate &certificate)
void setLocalCertificate(const QString &path, QSsl::EncodingFormat format = QSsl::Pem)
void setLocalCertificateChain(const QList<QSslCertificate> &localChain)
void setPeerVerifyDepth(int depth)
void setPeerVerifyMode(QSslSocket::PeerVerifyMode mode)
void setPeerVerifyName(const QString &hostName)
void setPrivateKey(const QSslKey &key)
void setPrivateKey(const QString &fileName, QSsl::KeyAlgorithm algorithm = QSsl::Rsa, QSsl::EncodingFormat format = QSsl::Pem, const QByteArray &passPhrase = QByteArray())
void setProtocol(QSsl::SslProtocol protocol)
void setSslConfiguration(const QSslConfiguration &configuration)
QSslConfiguration sslConfiguration() const
QList<QSslError> sslHandshakeErrors() const
bool waitForEncrypted(int msecs = 30000)

Reimplemented Public Functions

virtual bool atEnd() const override
virtual qint64 bytesAvailable() const override
virtual qint64 bytesToWrite() const override
virtual bool canReadLine() const override
virtual void close() override
virtual void resume() override
virtual void setReadBufferSize(qint64 size) override
virtual bool setSocketDescriptor(qintptr socketDescriptor, QAbstractSocket::SocketState state = ConnectedState, QIODeviceBase::OpenMode openMode = ReadWrite) override
virtual void setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value) override
virtual QVariant socketOption(QAbstractSocket::SocketOption option) override
virtual bool waitForBytesWritten(int msecs = 30000) override
virtual bool waitForConnected(int msecs = 30000) override
virtual bool waitForDisconnected(int msecs = 30000) override
virtual bool waitForReadyRead(int msecs = 30000) override

Public Slots

Signals

void alertReceived(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description)
void alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description)
void encrypted()
void encryptedBytesWritten(qint64 written)
void handshakeInterruptedOnError(const QSslError &error)
void modeChanged(QSslSocket::SslMode mode)
void newSessionTicketReceived()
void peerVerifyError(const QSslError &error)
void preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator *authenticator)
void sslErrors(const QList<QSslError> &errors)

Static Public Members

(since 6.1) QString activeBackend()
(since 6.1) QList<QString> availableBackends()
(since 6.1) QList<QSsl::ImplementedClass> implementedClasses(const QString &backendName = {})
(since 6.1) bool isClassImplemented(QSsl::ImplementedClass cl, const QString &backendName = {})
(since 6.1) bool isFeatureSupported(QSsl::SupportedFeature ft, const QString &backendName = {})
(since 6.1) bool isProtocolSupported(QSsl::SslProtocol protocol, const QString &backendName = {})
(since 6.1) bool setActiveBackend(const QString &backendName)
long sslLibraryBuildVersionNumber()
QString sslLibraryBuildVersionString()
long sslLibraryVersionNumber()
QString sslLibraryVersionString()
(since 6.1) QList<QSsl::SupportedFeature> supportedFeatures(const QString &backendName = {})
(since 6.1) QList<QSsl::SslProtocol> supportedProtocols(const QString &backendName = {})
bool supportsSsl()

Reimplemented Protected Functions

virtual qint64 readData(char *data, qint64 maxlen) override
virtual qint64 skipData(qint64 maxSize) override
virtual qint64 writeData(const char *data, qint64 len) override
(since 6.0) enum class AlertLevel { Warning, Fatal, Unknown }
(since 6.0) enum class AlertType { CloseNotify, UnexpectedMessage, BadRecordMac, RecordOverflow, DecompressionFailure, …, UnknownAlertMessage }
(since 6.1) enum class ImplementedClass { Key, Certificate, Socket, DiffieHellman, EllipticCurve, …, DtlsCookie }
(since 6.1) enum class SupportedFeature { CertificateVerification, ClientSideAlpn, ServerSideAlpn, Ocsp, Psk, …, Alerts }

Detailed Description

QSslSocket establishes a secure, encrypted TCP connection you can use for transmitting encrypted data. It can operate in both client and server mode, and it supports modern TLS protocols, including TLS 1.3. By default, QSslSocket uses only TLS protocols which are considered to be secure (QSsl::SecureProtocols), but you can change the TLS protocol by calling setProtocol() as long as you do it before the handshake has started.

SSL encryption operates on top of the existing TCP stream after the socket enters the ConnectedState. There are two simple ways to establish a secure connection using QSslSocket: With an immediate SSL handshake, or with a delayed SSL handshake occurring after the connection has been established in unencrypted mode.

The most common way to use QSslSocket is to construct an object and start a secure connection by calling connectToHostEncrypted(). This method starts an immediate SSL handshake once the connection has been established.

 QSslSocket *socket = new QSslSocket(this);
 connect(socket, &QSslSocket::encrypted, this, &Receiver::ready);

 socket->connectToHostEncrypted("imap.example.com", 993);

As with a plain QTcpSocket, QSslSocket enters the HostLookupState, ConnectingState, and finally the ConnectedState, if the connection is successful. The handshake then starts automatically, and if it succeeds, the encrypted() signal is emitted to indicate the socket has entered the encrypted state and is ready for use.

Note that data can be written to the socket immediately after the return from connectToHostEncrypted() (i.e., before the encrypted() signal is emitted). The data is queued in QSslSocket until after the encrypted() signal is emitted.

An example of using the delayed SSL handshake to secure an existing connection is the case where an SSL server secures an incoming connection. Suppose you create an SSL server class as a subclass of QTcpServer. You would override QTcpServer::incomingConnection() with something like the example below, which first constructs an instance of QSslSocket and then calls setSocketDescriptor() to set the new socket's descriptor to the existing one passed in. It then initiates the SSL handshake by calling startServerEncryption().

 void SslServer::incomingConnection(qintptr socketDescriptor)
 {
     QSslSocket *serverSocket = new QSslSocket;
     if (serverSocket->setSocketDescriptor(socketDescriptor)) {
         addPendingConnection(serverSocket);
         connect(serverSocket, &QSslSocket::encrypted, this, &SslServer::ready);
         serverSocket->startServerEncryption();
     } else {
         delete serverSocket;
     }
 }

If an error occurs, QSslSocket emits the sslErrors() signal. In this case, if no action is taken to ignore the error(s), the connection is dropped. To continue, despite the occurrence of an error, you can call ignoreSslErrors(), either from within this slot after the error occurs, or any time after construction of the QSslSocket and before the connection is attempted. This will allow QSslSocket to ignore the errors it encounters when establishing the identity of the peer. Ignoring errors during an SSL handshake should be used with caution, since a fundamental characteristic of secure connections is that they should be established with a successful handshake.

Once encrypted, you use QSslSocket as a regular QTcpSocket. When readyRead() is emitted, you can call read(), canReadLine() and readLine(), or getChar() to read decrypted data from QSslSocket's internal buffer, and you can call write() or putChar() to write data back to the peer. QSslSocket will automatically encrypt the written data for you, and emit encryptedBytesWritten() once the data has been written to the peer.

As a convenience, QSslSocket supports QTcpSocket's blocking functions waitForConnected(), waitForReadyRead(), waitForBytesWritten(), and waitForDisconnected(). It also provides waitForEncrypted(), which will block the calling thread until an encrypted connection has been established.

 QSslSocket socket;
 socket.connectToHostEncrypted("http.example.com", 443);
 if (!socket.waitForEncrypted()) {
     qDebug() << socket.errorString();
     return false;
 }

 socket.write("GET / HTTP/1.0\r\n\r\n");
 while (socket.waitForReadyRead())
     qDebug() << socket.readAll().data();

QSslSocket provides an extensive, easy-to-use API for handling cryptographic ciphers, private keys, and local, peer, and Certification Authority (CA) certificates. It also provides an API for handling errors that occur during the handshake phase.

The following features can also be customized:

To extend the list of default CA certificates used by the SSL sockets during the SSL handshake you must update the default configuration, as in the snippet below:

 QList<QSslCertificate> certificates = getCertificates();
 QSslConfiguration configuration = QSslConfiguration::defaultConfiguration();
 configuration.addCaCertificates(certificates);
 QSslConfiguration::setDefaultConfiguration(configuration);

Note: If available, root certificates on Unix (excluding macOS) will be loaded on demand from the standard certificate directories. If you do not want to load root certificates on demand, you need to call either QSslConfiguration::defaultConfiguration().setCaCertificates() before the first SSL handshake is made in your application (for example, via passing QSslSocket::systemCaCertificates() to it), or call QSslConfiguration::defaultConfiguration()::setCaCertificates() on your QSslSocket instance prior to the SSL handshake.

For more information about ciphers and certificates, refer to QSslCipher and QSslCertificate.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Note: Be aware of the difference between the bytesWritten() signal and the encryptedBytesWritten() signal. For a QTcpSocket, bytesWritten() will get emitted as soon as data has been written to the TCP socket. For a QSslSocket, bytesWritten() will get emitted when the data is being encrypted and encryptedBytesWritten() will get emitted as soon as data has been written to the TCP socket.

See also QSslCertificate, QSslCipher, and QSslError.

Member Type Documentation

enum QSslSocket::PeerVerifyMode

Describes the peer verification modes for QSslSocket. The default mode is AutoVerifyPeer, which selects an appropriate mode depending on the socket's QSocket::SslMode.

ConstantValueDescription
QSslSocket::VerifyNone0QSslSocket will not request a certificate from the peer. You can set this mode if you are not interested in the identity of the other side of the connection. The connection will still be encrypted, and your socket will still send its local certificate to the peer if it's requested.
QSslSocket::QueryPeer1QSslSocket will request a certificate from the peer, but does not require this certificate to be valid. This is useful when you want to display peer certificate details to the user without affecting the actual SSL handshake. This mode is the default for servers. Note: In Schannel this value acts the same as VerifyNone.
QSslSocket::VerifyPeer2QSslSocket will request a certificate from the peer during the SSL handshake phase, and requires that this certificate is valid. On failure, QSslSocket will emit the QSslSocket::sslErrors() signal. This mode is the default for clients.
QSslSocket::AutoVerifyPeer3QSslSocket will automatically use QueryPeer for server sockets and VerifyPeer for client sockets.

See also QSslSocket::peerVerifyMode().

enum QSslSocket::SslMode

Describes the connection modes available for QSslSocket.

ConstantValueDescription
QSslSocket::UnencryptedMode0The socket is unencrypted. Its behavior is identical to QTcpSocket.
QSslSocket::SslClientMode1The socket is a client-side SSL socket. It is either already encrypted, or it is in the SSL handshake phase (see QSslSocket::isEncrypted()).
QSslSocket::SslServerMode2The socket is a server-side SSL socket. It is either already encrypted, or it is in the SSL handshake phase (see QSslSocket::isEncrypted()).

Member Function Documentation

[explicit] QSslSocket::QSslSocket(QObject *parent = nullptr)

Constructs a QSslSocket object. parent is passed to QObject's constructor. The new socket's cipher suite is set to the one returned by the static method defaultCiphers().

[virtual noexcept] QSslSocket::~QSslSocket()

Destroys the QSslSocket.

[static, since 6.1] QString QSslSocket::activeBackend()

Returns the name of the backend that QSslSocket and related classes use. If the active backend was not set explicitly, this function returns the name of a default backend that QSslSocket selects implicitly from the list of available backends.

Note: When selecting a default backend implicitly, QSslSocket prefers the OpenSSL backend if available. If it's not available, the Schannel backend is implicitly selected on Windows, and Secure Transport on Darwin platforms. Failing these, if a custom TLS backend is found, it is used. If no other backend is found, the "certificate only" backend is selected. For more information about TLS plugins, please see Enabling and Disabling SSL Support when Building Qt from Source.

This function was introduced in Qt 6.1.

See also setActiveBackend() and availableBackends().

[signal] void QSslSocket::alertReceived(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description)

QSslSocket emits this signal if an alert message was received from a peer. level tells if the alert was fatal or it was a warning. type is the code explaining why the alert was sent. When a textual description of the alert message is available, it is supplied in description.

Note: The signal is mostly for informational and debugging purposes and does not require any handling in the application. If the alert was fatal, underlying backend will handle it and close the connection.

Note: Not all backends support this functionality.

See also alertSent(), QSsl::AlertLevel, and QSsl::AlertType.

[signal] void QSslSocket::alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description)

QSslSocket emits this signal if an alert message was sent to a peer. level describes if it was a warning or a fatal error. type gives the code of the alert message. When a textual description of the alert message is available, it is supplied in description.

Note: This signal is mostly informational and can be used for debugging purposes, normally it does not require any actions from the application.

Note: Not all backends support this functionality.

See also alertReceived(), QSsl::AlertLevel, and QSsl::AlertType.

[override virtual] bool QSslSocket::atEnd() const

Reimplements: QIODevice::atEnd() const.

[static, since 6.1] QList<QString> QSslSocket::availableBackends()

Returns the names of the currently available backends. These names are in lower case, e.g. "openssl", "securetransport", "schannel" (similar to the already existing feature names for TLS backends in Qt).

This function was introduced in Qt 6.1.

See also activeBackend().

[override virtual] qint64 QSslSocket::bytesAvailable() const

Reimplements: QAbstractSocket::bytesAvailable() const.

Returns the number of decrypted bytes that are immediately available for reading.

[override virtual] qint64 QSslSocket::bytesToWrite() const

Reimplements: QAbstractSocket::bytesToWrite() const.

Returns the number of unencrypted bytes that are waiting to be encrypted and written to the network.

[override virtual] bool QSslSocket::canReadLine() const

Reimplements: QIODevice::canReadLine() const.

Returns true if you can read one while line (terminated by a single ASCII '\n' character) of decrypted characters; otherwise, false is returned.

[override virtual] void QSslSocket::close()

Reimplements: QAbstractSocket::close().

void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, QIODeviceBase::OpenMode mode = ReadWrite, QAbstractSocket::NetworkLayerProtocol protocol = AnyIPProtocol)

Starts an encrypted connection to the device hostName on port, using mode as the OpenMode. This is equivalent to calling connectToHost() to establish the connection, followed by a call to startClientEncryption(). The protocol parameter can be used to specify which network protocol to use (eg. IPv4 or IPv6).

QSslSocket first enters the HostLookupState. Then, after entering either the event loop or one of the waitFor...() functions, it enters the ConnectingState, emits connected(), and then initiates the SSL client handshake. At each state change, QSslSocket emits signal stateChanged().

After initiating the SSL client handshake, if the identity of the peer can't be established, signal sslErrors() is emitted. If you want to ignore the errors and continue connecting, you must call ignoreSslErrors(), either from inside a slot function connected to the sslErrors() signal, or prior to entering encrypted mode. If ignoreSslErrors() is not called, the connection is dropped, signal disconnected() is emitted, and QSslSocket returns to the UnconnectedState.

If the SSL handshake is successful, QSslSocket emits encrypted().

 QSslSocket socket;
 connect(&socket, &QSslSocket::encrypted, receiver, &Receiver::socketEncrypted);

 socket.connectToHostEncrypted("imap", 993);
 socket->write("1 CAPABILITY\r\n");

Note: The example above shows that text can be written to the socket immediately after requesting the encrypted connection, before the encrypted() signal has been emitted. In such cases, the text is queued in the object and written to the socket after the connection is established and the encrypted() signal has been emitted.

The default for mode is ReadWrite.

If you want to create a QSslSocket on the server side of a connection, you should instead call startServerEncryption() upon receiving the incoming connection through QTcpServer.

See also connectToHost(), startClientEncryption(), waitForConnected(), and waitForEncrypted().

void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, const QString &sslPeerName, QIODeviceBase::OpenMode mode = ReadWrite, QAbstractSocket::NetworkLayerProtocol protocol = AnyIPProtocol)

This is an overloaded function.

In addition to the original behaviour of connectToHostEncrypted, this overloaded method enables the usage of a different hostname (sslPeerName) for the certificate validation instead of the one used for the TCP connection (hostName).

See also connectToHostEncrypted().

[since 6.0] void QSslSocket::continueInterruptedHandshake()

If an application wants to conclude a handshake even after receiving handshakeInterruptedOnError() signal, it must call this function. This call must be done from a slot function attached to the signal. The signal-slot connection must be direct.

This function was introduced in Qt 6.0.

See also handshakeInterruptedOnError() and QSslConfiguration::setHandshakeMustInterruptOnError().

[signal] void QSslSocket::encrypted()

This signal is emitted when QSslSocket enters encrypted mode. After this signal has been emitted, QSslSocket::isEncrypted() will return true, and all further transmissions on the socket will be encrypted.

See also QSslSocket::connectToHostEncrypted() and QSslSocket::isEncrypted().

qint64 QSslSocket::encryptedBytesAvailable() const

Returns the number of encrypted bytes that are awaiting decryption. Normally, this function will return 0 because QSslSocket decrypts its incoming data as soon as it can.

qint64 QSslSocket::encryptedBytesToWrite() const

Returns the number of encrypted bytes that are waiting to be written to the network.

[signal] void QSslSocket::encryptedBytesWritten(qint64 written)

This signal is emitted when QSslSocket writes its encrypted data to the network. The written parameter contains the number of bytes that were successfully written.

See also QIODevice::bytesWritten().

[signal] void QSslSocket::handshakeInterruptedOnError(const QSslError &error)

QSslSocket emits this signal if a certificate verification error was found and if early error reporting was enabled in QSslConfiguration. An application is expected to inspect the error and decide if it wants to continue the handshake, or abort it and send an alert message to the peer. The signal-slot connection must be direct.

See also continueInterruptedHandshake(), sslErrors(), and QSslConfiguration::setHandshakeMustInterruptOnError().

[slot] void QSslSocket::ignoreSslErrors()

This slot tells QSslSocket to ignore errors during QSslSocket's handshake phase and continue connecting. If you want to continue with the connection even if errors occur during the handshake phase, then you must call this slot, either from a slot connected to sslErrors(), or before the handshake phase. If you don't call this slot, either in response to errors or before the handshake, the connection will be dropped after the sslErrors() signal has been emitted.

If there are no errors during the SSL handshake phase (i.e., the identity of the peer is established with no problems), QSslSocket will not emit the sslErrors() signal, and it is unnecessary to call this function.

Warning: Be sure to always let the user inspect the errors reported by the sslErrors() signal, and only call this method upon confirmation from the user that proceeding is ok. If there are unexpected errors, the connection should be aborted. Calling this method without inspecting the actual errors will most likely pose a security risk for your application. Use it with great care!

See also sslErrors().

void QSslSocket::ignoreSslErrors(const QList<QSslError> &errors)

This is an overloaded function.

This method tells QSslSocket to ignore only the errors given in errors.

Note: Because most SSL errors are associated with a certificate, for most of them you must set the expected certificate this SSL error is related to. If, for instance, you want to connect to a server that uses a self-signed certificate, consider the following snippet:

 QList<QSslCertificate> cert = QSslCertificate::fromPath("server-certificate.pem"_L1);
 QSslError error(QSslError::SelfSignedCertificate, cert.at(0));
 QList<QSslError> expectedSslErrors;
 expectedSslErrors.append(error);

 QSslSocket socket;
 socket.ignoreSslErrors(expectedSslErrors);
 socket.connectToHostEncrypted("server.tld", 443);

Multiple calls to this function will replace the list of errors that were passed in previous calls. You can clear the list of errors you want to ignore by calling this function with an empty list.

See also sslErrors() and sslHandshakeErrors().

[static, since 6.1] QList<QSsl::ImplementedClass> QSslSocket::implementedClasses(const QString &backendName = {})

This function returns backend-specific classes implemented by the backend named backendName. An empty backendName is understood as a query about the currently active backend.

This function was introduced in Qt 6.1.

See also QSsl::ImplementedClass, activeBackend(), and isClassImplemented().

[static, since 6.1] bool QSslSocket::isClassImplemented(QSsl::ImplementedClass cl, const QString &backendName = {})

Returns true if a class cl is implemented by the backend named backendName. An empty backendName is understood as a query about the currently active backend.

This function was introduced in Qt 6.1.

See also implementedClasses().

bool QSslSocket::isEncrypted() const

Returns true if the socket is encrypted; otherwise, false is returned.

An encrypted socket encrypts all data that is written by calling write() or putChar() before the data is written to the network, and decrypts all incoming data as the data is received from the network, before you call read(), readLine() or getChar().

QSslSocket emits encrypted() when it enters encrypted mode.

You can call sessionCipher() to find which cryptographic cipher is used to encrypt and decrypt your data.

See also mode().

[static, since 6.1] bool QSslSocket::isFeatureSupported(QSsl::SupportedFeature ft, const QString &backendName = {})

Returns true if a feature ft is supported by a backend named backendName. An empty backendName is understood as a query about the currently active backend.

This function was introduced in Qt 6.1.

See also QSsl::SupportedFeature and supportedFeatures().

[static, since 6.1] bool QSslSocket::isProtocolSupported(QSsl::SslProtocol protocol, const QString &backendName = {})

Returns true if protocol is supported by a backend named backendName. An empty backendName is understood as a query about the currently active backend.

This function was introduced in Qt 6.1.

See also supportedProtocols().

QSslCertificate QSslSocket::localCertificate() const

Returns the socket's local certificate, or an empty certificate if no local certificate has been assigned.

See also setLocalCertificate() and privateKey().

QList<QSslCertificate> QSslSocket::localCertificateChain() const

Returns the socket's local certificate chain, or an empty list if no local certificates have been assigned.

See also setLocalCertificateChain().

QSslSocket::SslMode QSslSocket::mode() const

Returns the current mode for the socket; either UnencryptedMode, where QSslSocket behaves identially to QTcpSocket, or one of SslClientMode or SslServerMode, where the client is either negotiating or in encrypted mode.

When the mode changes, QSslSocket emits modeChanged()

See also SslMode.

[signal] void QSslSocket::modeChanged(QSslSocket::SslMode mode)

This signal is emitted when QSslSocket changes from QSslSocket::UnencryptedMode to either QSslSocket::SslClientMode or QSslSocket::SslServerMode. mode is the new mode.

See also QSslSocket::mode().

[signal] void QSslSocket::newSessionTicketReceived()

If TLS 1.3 protocol was negotiated during a handshake, QSslSocket emits this signal after receiving NewSessionTicket message. Session and session ticket's lifetime hint are updated in the socket's configuration. The session can be used for session resumption (and a shortened handshake) in future TLS connections.

Note: This functionality enabled only with OpenSSL backend and requires OpenSSL v 1.1.1 or above.

See also QSslSocket::sslConfiguration(), QSslConfiguration::sessionTicket(), and QSslConfiguration::sessionTicketLifeTimeHint().

QList<QOcspResponse> QSslSocket::ocspResponses() const

This function returns Online Certificate Status Protocol responses that a server may send during a TLS handshake using OCSP stapling. The list is empty if no definitive response or no response at all was received.

See also QSslConfiguration::setOcspStaplingEnabled().

QSslCertificate QSslSocket::peerCertificate() const

Returns the peer's digital certificate (i.e., the immediate certificate of the host you are connected to), or a null certificate, if the peer has not assigned a certificate.

The peer certificate is checked automatically during the handshake phase, so this function is normally used to fetch the certificate for display or for connection diagnostic purposes. It contains information about the peer, including its host name, the certificate issuer, and the peer's public key.

Because the peer certificate is set during the handshake phase, it is safe to access the peer certificate from a slot connected to the sslErrors() signal or the encrypted() signal.

If a null certificate is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn't have a certificate, or it can mean there is no connection.

If you want to check the peer's complete chain of certificates, use peerCertificateChain() to get them all at once.

See also peerCertificateChain().

QList<QSslCertificate> QSslSocket::peerCertificateChain() const

Returns the peer's chain of digital certificates, or an empty list of certificates.

Peer certificates are checked automatically during the handshake phase. This function is normally used to fetch certificates for display, or for performing connection diagnostics. Certificates contain information about the peer and the certificate issuers, including host name, issuer names, and issuer public keys.

The peer certificates are set in QSslSocket during the handshake phase, so it is safe to call this function from a slot connected to the sslErrors() signal or the encrypted() signal.

If an empty list is returned, it can mean the SSL handshake failed, or it can mean the host you are connected to doesn't have a certificate, or it can mean there is no connection.

If you want to get only the peer's immediate certificate, use peerCertificate().

See also peerCertificate().

int QSslSocket::peerVerifyDepth() const

Returns the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, or 0 (the default) if no maximum depth has been set, indicating that the whole certificate chain should be checked.

The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.

See also setPeerVerifyDepth() and peerVerifyMode().

[signal] void QSslSocket::peerVerifyError(const QSslError &error)

QSslSocket can emit this signal several times during the SSL handshake, before encryption has been established, to indicate that an error has occurred while establishing the identity of the peer. The error is usually an indication that QSslSocket is unable to securely identify the peer.

This signal provides you with an early indication when something's wrong. By connecting to this signal, you can manually choose to tear down the connection from inside the connected slot before the handshake has completed. If no action is taken, QSslSocket will proceed to emitting QSslSocket::sslErrors().

See also sslErrors().

QSslSocket::PeerVerifyMode QSslSocket::peerVerifyMode() const

Returns the socket's verify mode. This mode decides whether QSslSocket should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.

The default mode is AutoVerifyPeer, which tells QSslSocket to use VerifyPeer for clients and QueryPeer for servers.

See also setPeerVerifyMode(), peerVerifyDepth(), and mode().

QString QSslSocket::peerVerifyName() const

Returns the different hostname for the certificate validation, as set by setPeerVerifyName or by connectToHostEncrypted.

See also setPeerVerifyName() and connectToHostEncrypted().

[signal] void QSslSocket::preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator *authenticator)

QSslSocket emits this signal when it negotiates a PSK ciphersuite, and therefore a PSK authentication is then required.

When using PSK, the client must send to the server a valid identity and a valid pre shared key, in order for the SSL handshake to continue. Applications can provide this information in a slot connected to this signal, by filling in the passed authenticator object according to their needs.

Note: Ignoring this signal, or failing to provide the required credentials, will cause the handshake to fail, and therefore the connection to be aborted.

Note: The authenticator object is owned by the socket and must not be deleted by the application.

See also QSslPreSharedKeyAuthenticator.

QSslKey QSslSocket::privateKey() const

Returns this socket's private key.

See also setPrivateKey() and localCertificate().

QSsl::SslProtocol QSslSocket::protocol() const

Returns the socket's SSL protocol. By default, QSsl::SecureProtocols is used.

See also setProtocol().

[override virtual protected] qint64 QSslSocket::readData(char *data, qint64 maxlen)

Reimplements: QAbstractSocket::readData(char *data, qint64 maxSize).

[override virtual] void QSslSocket::resume()

Reimplements: QAbstractSocket::resume().

Continues data transfer on the socket after it has been paused. If "setPauseMode(QAbstractSocket::PauseOnSslErrors);" has been called on this socket and a sslErrors() signal is received, calling this method is necessary for the socket to continue.

See also QAbstractSocket::pauseMode() and QAbstractSocket::setPauseMode().

QSslCipher QSslSocket::sessionCipher() const

Returns the socket's cryptographic cipher, or a null cipher if the connection isn't encrypted. The socket's cipher for the session is set during the handshake phase. The cipher is used to encrypt and decrypt data transmitted through the socket.

QSslSocket also provides functions for setting the ordered list of ciphers from which the handshake phase will eventually select the session cipher. This ordered list must be in place before the handshake phase begins.

See also QSslConfiguration::ciphers(), QSslConfiguration::setCiphers(), QSslConfiguration::setCiphers(), QSslConfiguration::ciphers(), and QSslConfiguration::supportedCiphers().

QSsl::SslProtocol QSslSocket::sessionProtocol() const

Returns the socket's SSL/TLS protocol or UnknownProtocol if the connection isn't encrypted. The socket's protocol for the session is set during the handshake phase.

See also protocol() and setProtocol().

[static, since 6.1] bool QSslSocket::setActiveBackend(const QString &backendName)

Returns true if a backend with name backendName was set as active backend. backendName must be one of names returned by availableBackends().

Note: An application cannot mix different backends simultaneously. This implies that a non-default backend must be selected prior to any use of QSslSocket or related classes, e.g. QSslCertificate or QSslKey.

This function was introduced in Qt 6.1.

See also activeBackend() and availableBackends().

void QSslSocket::setLocalCertificate(const QSslCertificate &certificate)

Sets the socket's local certificate to certificate. The local certificate is necessary if you need to confirm your identity to the peer. It is used together with the private key; if you set the local certificate, you must also set the private key.

The local certificate and private key are always necessary for server sockets, but are also rarely used by client sockets if the server requires the client to authenticate.

Note: Secure Transport SSL backend on macOS may update the default keychain (the default is probably your login keychain) by importing your local certificates and keys. This can also result in system dialogs showing up and asking for permission when your application is using these private keys. If such behavior is undesired, set the QT_SSL_USE_TEMPORARY_KEYCHAIN environment variable to a non-zero value; this will prompt QSslSocket to use its own temporary keychain.

See also localCertificate() and setPrivateKey().

void QSslSocket::setLocalCertificate(const QString &path, QSsl::EncodingFormat format = QSsl::Pem)

This is an overloaded function.

Sets the socket's local certificate to the first one found in file path, which is parsed according to the specified format.

void QSslSocket::setLocalCertificateChain(const QList<QSslCertificate> &localChain)

Sets the certificate chain to be presented to the peer during the SSL handshake to be localChain.

See also localCertificateChain() and QSslConfiguration::setLocalCertificateChain().

void QSslSocket::setPeerVerifyDepth(int depth)

Sets the maximum number of certificates in the peer's certificate chain to be checked during the SSL handshake phase, to depth. Setting a depth of 0 means that no maximum depth is set, indicating that the whole certificate chain should be checked.

The certificates are checked in issuing order, starting with the peer's own certificate, then its issuer's certificate, and so on.

See also peerVerifyDepth() and setPeerVerifyMode().

void QSslSocket::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode)

Sets the socket's verify mode to mode. This mode decides whether QSslSocket should request a certificate from the peer (i.e., the client requests a certificate from the server, or a server requesting a certificate from the client), and whether it should require that this certificate is valid.

The default mode is AutoVerifyPeer, which tells QSslSocket to use VerifyPeer for clients and QueryPeer for servers.

Setting this mode after encryption has started has no effect on the current connection.

See also peerVerifyMode(), setPeerVerifyDepth(), and mode().

void QSslSocket::setPeerVerifyName(const QString &hostName)

Sets a different host name, given by hostName, for the certificate validation instead of the one used for the TCP connection.

See also peerVerifyName() and connectToHostEncrypted().

void QSslSocket::setPrivateKey(const QSslKey &key)

Sets the socket's private key to key. The private key and the local certificate are used by clients and servers that must prove their identity to SSL peers.

Both the key and the local certificate are required if you are creating an SSL server socket. If you are creating an SSL client socket, the key and local certificate are required if your client must identify itself to an SSL server.

See also privateKey() and setLocalCertificate().

void QSslSocket::setPrivateKey(const QString &fileName, QSsl::KeyAlgorithm algorithm = QSsl::Rsa, QSsl::EncodingFormat format = QSsl::Pem, const QByteArray &passPhrase = QByteArray())

This is an overloaded function.

Reads the string in file fileName and decodes it using a specified algorithm and encoding format to construct an SSL key. If the encoded key is encrypted, passPhrase is used to decrypt it.

The socket's private key is set to the constructed key. The private key and the local certificate are used by clients and servers that must prove their identity to SSL peers.

Both the key and the local certificate are required if you are creating an SSL server socket. If you are creating an SSL client socket, the key and local certificate are required if your client must identify itself to an SSL server.

See also privateKey() and setLocalCertificate().

void QSslSocket::setProtocol(QSsl::SslProtocol protocol)

Sets the socket's SSL protocol to protocol. This will affect the next initiated handshake; calling this function on an already-encrypted socket will not affect the socket's protocol.

See also protocol().

[override virtual] void QSslSocket::setReadBufferSize(qint64 size)

Reimplements: QAbstractSocket::setReadBufferSize(qint64 size).

Sets the size of QSslSocket's internal read buffer to be size bytes.

[override virtual] bool QSslSocket::setSocketDescriptor(qintptr socketDescriptor, QAbstractSocket::SocketState state = ConnectedState, QIODeviceBase::OpenMode openMode = ReadWrite)

Reimplements: QAbstractSocket::setSocketDescriptor(qintptr socketDescriptor, QAbstractSocket::SocketState socketState, QIODeviceBase::OpenMode openMode).

Initializes QSslSocket with the native socket descriptor socketDescriptor. Returns true if socketDescriptor is accepted as a valid socket descriptor; otherwise returns false. The socket is opened in the mode specified by openMode, and enters the socket state specified by state.

Note: It is not possible to initialize two sockets with the same native socket descriptor.

See also socketDescriptor().

[override virtual] void QSslSocket::setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value)

Reimplements: QAbstractSocket::setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value).

Sets the given option to the value described by value.

See also socketOption().

void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)

Sets the socket's SSL configuration to be the contents of configuration. This function sets the local certificate, the ciphers, the private key and the CA certificates to those stored in configuration.

It is not possible to set the SSL-state related fields.

See also sslConfiguration(), setLocalCertificate(), setPrivateKey(), QSslConfiguration::setCaCertificates(), and QSslConfiguration::setCiphers().

[override virtual protected] qint64 QSslSocket::skipData(qint64 maxSize)

Reimplements: QAbstractSocket::skipData(qint64 maxSize).

[override virtual] QVariant QSslSocket::socketOption(QAbstractSocket::SocketOption option)

Reimplements: QAbstractSocket::socketOption(QAbstractSocket::SocketOption option).

Returns the value of the option option.

See also setSocketOption().

QSslConfiguration QSslSocket::sslConfiguration() const

Returns the socket's SSL configuration state. The default SSL configuration of a socket is to use the default ciphers, default CA certificates, no local private key or certificate.

The SSL configuration also contains fields that can change with time without notice.

See also setSslConfiguration(), localCertificate(), peerCertificate(), peerCertificateChain(), sessionCipher(), privateKey(), QSslConfiguration::ciphers(), and QSslConfiguration::caCertificates().

[signal] void QSslSocket::sslErrors(const QList<QSslError> &errors)

QSslSocket emits this signal after the SSL handshake to indicate that one or more errors have occurred while establishing the identity of the peer. The errors are usually an indication that QSslSocket is unable to securely identify the peer. Unless any action is taken, the connection will be dropped after this signal has been emitted.

If you want to continue connecting despite the errors that have occurred, you must call QSslSocket::ignoreSslErrors() from inside a slot connected to this signal. If you need to access the error list at a later point, you can call sslHandshakeErrors().

errors contains one or more errors that prevent QSslSocket from verifying the identity of the peer.

Note: You cannot use Qt::QueuedConnection when connecting to this signal, or calling QSslSocket::ignoreSslErrors() will have no effect.

See also peerVerifyError().

QList<QSslError> QSslSocket::sslHandshakeErrors() const

Returns a list of the last SSL errors that occurred. This is the same list as QSslSocket passes via the sslErrors() signal. If the connection has been encrypted with no errors, this function will return an empty list.

See also connectToHostEncrypted().

[static] long QSslSocket::sslLibraryBuildVersionNumber()

Returns the version number of the SSL library in use at compile time. If no SSL support is available then this will return -1.

See also sslLibraryVersionNumber().

[static] QString QSslSocket::sslLibraryBuildVersionString()

Returns the version string of the SSL library in use at compile time. If no SSL support is available then this will return an empty value.

See also sslLibraryVersionString().

[static] long QSslSocket::sslLibraryVersionNumber()

Returns the version number of the SSL library in use. Note that this is the version of the library in use at run-time not compile time. If no SSL support is available then this will return -1.

[static] QString QSslSocket::sslLibraryVersionString()

Returns the version string of the SSL library in use. Note that this is the version of the library in use at run-time not compile time. If no SSL support is available then this will return an empty value.

[slot] void QSslSocket::startClientEncryption()

Starts a delayed SSL handshake for a client connection. This function can be called when the socket is in the ConnectedState but still in the UnencryptedMode. If it is not yet connected, or if it is already encrypted, this function has no effect.

Clients that implement STARTTLS functionality often make use of delayed SSL handshakes. Most other clients can avoid calling this function directly by using connectToHostEncrypted() instead, which automatically performs the handshake.

See also connectToHostEncrypted() and startServerEncryption().

[slot] void QSslSocket::startServerEncryption()

Starts a delayed SSL handshake for a server connection. This function can be called when the socket is in the ConnectedState but still in UnencryptedMode. If it is not connected or it is already encrypted, the function has no effect.

For server sockets, calling this function is the only way to initiate the SSL handshake. Most servers will call this function immediately upon receiving a connection, or as a result of having received a protocol-specific command to enter SSL mode (e.g, the server may respond to receiving the string "STARTTLS\r\n" by calling this function).

The most common way to implement an SSL server is to create a subclass of QTcpServer and reimplement QTcpServer::incomingConnection(). The returned socket descriptor is then passed to QSslSocket::setSocketDescriptor().

See also connectToHostEncrypted() and startClientEncryption().

[static, since 6.1] QList<QSsl::SupportedFeature> QSslSocket::supportedFeatures(const QString &backendName = {})

This function returns features supported by a backend named backendName. An empty backendName is understood as a query about the currently active backend.

This function was introduced in Qt 6.1.

See also QSsl::SupportedFeature and activeBackend().

[static, since 6.1] QList<QSsl::SslProtocol> QSslSocket::supportedProtocols(const QString &backendName = {})

If a backend with name backendName is available, this function returns the list of TLS protocol versions supported by this backend. An empty backendName is understood as a query about the currently active backend. Otherwise, this function returns an empty list.

This function was introduced in Qt 6.1.

See also availableBackends(), activeBackend(), and isProtocolSupported().

[static] bool QSslSocket::supportsSsl()

Returns true if this platform supports SSL; otherwise, returns false. If the platform doesn't support SSL, the socket will fail in the connection phase.

[override virtual] bool QSslSocket::waitForBytesWritten(int msecs = 30000)

Reimplements: QAbstractSocket::waitForBytesWritten(int msecs).

[override virtual] bool QSslSocket::waitForConnected(int msecs = 30000)

Reimplements: QAbstractSocket::waitForConnected(int msecs).

Waits until the socket is connected, or msecs milliseconds, whichever happens first. If the connection has been established, this function returns true; otherwise it returns false.

See also QAbstractSocket::waitForConnected().

[override virtual] bool QSslSocket::waitForDisconnected(int msecs = 30000)

Reimplements: QAbstractSocket::waitForDisconnected(int msecs).

Waits until the socket has disconnected or msecs milliseconds, whichever comes first. If the connection has been disconnected, this function returns true; otherwise it returns false.

See also QAbstractSocket::waitForDisconnected().

bool QSslSocket::waitForEncrypted(int msecs = 30000)

Waits until the socket has completed the SSL handshake and has emitted encrypted(), or msecs milliseconds, whichever comes first. If encrypted() has been emitted, this function returns true; otherwise (e.g., the socket is disconnected, or the SSL handshake fails), false is returned.

The following example waits up to one second for the socket to be encrypted:

 socket->connectToHostEncrypted("imap", 993);
 if (socket->waitForEncrypted(1000))
     qDebug("Encrypted!");

If msecs is -1, this function will not time out.

See also startClientEncryption(), startServerEncryption(), encrypted(), and isEncrypted().

[override virtual] bool QSslSocket::waitForReadyRead(int msecs = 30000)

Reimplements: QAbstractSocket::waitForReadyRead(int msecs).

[override virtual protected] qint64 QSslSocket::writeData(const char *data, qint64 len)

Reimplements: QAbstractSocket::writeData(const char *data, qint64 size).

Related Non-Members

[since 6.0] enum class AlertLevel

Describes the level of an alert message

This enum describes the level of an alert message that was sent or received.

ConstantValueDescription
QSslSocket::AlertLevel::Warning0Non-fatal alert message
QSslSocket::AlertLevel::Fatal1Fatal alert message, the underlying backend will handle such an alert properly and close the connection.
QSslSocket::AlertLevel::Unknown2An alert of unknown level of severity.

This enum was introduced in Qt 6.0.

[since 6.0] enum class AlertType

Enumerates possible codes that an alert message can have

See RFC 8446, section 6 for the possible values and their meaning.

ConstantValueDescription
QSslSocket::AlertType::CloseNotify0,
QSslSocket::AlertType::UnexpectedMessage10 
QSslSocket::AlertType::BadRecordMac20 
QSslSocket::AlertType::RecordOverflow22 
QSslSocket::AlertType::DecompressionFailure30 
QSslSocket::AlertType::HandshakeFailure40 
QSslSocket::AlertType::NoCertificate41 
QSslSocket::AlertType::BadCertificate42 
QSslSocket::AlertType::UnsupportedCertificate43 
QSslSocket::AlertType::CertificateRevoked44 
QSslSocket::AlertType::CertificateExpired45 
QSslSocket::AlertType::CertificateUnknown46 
QSslSocket::AlertType::IllegalParameter47 
QSslSocket::AlertType::UnknownCa48 
QSslSocket::AlertType::AccessDenied49 
QSslSocket::AlertType::DecodeError50 
QSslSocket::AlertType::DecryptError51 
QSslSocket::AlertType::ExportRestriction60 
QSslSocket::AlertType::ProtocolVersion70 
QSslSocket::AlertType::InsufficientSecurity71 
QSslSocket::AlertType::InternalError80 
QSslSocket::AlertType::InappropriateFallback86 
QSslSocket::AlertType::UserCancelled90 
QSslSocket::AlertType::NoRenegotiation100 
QSslSocket::AlertType::MissingExtension109 
QSslSocket::AlertType::UnsupportedExtension110 
QSslSocket::AlertType::CertificateUnobtainable111 
QSslSocket::AlertType::UnrecognizedName112 
QSslSocket::AlertType::BadCertificateStatusResponse113 
QSslSocket::AlertType::BadCertificateHashValue114 
QSslSocket::AlertType::UnknownPskIdentity115 
QSslSocket::AlertType::CertificateRequired116 
QSslSocket::AlertType::NoApplicationProtocol120 
QSslSocket::AlertType::UnknownAlertMessage255 

This enum was introduced in Qt 6.0.

[since 6.1] enum class ImplementedClass

Enumerates classes that a TLS backend implements

In QtNetwork, some classes have backend-specific implementation and thus can be left unimplemented. Enumerators in this enum indicate, which class has a working implementation in the backend.

ConstantValueDescription
QSslSocket::ImplementedClass::Key0Class QSslKey.
QSslSocket::ImplementedClass::Certificate1Class QSslCertificate.
QSslSocket::ImplementedClass::Socket2Class QSslSocket.
QSslSocket::ImplementedClass::DiffieHellman3Class QSslDiffieHellmanParameters.
QSslSocket::ImplementedClass::EllipticCurve4Class QSslEllipticCurve.
QSslSocket::ImplementedClass::Dtls5Class QDtls.
QSslSocket::ImplementedClass::DtlsCookie6Class QDtlsClientVerifier.

This enum was introduced in Qt 6.1.

[since 6.1] enum class SupportedFeature

Enumerates possible features that a TLS backend supports

In QtNetwork TLS-related classes have public API, that may be left unimplemented by some backend, for example, our SecureTransport backend does not support server-side ALPN. Enumerators from SupportedFeature enum indicate that a particular feature is supported.

ConstantValueDescription
QSslSocket::SupportedFeature::CertificateVerification0Indicates that QSslCertificate::verify() is implemented by the backend.
QSslSocket::SupportedFeature::ClientSideAlpn1Client-side ALPN (Application Layer Protocol Negotiation).
QSslSocket::SupportedFeature::ServerSideAlpn2Server-side ALPN.
QSslSocket::SupportedFeature::Ocsp3OCSP stapling (Online Certificate Status Protocol).
QSslSocket::SupportedFeature::Psk4Pre-shared keys.
QSslSocket::SupportedFeature::SessionTicket5Session tickets.
QSslSocket::SupportedFeature::Alerts6Information about alert messages sent and received.

This enum was introduced in Qt 6.1.