Diffstat (limited to 'src')
-rw-r--r-- | src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp | 2 | ||||
-rw-r--r-- | src/network/ssl/qssl.h | 12 | ||||
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 2 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 3 | ||||
-rw-r--r-- | src/network/ssl/qtlsbackend.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qdtls_openssl.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp | 19 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlsbackend_openssl.cpp | 6 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtls_schannel.cpp | 22 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st.cpp | 18 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st.cpp | 3 | ||||
-rw-r--r-- | src/plugins/tls/shared/qdtls_base.cpp | 3 |
13 files changed, 84 insertions, 15 deletions
diff --git a/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp b/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp index b857a57a635..57640297515 100644 --- a/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp +++ b/src/network/doc/snippets/code/src_network_ssl_qsslconfiguration.cpp @@ -50,7 +50,7 @@ //! [0] QSslConfiguration config = sslSocket.sslConfiguration(); -config.setProtocol(QSsl::TlsV1_0); +config.setProtocol(QSsl::TlsV1_2); sslSocket.setSslConfiguration(config); //! [0] diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h index ba8dc16d17e..e54f886074c 100644 --- a/src/network/ssl/qssl.h +++ b/src/network/ssl/qssl.h @@ -73,18 +73,18 @@ namespace QSsl { }; enum SslProtocol { - TlsV1_0, - TlsV1_1, + TlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), + TlsV1_1 QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), TlsV1_2, AnyProtocol, SecureProtocols, - TlsV1_0OrLater, - TlsV1_1OrLater, + TlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), + TlsV1_1OrLater QT_DEPRECATED_VERSION_X_6_3("Use TlsV1_2OrLater instead."), TlsV1_2OrLater, - DtlsV1_0, - DtlsV1_0OrLater, + DtlsV1_0 QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."), + DtlsV1_0OrLater QT_DEPRECATED_VERSION_X_6_3("Use DtlsV1_2OrLater instead."), DtlsV1_2, DtlsV1_2OrLater, diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index 916774db04e..9684e3477e6 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp 
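Review bot: `AnyProtocol` is left without a deprecation marker or a comment in the `SslProtocol` enum, although the OpenSSL hunk in `QSslContext::initSslContext` still groups `case QSsl::AnyProtocol:` with `TlsV1_0OrLater` and sets `minVersion = TLS1_VERSION`. With `SecureProtocols` moved up to TLS 1.2 by this commit, `AnyProtocol` becomes a non-deprecated value that can still negotiate TLS 1.0 or 1.1 without any compiler warning. A comment on the enumerator would make that explicit, for example `AnyProtocol, // still allows TLS 1.0/1.1 where the backend supports them; prefer SecureProtocols`. The enum continues outside this hunk.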
@@ -107,7 +107,7 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; change the settings in the related SSL connection. You must call setSslConfiguration on a modified QSslConfiguration object to achieve that. The following example illustrates how to change the - protocol to TLSv1_0 in a QSslSocket object: + protocol to TLSv1_2 in a QSslSocket object: \snippet code/src_network_ssl_qsslconfiguration.cpp 0 diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 003bbf07871..0427365b7f2 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2092,6 +2092,8 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where) // Should not be used when configuring QSslSocket. protocolName = QLatin1String("UnknownProtocol"); Q_FALLTHROUGH(); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: case QSsl::DtlsV1_2: case QSsl::DtlsV1_0OrLater: @@ -2100,6 +2102,7 @@ bool QSslSocketPrivate::verifyProtocolSupported(const char *where) setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, QSslSocket::tr("Attempted to use an unsupported protocol.")); return false; +QT_WARNING_POP default: return true; } diff --git a/src/network/ssl/qtlsbackend.cpp b/src/network/ssl/qtlsbackend.cpp index 9733168aab9..e4b7a718efb 100644 --- a/src/network/ssl/qtlsbackend.cpp +++ b/src/network/ssl/qtlsbackend.cpp @@ -808,6 +808,8 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int QString protoString = descriptionList.at(1).toString(); ciph.d->protocolString = protoString; ciph.d->protocol = QSsl::UnknownProtocol; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED if (protoString == QLatin1String("TLSv1")) ciph.d->protocol = QSsl::TlsV1_0; else if (protoString == QLatin1String("TLSv1.1")) 
@@ -816,6 +818,7 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &descriptionOneLine, int ciph.d->protocol = QSsl::TlsV1_2; else if (protoString == QLatin1String("TLSv1.3")) ciph.d->protocol = QSsl::TlsV1_3; +QT_WARNING_POP if (descriptionList.at(2).startsWith(QLatin1String("Kx="))) ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3).toString(); diff --git a/src/plugins/tls/openssl/qdtls_openssl.cpp b/src/plugins/tls/openssl/qdtls_openssl.cpp index 55a82f7fd4f..d8b850f5760 100644 --- a/src/plugins/tls/openssl/qdtls_openssl.cpp +++ b/src/plugins/tls/openssl/qdtls_openssl.cpp @@ -1421,9 +1421,12 @@ void QDtlsPrivateOpenSSL::fetchNegotiatedParameters() // TLS 1.2, that's how it's set by OpenSSL (and that's what they are?). switch (q_SSL_version(dtls.tlsConnection.data())) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case DTLS1_VERSION: sessionProtocol = QSsl::DtlsV1_0; break; +QT_WARNING_POP case DTLS1_2_VERSION: sessionProtocol = QSsl::DtlsV1_2; break; diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index c0afc32e47b..dae87374cbf 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -102,13 +102,16 @@ long QSslContext::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptio { long options; switch (protocol) { - case QSsl::SecureProtocols: +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; break; case QSsl::TlsV1_1OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; break; +QT_WARNING_POP + case QSsl::SecureProtocols: case QSsl::TlsV1_2OrLater: options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; break; 
@@ -363,8 +366,11 @@ void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mo bool isDtls = false; init_context: switch (sslContext->sslConfiguration.protocol()) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: case QSsl::DtlsV1_0OrLater: +QT_WARNING_POP case QSsl::DtlsV1_2: case QSsl::DtlsV1_2OrLater: #if QT_CONFIG(dtls) @@ -419,6 +425,8 @@ init_context: long maxVersion = anyVersion; switch (sslContext->sslConfiguration.protocol()) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0: minVersion = TLS1_VERSION; maxVersion = TLS1_VERSION; @@ -427,6 +435,7 @@ init_context: minVersion = TLS1_1_VERSION; maxVersion = TLS1_1_VERSION; break; +QT_WARNING_POP case QSsl::TlsV1_2: minVersion = TLS1_2_VERSION; maxVersion = TLS1_2_VERSION; @@ -443,7 +452,8 @@ init_context: break; // Ranges: case QSsl::AnyProtocol: - case QSsl::SecureProtocols: +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: minVersion = TLS1_VERSION; maxVersion = 0; @@ -452,10 +462,14 @@ init_context: minVersion = TLS1_1_VERSION; maxVersion = 0; break; +QT_WARNING_POP + case QSsl::SecureProtocols: case QSsl::TlsV1_2OrLater: minVersion = TLS1_2_VERSION; maxVersion = 0; break; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: minVersion = DTLS1_VERSION; maxVersion = DTLS1_VERSION; @@ -464,6 +478,7 @@ init_context: minVersion = DTLS1_VERSION; maxVersion = DTLS_MAX_VERSION; break; +QT_WARNING_POP case QSsl::DtlsV1_2: minVersion = DTLS1_2_VERSION; maxVersion = DTLS1_2_VERSION; diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index 339973f9e9e..dbbd9b29a86 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp 
@@ -1159,10 +1159,13 @@ QSsl::SslProtocol TlsCryptographOpenSSL::sessionProtocol() const const int ver = q_SSL_version(ssl); switch (ver) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case 0x301: return QSsl::TlsV1_0; case 0x302: return QSsl::TlsV1_1; +QT_WARNING_POP case 0x303: return QSsl::TlsV1_2; case 0x304: diff --git a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp index 7711f66bb51..0f364929b33 100644 --- a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp +++ b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp @@ -291,10 +291,13 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; @@ -304,8 +307,11 @@ QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const #endif // TLS1_3_VERSION #if QT_CONFIG(dtls) +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::DtlsV1_0; protocols << QSsl::DtlsV1_0OrLater; +QT_WARNING_POP protocols << QSsl::DtlsV1_2; protocols << QSsl::DtlsV1_2OrLater; #endif // dtls diff --git a/src/plugins/tls/schannel/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp index 9973f3ed0ed..d1eec00234a 100644 --- a/src/plugins/tls/schannel/qtls_schannel.cpp +++ b/src/plugins/tls/schannel/qtls_schannel.cpp 
@@ -176,8 +176,11 @@ QList<QSslCipher> defaultCiphers() // @temp (I hope), stolen from qsslsocket_winrt.cpp const QString protocolStrings[] = { QStringLiteral("TLSv1"), QStringLiteral("TLSv1.1"), QStringLiteral("TLSv1.2"), QStringLiteral("TLSv1.3") }; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED const QSsl::SslProtocol protocols[] = { QSsl::TlsV1_0, QSsl::TlsV1_1, QSsl::TlsV1_2, QSsl::TlsV1_3 }; +QT_WARNING_POP const int size = ARRAYSIZE(protocols); static_assert(size == ARRAYSIZE(protocolStrings)); ciphers.reserve(size); @@ -264,10 +267,13 @@ QList<QSsl::SslProtocol> QSchannelBackend::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; @@ -430,9 +436,12 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) switch (protocol) { case QSsl::UnknownProtocol: return DWORD(-1); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::DtlsV1_0: - case QSsl::DtlsV1_2: case QSsl::DtlsV1_0OrLater: +QT_WARNING_POP + case QSsl::DtlsV1_2: case QSsl::DtlsV1_2OrLater: return DWORD(-1); // Not supported at the moment (@future) case QSsl::AnyProtocol: @@ -440,12 +449,15 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) if (supportsTls13()) protocols |= SP_PROT_TLS1_3; break; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0: protocols = SP_PROT_TLS1_0; break; case QSsl::TlsV1_1: protocols = SP_PROT_TLS1_1; break; +QT_WARNING_POP case QSsl::TlsV1_2: protocols = SP_PROT_TLS1_2; break; 
@@ -455,7 +467,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) else protocols = DWORD(-1); break; - case QSsl::SecureProtocols: // TLS v1.0 and later is currently considered secure +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case QSsl::TlsV1_0OrLater: // For the "OrLater" protocols we fall through from one to the next, adding all of them // in ascending order @@ -464,6 +477,8 @@ DWORD toSchannelProtocol(QSsl::SslProtocol protocol) case QSsl::TlsV1_1OrLater: protocols |= SP_PROT_TLS1_1; Q_FALLTHROUGH(); +QT_WARNING_POP + case QSsl::SecureProtocols: // TLS v1.2 and later is currently considered secure case QSsl::TlsV1_2OrLater: protocols |= SP_PROT_TLS1_2; Q_FALLTHROUGH(); @@ -504,8 +519,11 @@ QSsl::SslProtocol toQtSslProtocol(DWORD protocol) return q_protocol; \ } +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED MAP_PROTOCOL(SP_PROT_TLS1_0, QSsl::TlsV1_0) MAP_PROTOCOL(SP_PROT_TLS1_1, QSsl::TlsV1_1) +QT_WARNING_POP MAP_PROTOCOL(SP_PROT_TLS1_2, QSsl::TlsV1_2) MAP_PROTOCOL(SP_PROT_TLS1_3, QSsl::TlsV1_3) #undef MAP_PROTOCOL diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp index 6741fbc5b26..3c23d675984 100644 --- a/src/plugins/tls/securetransport/qtls_st.cpp +++ b/src/plugins/tls/securetransport/qtls_st.cpp @@ -439,10 +439,13 @@ QSsl::SslProtocol TlsCryptographSecureTransport::sessionProtocol() const } switch (protocol) { +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED case kTLSProtocol1: return QSsl::TlsV1_0; case kTLSProtocol11: return QSsl::TlsV1_1; +QT_WARNING_POP case kTLSProtocol12: return QSsl::TlsV1_2; case kTLSProtocol13: @@ -922,6 +925,8 @@ bool TlsCryptographSecureTransport::setSessionProtocol() OSStatus err = errSecSuccess; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED if (configuration.protocol() == QSsl::TlsV1_0) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.0"; 
@@ -936,6 +941,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol() err = SSLSetProtocolVersionMin(context, kTLSProtocol11); if (err == errSecSuccess) err = SSLSetProtocolVersionMax(context, kTLSProtocol11); +QT_WARNING_POP } else if (configuration.protocol() == QSsl::TlsV1_2) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; @@ -950,9 +956,11 @@ bool TlsCryptographSecureTransport::setSessionProtocol() err = SSLSetProtocolVersionMin(context, kTLSProtocol1); } else if (configuration.protocol() == QSsl::SecureProtocols) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2"; + qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; #endif - err = SSLSetProtocolVersionMin(context, kTLSProtocol1); + err = SSLSetProtocolVersionMin(context, kTLSProtocol12); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED } else if (configuration.protocol() == QSsl::TlsV1_0OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1 - TLSv1.2"; @@ -963,6 +971,7 @@ bool TlsCryptographSecureTransport::setSessionProtocol() qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.1 - TLSv1.2"; #endif err = SSLSetProtocolVersionMin(context, kTLSProtocol11); +QT_WARNING_POP } else if (configuration.protocol() == QSsl::TlsV1_2OrLater) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2"; 
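Review bot: The new debug line in the `SecureProtocols` branch prints `requesting : TLSv1.2`, the same text the exact `QSsl::TlsV1_2` branch prints, yet this branch only calls `SSLSetProtocolVersionMin(context, kTLSProtocol12)` and sets no maximum. Someone reading a QSSLSOCKET_DEBUG log cannot tell a request pinned to TLS 1.2 from a TLS 1.2 floor. Wording such as `qCDebug(lcTlsBackend) << plainSocket << "requesting : TLSv1.2 or later";` would keep the log in step with what is configured. `setSessionProtocol()` starts and ends outside this hunk.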
@@ -999,11 +1008,14 @@ bool TlsCryptographSecureTransport::verifySessionProtocol() const if (configuration.protocol() == QSsl::AnyProtocol) protocolOk = true; else if (configuration.protocol() == QSsl::SecureProtocols) - protocolOk = (sessionProtocol() >= QSsl::TlsV1_0); + protocolOk = (sessionProtocol() >= QSsl::TlsV1_2); +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED else if (configuration.protocol() == QSsl::TlsV1_0OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_0); else if (configuration.protocol() == QSsl::TlsV1_1OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_1); +QT_WARNING_POP else if (configuration.protocol() == QSsl::TlsV1_2OrLater) protocolOk = (sessionProtocol() >= QSsl::TlsV1_2); else if (configuration.protocol() == QSsl::TlsV1_3OrLater) diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp index 7fc7692350f..b84faabcfa3 100644 --- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp +++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp @@ -294,10 +294,13 @@ QList<QSsl::SslProtocol> QSecureTransportBackend::supportedProtocols() const protocols << QSsl::AnyProtocol; protocols << QSsl::SecureProtocols; +QT_WARNING_PUSH +QT_WARNING_DISABLE_DEPRECATED protocols << QSsl::TlsV1_0; protocols << QSsl::TlsV1_0OrLater; protocols << QSsl::TlsV1_1; protocols << QSsl::TlsV1_1OrLater; +QT_WARNING_POP protocols << QSsl::TlsV1_2; protocols << QSsl::TlsV1_2OrLater; diff --git a/src/plugins/tls/shared/qdtls_base.cpp b/src/plugins/tls/shared/qdtls_base.cpp index 6a5979eb9e6..b27cac11d5d 100644 --- a/src/plugins/tls/shared/qdtls_base.cpp +++ b/src/plugins/tls/shared/qdtls_base.cpp 
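Review bot: `protocolOk = (sessionProtocol() >= QSsl::TlsV1_2);` compares enumerators by declaration order, and the `SslProtocol` enum shown in the qssl.h hunk is not ordered by protocol version: `AnyProtocol`, `SecureProtocols` and the DTLS values are all declared after `TlsV1_2`. The check is sound only while `sessionProtocol()` returns exact TLS versions, or a value that compares below `TlsV1_2`, which this hunk cannot confirm. Because this line now enforces the `SecureProtocols` floor, a comment stating the assumption would help, e.g. `// ordinal compare: valid only because sessionProtocol() yields exact TLS versions declared in ascending order`. The if/else chain continues outside the hunk.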
@@ -99,8 +99,11 @@ QDtlsBasePrivate::cookieGeneratorParameters() const
 bool QDtlsBasePrivate::isDtlsProtocol(QSsl::SslProtocol protocol)
 {
 switch (protocol) {
+QT_WARNING_PUSH
+QT_WARNING_DISABLE_DEPRECATED
 case QSsl::DtlsV1_0:
 case QSsl::DtlsV1_0OrLater:
+QT_WARNING_POP
 case QSsl::DtlsV1_2:
 case QSsl::DtlsV1_2OrLater:
 return true; |