Error using SSL connection
SirHeisenberg opened this issue
Hello, I've been struggling with SSL connection, can't make it work.
This is my code:
```cpp
#include <QFile>
#include <QIODevice>
#include <QList>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QSslKey>
#include <QSslSocket>
#include "qmqtt.h"

// Open the certificate and private-key PEM files read-only
QFile certFile("/home/yeray/Escritorio/QT_Proyectos/cliente_qt/omron_fins_2/caaa.crt");
QFile keyFile("/home/yeray/Escritorio/QT_Proyectos/cliente_qt/omron_fins_2/caaa.key");
certFile.open(QIODevice::ReadOnly);
keyFile.open(QIODevice::ReadOnly);

// Parse the certificate and put it in the list used as the CA store
QSslCertificate certificate(&certFile, QSsl::Pem);
QList<QSslCertificate> certificates;
certificates.append(certificate);

// Parse the passphrase-protected RSA private key
QByteArray passPhrase("prueba12345+");
QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, passPhrase);
certFile.close();
keyFile.close();

// Build the TLS configuration from Qt's defaults and hand it to the MQTT client
QSslConfiguration sslConfiguration = QSslConfiguration::defaultConfiguration();
sslConfiguration.setPeerVerifyMode(QSslSocket::AutoVerifyPeer);
sslConfiguration.setCaCertificates(certificates);
sslConfiguration.setPrivateKey(sslKey);
sslConfiguration.setProtocol(QSsl::TlsV1SslV3);
m_client = new QMQTT::Client("192.168.20.5", 8883, sslConfiguration);
```
The QSslConfiguration can perfectly read the certificate and key, since `certificados[0].issuerDisplayName()` contains the issuer name and `sslConfiguration.privateKey().isNull()` is false.
However, I get client error 14.
This error only happens with:
`sslConfiguration.setPeerVerifyMode (QSslSocket::AutoVerifyPeer)`
and `sslConfiguration.setPeerVerifyMode (QSslSocket::VerifyPeer)`
While with:
`sslConfiguration.setPeerVerifyMode (QSslSocket::QueryPeer)`
and `sslConfiguration.setPeerVerifyMode (QSslSocket::VerifyNone)`
it works fine.
The certificate is from the server's side, so there is no client-side certificate authentication set yet.
Thanks.
Reassigning to @ejvr, our SSL expert.
Hmm, SSL expert is a bit over the top I fear. Anyway, I know that certificates are usually tied to a hostname and won't work if you use its IP address instead when connecting. That may be the case here.
@ejvr so how could I connect using both, a certificate and an IP, since the IP is mandatory?
I guess this is not possible within TLS/SSL; you are always required to use the hostname, i.e. the DNS address. In case you have no DNS infrastructure in place, try to add an appropriate /etc/hosts entry. I think it should do.
During creation of CA-certificate you have to specify a host name. You should use that host name instead of the IP address when creating the client.
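The hostname check the replies above describe, as an added illustration that is not code from this thread or the qmqtt project: a peer name is matched against the certificate's subjectAltName entries, an IP literal only against iPAddress entries, so a certificate issued for a DNS name verifies when the client connects by that name (e.g. via /etc/hosts) but fails when it connects to 192.168.20.5. The certificate dicts below are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the names in them are assumptions.

```python
import ipaddress

# Constructed sample certificates in the dict shape of ssl.SSLSocket.getpeercert()
CERT_DNS_ONLY = {
    "subject": ((("commonName", "mqtt.example.lan"),),),
    "subjectAltName": (("DNS", "mqtt.example.lan"), ("DNS", "*.iot.example.lan")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "mqtt.example.lan"),),),
    "subjectAltName": (("DNS", "mqtt.example.lan"), ("IP Address", "192.168.20.5")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive, '*' allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject wildcards that are not a full label, too short (e.g. *.com) or of different depth
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_matches(cert: dict, peer: str) -> bool:
    """Return True if the peer name used to connect is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only compared with iPAddress SANs, never with the CN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:
        # Legacy fallback to the CN only when the certificate carries no DNS SAN at all
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, peer) for name in dns_names)


if __name__ == "__main__":
    for peer in ("mqtt.example.lan", "192.168.20.5"):
        print(peer, "DNS-only cert:", peer_matches(CERT_DNS_ONLY, peer),
              "cert with IP SAN:", peer_matches(CERT_WITH_IP_SAN, peer))
```

Qt's own check behaves the same way; `QSslSocket::connectToHostEncrypted` also takes a separate `sslPeerName` argument so the TCP connection can go to an address while verification uses the certified name.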