emqx / qmqtt

MQTT client for Qt

Home Page: https://www.emqx.com


Error using SSL connection

SirHeisenberg opened this issue · comments

Hello, I've been struggling with the SSL connection and can't make it work.

This is my code:

  #include <QFile>
  #include <QIODevice>
  #include <QList>
  #include <QSslCertificate>
  #include <QSslConfiguration>
  #include <QSslKey>
  #include <QSslSocket>
  #include "qmqtt.h"

  // CA certificate (PEM) that the broker's certificate chains to, and a PEM private key
  QFile certFile("/home/yeray/Escritorio/QT_Proyectos/cliente_qt/omron_fins_2/caaa.crt");
  QFile keyFile("/home/yeray/Escritorio/QT_Proyectos/cliente_qt/omron_fins_2/caaa.key");

  certFile.open(QIODevice::ReadOnly);
  keyFile.open(QIODevice::ReadOnly);

  QSslCertificate certificate(&certFile, QSsl::Pem);

  QList<QSslCertificate> certificates;
  certificates.append(certificate);

  // Passphrase protecting the PEM-encoded RSA private key
  QByteArray passPhrase("prueba12345+");
  QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, passPhrase);

  certFile.close();
  keyFile.close();

  QSslConfiguration sslConfiguration = QSslConfiguration::defaultConfiguration();

  // Verify the broker's certificate against the CA list below; the host name used to
  // connect must match a name in the broker's certificate for this to succeed
  sslConfiguration.setPeerVerifyMode(QSslSocket::AutoVerifyPeer);
  sslConfiguration.setCaCertificates(certificates);
  // Private key only; no setLocalCertificate() is called, so no client certificate is sent
  sslConfiguration.setPrivateKey(sslKey);
  // TlsV1SslV3 allows TLSv1.0 or SSLv3; QSsl::SecureProtocols is the safer choice
  sslConfiguration.setProtocol(QSsl::TlsV1SslV3);

  // Connect by IP address, port 8883 (MQTT over TLS)
  m_client = new QMQTT::Client("192.168.20.5", 8883, sslConfiguration);

The QSslConfiguration can perfectly read the certificate and key since certificados[0].issuerDisplayName() contains the issuer name and sslConfiguration.privateKey().isNull() is false.

However, I got client error 14.

This error only happens with:
sslConfiguration.setPeerVerifyMode (QSslSocket::AutoVerifyPeer) and sslConfiguration.setPeerVerifyMode (QSslSocket::VerifyPeer)

While with:
sslConfiguration.setPeerVerifyMode (QSslSocket::QueryPeer) and sslConfiguration.setPeerVerifyMode (QSslSocket::VerifyNone) it works fine.

The certificate is from the server's side, so there is no client-side certificate authentication set yet.

Thanks.

Reassigning to @ejvr, our SSL expert.

commented

Hmm, "SSL expert" is a bit over the top, I fear. Anyway, I know that certificates are usually tied to a hostname and won't work if you use its IP address instead when connecting. That may be the case here.

@ejvr so how could I connect using both a certificate and an IP, since the IP is mandatory?

I guess this is not possible within TLS/SSL; you are always required to use the hostname, that is, the DNS address. In case you have no DNS infrastructure in place, try to add an appropriate /etc/hosts entry. I think it should do.

commented

During creation of the CA certificate you have to specify a host name. You should use that host name instead of the IP address when creating the client.
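Added example, not from the qmqtt project or from anyone in this thread: the /etc/hosts workaround above is one option, but X.509 also allows a certificate to name an IP address directly through an iPAddress subjectAltName entry (RFC 5280), and OpenSSL checks an IP peer name only against those SAN entries, never against the CN. The script below builds a private CA, issues a broker certificate with both a DNS and an IP SAN, issues a second one with no SAN at all, and then checks which peer names each one verifies for. The CA name "Example MQTT CA" and the host name "broker.local" are assumptions; 192.168.20.5 is the broker address from the issue. Whether a given Qt version honours an IP SAN in its own host name check is a separate question; this shows what the certificate itself must contain.

```shell
#!/bin/sh
# Added example (not part of the qmqtt project or this issue): issue a broker
# certificate whose subjectAltName carries both a DNS name and an IP address,
# then check which peer names OpenSSL accepts for it. Assumed values: CA name
# "Example MQTT CA", broker host name "broker.local", broker IP 192.168.20.5.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: the DN for the CSR, plus CA extensions used only with -x509.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = broker.local
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the broker certificate: DNS and IP SAN entries plus serverAuth.
cat > san.ext <<'EOF'
subjectAltName = DNS:broker.local, IP:192.168.20.5
extendedKeyUsage = serverAuth
EOF

# 1. Private CA. ca.crt is the file a Qt client hands to setCaCertificates().
openssl req -x509 -config req.cnf -subj "/CN=Example MQTT CA" \
  -newkey rsa:2048 -nodes -sha256 -days 365 -keyout ca.key -out ca.crt 2>/dev/null

# 2. Broker key and CSR (CN=broker.local comes from req.cnf).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout server.key -out server.csr 2>/dev/null

# 3a. Broker certificate with the SAN: the one the broker should serve on 8883.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -extfile san.ext -out server.crt 2>/dev/null

# 3b. Same CSR signed without any SAN: only CN=broker.local identifies it.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -out server-nosan.crt 2>/dev/null

# verifies_for <-verify_hostname|-verify_ip> <name> <cert>
# Prints "yes" if the chain validates against ca.crt AND the certificate is
# valid for <name>, "no" otherwise. The ": OK" line is matched instead of the
# exit status because old OpenSSL releases exit 0 even when verification fails.
verifies_for() {
  if openssl verify -CAfile ca.crt "$1" "$2" "$3" 2>&1 | grep -q ': OK$'; then
    echo yes
  else
    echo no
  fi
}

echo "server.crt       host broker.local : $(verifies_for -verify_hostname broker.local server.crt)"
echo "server.crt       ip   192.168.20.5 : $(verifies_for -verify_ip 192.168.20.5 server.crt)"
echo "server-nosan.crt host broker.local : $(verifies_for -verify_hostname broker.local server-nosan.crt)"
echo "server-nosan.crt ip   192.168.20.5 : $(verifies_for -verify_ip 192.168.20.5 server-nosan.crt)"
```

The SAN certificate verifies for both the DNS name and the IP; the SAN-less one still verifies for broker.local because OpenSSL falls back to the CN when no SAN is present, but it never verifies for the IP, which is the situation a client connecting to 192.168.20.5 with VerifyPeer hits. Against a live broker the same check is `openssl s_client -connect 192.168.20.5:8883 -CAfile ca.crt -verify_ip 192.168.20.5` (or `-verify_hostname broker.local`), which reports the hostname mismatch explicitly instead of a bare handshake error.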