[Interest] QSslSocket with a self-signed certificate
Konstantin Shegunov
2018-11-22 12:09:38 UTC
Hello,
I'm struggling to get an SSL connection established between a server and a
client of mine using a self-signed certificate. The SSL handshake fails but
I can't seem to find out why. Here's what I did:

For the server:

1) I generated a key and certificate.
2) I've set them to the socket like this:
socket->setPrivateKey(keyFile);
socket->setLocalCertificate(certificateFile);
3) I call QSslSocket::startServerEncryption to get the handshake rolling.


For the client:

1) I used the server's certificate and loaded it (verified it loads
properly).
2) I set it to the socket with QSslSocket::addCaCertificate.
3) I call QSslSocket::startClientEncryption.


The problem is the client drops the connection with
QAbstractSocket::SslHandshakeFailedError, however I get nothing from the
QSslSocket::sslErrors signal (also nada from the method).

I observed, however, that the client socket raises the
QSslSocket::preSharedKeyAuthenticationRequired for some reason. As I don't
really handle this one (only debug output) I imagine this is the reason the
handshake fails. Nonetheless, I thought a PSK authentication shouldn't be
required whenever I provide a key and a certificate server-side.

Any ideas why this is failing and how to solve it?

Thanks in advance!
Kind regards.
Mårten Nordheim
2018-11-22 16:10:28 UTC
Does it work if you call setProtocol(QSsl::TlsV1_2) on the client
socket/configuration before connecting?

The PSK emission you see sounds like OpenSSL 1.1.1 with TLS 1.3, but I
don't think it should fail the handshake, or at least don't remember
seeing it do that.

- Mårten
Post by Konstantin Shegunov
Hello,
I'm struggling to get an SSL connection established between a server and
a client of mine using a self-signed certificate. The SSL handshake
1) I generated a key and certificate.
socket->setPrivateKey(keyFile);
socket->setLocalCertificate(certificateFile);
3) I call QSslSocket::startServerEncryption to get the handshake rolling.
1) I used the server's certificate and loaded it (verified it loads
properly).
2) I set it to the socket with QSslSocket::addCaCertificate.
3) I call QSslSocket::startClientEncryption.
The problem is the client drops the connection with
QAbstractSocket::SslHandshakeFailedError, however I get nothing from the
QSslSocket::sslErrors signal (also nada from the method).
I observed, however, that the client socket raises the
QSslSocket::preSharedKeyAuthenticationRequired for some reason. As I
don't really handle this one (only debug output) I imagine this is the
reason the handshake fails. Nonetheless, I thought a PSK authentication
shouldn't be required whenever I provide a key and a certificate
server-side.
Any ideas why this is failing and how to solve it?
Thanks in advance!
Kind regards.
_______________________________________________
Interest mailing list
https://lists.qt-project.org/listinfo/interest
Konstantin Shegunov
2018-11-22 18:52:32 UTC
Post by Mårten Nordheim
Does it work if you call setProtocol(QSsl::TlsV1_2) on the client
socket/configuration before connecting?
No, same error. I'm not 100% the problem is strictly the client because if
I run
$> openssl s_client -connect 127.0.0.1:7777 -tls1_2

I get the following:

CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 206 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542911999
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

While at the server side debug output I read:

QAbstractSocket::ConnectedState
QAbstractSocket::SocketError(13) : Encrypting the connection failed
QAbstractSocket::UnconnectedState

Post by Mårten Nordheim
The PSK emission you see sounds like OpenSSL 1.1.1 with TLS 1.3, but I
don't think it should fail the handshake, or at least don't remember
seeing it do that.
Indeed, the loaded library is openssl v1.1.1 from
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
Setting TLS 1.2 also emits preSharedKeyAuthenticationRequired, though.
Konstantin Shegunov
2018-11-23 07:15:45 UTC
Post by Konstantin Shegunov
No, same error. I'm not 100% the problem is strictly the client
It turned out it isn't. The server didn't manifest the certificate at all
due to an error on my part - I gave it the wrong file path.
To add insult to injury QSslSocket::setLocalCertificate silently succeeds
whatever path you give it; no return status, no debug warning, no ssl
error, no nothing.

Still, thank you Mårten for the comment, I appreciate it nonetheless.
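As an added example (not code from the thread, from Qt, or from either poster): a POSIX shell pre-flight check for the server's key and certificate files, plus a classifier for the openssl s_client output quoted earlier in the thread, so that a wrong path or mismatched pair is caught before QSslSocket::setLocalCertificate() silently accepts it. The file paths and the certificate subject used in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example: catch the failure the thread ends on (a certificate path that
# QSslSocket::setLocalCertificate() accepts without any error) before the
# handshake ever starts. Requires the openssl command-line tool.

# Returns 0 only if both files are readable, parse as PEM, and the private key
# actually belongs to the certificate; prints the first problem found to stderr.
check_cert_key_pair() {
  cert="$1"; key="$2"
  [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 1; }
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "not a valid PEM certificate: $cert" >&2; return 1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 \
    || { echo "not a valid private key: $key" >&2; return 1; }
  # Compare the SubjectPublicKeyInfo embedded in the cert with the one derived
  # from the private key; a wrong key file fails here even though both parse.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate: $key / $cert" >&2; return 1; }
  return 0
}

# Reads openssl s_client output on stdin and prints "nocert" when the server
# sent no certificate at all (the symptom quoted in the thread) or "cert" when
# a peer certificate was presented.
classify_s_client_output() {
  if grep -q 'no peer certificate available'; then echo nocert; else echo cert; fi
}

# Usage (paths are assumptions): run before starting the server, then probe it.
#   check_cert_key_pair /etc/myserver/cert.pem /etc/myserver/key.pem || exit 1
#   openssl s_client -connect 127.0.0.1:7777 -tls1_2 </dev/null 2>/dev/null \
#     | classify_s_client_output
```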