[Interest] SslServer issues

Francesco Lamonica alienpenguin at gmail.com
Wed Feb 27 10:35:45 CET 2013


Hello Rich,

thanks for your answer.

I'll add a bit of code to make things clearer :)


Upon connection the socket fires the onSslErrors() SLOT and there I see the
"untrusted / self-signed cert" error message.
In the slot I never switch to the code paths where ignoreSslErrors() is
invoked.

Can you point out what I am doing wrong?

thanks

/*!
  \brief we overload the virtual QTcpServer::incomingConnection(int) method
  in order to start the SSL Encryption
  */
void
SslServer::incomingConnection(int socketDescriptor)
{
    //qDebug() << "############### server reports ssl socket on descriptor: " << socketDescriptor;
    QSslSocket *serverSocket = new QSslSocket;
    qDebug() << "using ssl socket at address " << serverSocket;
    if (serverSocket->setSocketDescriptor(socketDescriptor)) {
        qDebug() << "Incoming connection from " << serverSocket->peerAddress().toString() << ":" << serverSocket->peerPort();
        connect(serverSocket, SIGNAL(encrypted()), this, SLOT(ready()));
        connect(serverSocket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(onTcpError(QAbstractSocket::SocketError)));
        connect(serverSocket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(onSslErrors(QList<QSslError>)));
        // the server's own identity: certificate plus passphrase-protected private key
        serverSocket->setLocalCertificate(m_ServerConfig.certfile, QSsl::Pem);
        serverSocket->setPrivateKey(m_ServerConfig.keyfile, QSsl::Rsa, QSsl::Pem, "srv_certificate");

        if (!serverSocket->localCertificate().isValid()) {
            *m_flogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
            *m_clogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
        }
        if (serverSocket->privateKey().isNull()) {
            *m_flogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL) " << m_ServerConfig.keyfile << UNQL::eom;
            *m_clogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL) " << m_ServerConfig.keyfile << UNQL::eom;
        }

        qDebug() << serverSocket->privateKey();
        qDebug() << serverSocket->localCertificate();
        serverSocket->startServerEncryption();

        // addPendingConnection() was introduced in Qt 4.7
#if (QT_VERSION >= 0x040700)
        this->addPendingConnection(serverSocket);
#else
        m_sslSocketQ.enqueue(serverSocket); // own queue as fallback for Qt < 4.7
#endif
    } else {
        delete serverSocket;
    }
}

void SslServer::onSslErrors(QList<QSslError> aErrorList)
{
    qDebug() << "ssl error " << aErrorList;
    QList<QSslError> errorsToIgnore;

    foreach (QSslError se, aErrorList) {
        qDebug() << se.errorString();
        *m_flogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
        *m_clogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
        // only the self-signed cases are candidates for being ignored selectively
        if (se.error() == QSslError::SelfSignedCertificate ||
            se.error() == QSslError::SelfSignedCertificateInChain)
        {
            if (m_ServerConfig.allowUntrustedCerts) {
                qDebug() << "Cert is SelfSigned... but we're ok with that...";
                *m_flogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
                *m_clogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
                errorsToIgnore << se;
            }
        }
    }
    // the signal comes from the socket created in incomingConnection()
    QSslSocket *sslsock = qobject_cast<QSslSocket*>(sender());
    if (!sslsock)
        return;
    if (m_ServerConfig.ignoreSslErrors) {
        *m_flogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
        *m_clogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
        sslsock->ignoreSslErrors();
    }
    else if (errorsToIgnore.count() > 0) {
        *m_flogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
        *m_clogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
        sslsock->ignoreSslErrors(errorsToIgnore);
    }
    qDebug() << "socket is encrypted: " << sslsock->isEncrypted();
}


On Sat, Feb 23, 2013 at 4:54 PM, Richard Moore <rich at kde.org> wrote:

> On 21 February 2013 18:32, Francesco Lamonica <alienpenguin at gmail.com> wrote:
> > I've implemented a simple SslServer inheriting from QTcpServer and
> > overriding the incomingConnection() as suggested by the documentation.
> > However I am stumbling on a strange problem: QSslSocket fires correctly the
> > sslErrors() signal for a "self-signed certificate" but even though I do not
> > call ignoreSslErrors() at any time the connection is not dropped (as it
> > said it should in the docs).
> > Any ideas what I might check?
>
> You'll need to make your question much clearer. A server socket
> doesn't verify its own certificate, that is something done by the
> client. Any certificate verification done by the server is of the
> chain provided by the client.
>
> Cheers
>
> Rich.
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/interest
>
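An added example (mine, not code from the mail or from the project): the sslErrors() decision from onSslErrors() modelled without Qt, changed so that a self-signed error is ignored only when the certificate's fingerprint is on an explicit allow-list, not for any self-signed certificate. Worth knowing alongside Rich's point: a QSslSocket in server mode defaults to QSslSocket::QueryPeer, so an untrusted client chain by itself does not abort the handshake. SslErr, SslError, ServerConfig and decide() are names assumed for this example, and the fingerprints are constructed values.

```cpp
// Qt-free model of the "which SSL errors may be ignored" policy.
// Names and fingerprints below are assumptions for this example.
#include <set>
#include <string>
#include <vector>

enum class SslErr { NoError, SelfSignedCertificate, SelfSignedCertificateInChain,
                    CertificateExpired, HostNameMismatch };

// One handshake error plus the (constructed) hex fingerprint of the
// certificate it refers to, so a decision can be tied to a specific cert.
struct SslError { SslErr code; std::string fingerprint; };

struct ServerConfig {
    bool ignoreSslErrors = false;            // blanket ignore, as in the mail's config
    std::set<std::string> pinnedSelfSigned;  // self-signed certs explicitly accepted
};

struct Decision {
    std::vector<SslError> ignored;  // what would be handed to ignoreSslErrors(list)
    bool proceed;                   // true only if every reported error is covered
};

// Evaluate the reported errors against the policy. A self-signed error is
// accepted only for a pinned fingerprint; any other error leaves proceed=false.
Decision decide(const std::vector<SslError>& errors, const ServerConfig& cfg) {
    Decision d{{}, false};
    if (cfg.ignoreSslErrors) {  // the dangerous blanket path, kept for comparison
        d.ignored = errors;
        d.proceed = true;
        return d;
    }
    for (const SslError& e : errors) {
        bool selfSigned = e.code == SslErr::SelfSignedCertificate ||
                          e.code == SslErr::SelfSignedCertificateInChain;
        if (selfSigned && cfg.pinnedSelfSigned.count(e.fingerprint))
            d.ignored.push_back(e);
    }
    d.proceed = d.ignored.size() == errors.size();
    return d;
}
```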