[Interest] SslServer issues

Richard Moore rich at kde.org
Sat Mar 2 16:49:42 CET 2013


Okay, that's a lot clearer. Unfortunately, the documentation here is
both confusing and arguably wrong. When operating as a server socket,
it is not required to do anything with the sslErrors(). I've thrown
together a little example here:

https://gitorious.org/qt-examples/qt-examples/trees/master/sslserver

As you can see I don't touch the ssl errors at all (though you're
correct that they're being emitted). When operating as a server
socket, you only need to deal with SSL errors when you're requesting a
client certificate (i.e. using QSslSocket::VerifyPeer). If we look at
the documentation for the verify mode we see this:

"The default mode is AutoVerifyPeer, which tells QSslSocket to use
VerifyPeer for clients and QueryPeer for servers."

This leads me to suspect that the SSL errors that are being emitted
are in fact due to the fact that the client isn't presenting a certificate
(QueryPeer says it asks for, but does not require one), rather than to
do with the server chain at all. If I modify my example to dump the
errors, then connect to the server like this:

openssl s_client -connect localhost:4433 -key ca.key -cert ca.crt

Then the errors I see are actually those resulting from the key I've
provided with the openssl command line rather than those for the
server chain itself. I'll look into this a little further, but I think
that it's the correct explanation.

Regards

Rich.

On 27 February 2013 09:35, Francesco Lamonica <alienpenguin at gmail.com> wrote:
> Hello Rich,
>
> thanks for your answer
>
> I'll add a bit of code to make things clearer :)
>
>
> Upon connection the socket fires the onSslErrors() SLOT and there I see the
> "untrusted / self-signed cert" error message.
> In the slot I never switch to the codepaths where ignoreSslErrors() is
> invoked.
>
> Can you point out what I am doing wrong?
>
> thanks
>
> /*!
>   \brief we overload the virtual QTcpServer::incomingConnection(int) method in order to start the SSL Encryption
>   */
> void
> SslServer::incomingConnection(int socketDescriptor)
> {
>     //qDebug() << "############### server reports ssl socket on descriptor: " << socketDescriptor;
>     QSslSocket *serverSocket = new QSslSocket;
>     qDebug() << "using ssl socket at address " << serverSocket;
>     if (serverSocket->setSocketDescriptor(socketDescriptor)) {
>         qDebug() << "Incoming connection from " << serverSocket->peerAddress().toString() << ":" << serverSocket->peerPort();
>         connect(serverSocket, SIGNAL(encrypted()), this, SLOT(ready()));
>         connect(serverSocket, SIGNAL(error(QAbstractSocket::SocketError)),this,SLOT(onTcpError(QAbstractSocket::SocketError)));
>         connect(serverSocket, SIGNAL(sslErrors(QList<QSslError>)),this,SLOT(onSslErrors(QList<QSslError>)));
>         serverSocket->setLocalCertificate(m_ServerConfig.certfile, QSsl::Pem);
>         serverSocket->setPrivateKey(m_ServerConfig.keyfile, QSsl::Rsa, QSsl::Pem, "srv_certificate");
>
>         if(!serverSocket->localCertificate().isValid()) {
>             *m_flogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
>             *m_clogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
>         }
>         if(serverSocket->privateKey().isNull()) {
>             *m_flogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" << m_ServerConfig.keyfile << UNQL::eom;
>             *m_clogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" << m_ServerConfig.keyfile << UNQL::eom;
>         }
>
>         qDebug() << serverSocket->privateKey();
>         qDebug() << serverSocket->localCertificate();
>         serverSocket->startServerEncryption();
>
> #if (QT_VERSION >= 0x040700)
>         this->addPendingConnection(serverSocket); //this does not work with qt < 4.7
> #else
>         m_sslSocketQ.enqueue(serverSocket);
> #endif
>     } else {
>         delete serverSocket;
>     }
> }
>
> void SslServer::onSslErrors(QList<QSslError> aErrorList)
> {
>     qDebug() << "ssl error " << aErrorList;
>     QList<QSslError> errorsToIgnore;
>
>     foreach (QSslError se, aErrorList) {
>         qDebug() << se.errorString();
>         *m_flogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
>         *m_clogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
>         if (se.error()==QSslError::SelfSignedCertificate || se.error()==QSslError::SelfSignedCertificateInChain)
>         {
>             if (m_ServerConfig.allowUntrustedCerts) {
>                 qDebug() << "Cert is SelfSigned... but we're ok with that...";
>                 *m_flogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
>                 *m_clogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that"  << UNQL::eom;
>                 errorsToIgnore << se;
>             }
>         }
>     }
>     QSslSocket *sslsock = (QSslSocket*) sender();
>     if (m_ServerConfig.ignoreSslErrors) {
>         *m_flogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
>         *m_clogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
>         sslsock->ignoreSslErrors();
>     }
>     else {
>         *m_flogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
>         *m_clogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
>         if (errorsToIgnore.count()>0)
>             sslsock->ignoreSslErrors(errorsToIgnore);
>     }
>     qDebug() << "socket is encrypted: " << sslsock->isEncrypted();
> }
>
>
> On Sat, Feb 23, 2013 at 4:54 PM, Richard Moore <rich at kde.org> wrote:
>>
>> On 21 February 2013 18:32, Francesco Lamonica <alienpenguin at gmail.com>
>> wrote:
>> > I've implemented a simple SslServer inheriting from QTcpServer and
>> > overriding the incomingConnection() as suggested by the documentation.
>> > However I am stumbling on a strange problem: QSslSocket correctly fires
>> > the sslErrors() signal for a "self-signed certificate", but even though I
>> > do not call ignoreSslErrors() at any time the connection is not dropped
>> > (as the docs said it should be).
>> > Any ideas what I might check?
>>
>> You'll need to make your question much clearer. A server socket
>> doesn't verify its own certificate, that is something done by the
>> client. Any certificate verification done by the server is of the
>> chain provided by the client.
>>
>> Cheers
>>
>> Rich.
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/interest
>
>
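
Added example, not part of the thread or of the sslserver example linked above: an offline way to see what a verifying peer reports for the certificate a client presents, so a "self-signed certificate" error can be traced to the presented certificate and the verifier's trust store rather than to the server chain. It assumes OpenSSL 1.1.0 or later on the PATH; the subjects, file names and the helper names make_sample_certs and peer_verdict are made up for the illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed, throwaway test material.

# Create in directory $1 a self-signed certificate (ca.crt) and a client
# certificate signed by it (leaf.crt). Subjects and file names are assumptions.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Print "ok" or "error N" (N = first X.509 verify error) for peer certificate $1.
# $2 is an optional PEM file of trusted CAs; without it the trust store is empty.
peer_verdict() {
    cert=$1
    trust=${2:-}
    if [ -n "$trust" ]; then
        set -- -no-CApath -CAfile "$trust" "$cert"
    else
        set -- -no-CAfile -no-CApath "$cert"
    fi
    # openssl verify exits non-zero when the chain does not validate.
    if out=$(openssl verify "$@" 2>&1); then
        echo "ok"
        return 0
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "error ${code:-unknown}"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_certs "$tmp"
# Error 18 is "self-signed certificate", error 20 is "unable to get local issuer certificate".
echo "self-signed cert, empty trust store: $(peer_verdict "$tmp/ca.crt")"
echo "CA-signed cert, empty trust store:   $(peer_verdict "$tmp/leaf.crt")"
echo "CA-signed cert, CA trusted:          $(peer_verdict "$tmp/leaf.crt" "$tmp/ca.crt")"
```

The same certificate passes or fails depending only on what the verifier trusts, which is why the verdict changes with the certificate handed to `openssl s_client -cert` and not with the server's own chain.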


