[Interest] SslServer issues

Francesco Lamonica alienpenguin at gmail.com
Wed Mar 6 22:26:17 CET 2013 

Hi Richard, thanks for your example, i'll try it soon.
However, the error message i get happens when the client presents the
certificate and server report it as "untrusted".
Still i do not understand, if ignoreSslError is never called, why the
connection is not dropped?


On Sat, Mar 2, 2013 at 4:49 PM, Richard Moore <rich at kde.org> wrote:

> Okay, that's a lot clearer. Unfortunately, the documentation here is
> both confusing and arguably wrong. When operating as a server socket,
> it is not required to do anything with the sslErrors(). I've thrown
> together a little example here:
>
> https://gitorious.org/qt-examples/qt-examples/trees/master/sslserver
>
> As you can see I don't touch the ssl errors at all (though you're
> correct that they're being emitted). When operating as a server
> socket, you only need to deal with SSL errors when you're requesting a
> client certificate (ie using QSslSocket::VerifyPeer). If we look at
> the documentation for the verify mode we see this:
>
> "The default mode is AutoVerifyPeer, which tells QSslSocket to use
> VerifyPeer for clients and QueryPeer for servers."
>
> This leads me to suspect that the SSL errors that are being emitted
> are in fact due to the fact that client isn't presenting a certificate
> (QueryPeer says it asks for, but does not require one), rather than to
> do with the server chain at all. If I modify my example to dump the
> errors, then connect to the server like this:
>
> openssl s_client -connect localhost:4433 -key ca.key -cert ca.crt
>
> Then the errors I see are actually those resulting from the key I've
> provided with the openssl command line rather than those for the
> server chain itself. I'll look into this a little further, but I think
> that it's the correct explanation.
>
> Regards
>
> Rich.
>
> On 27 February 2013 09:35, Francesco Lamonica <alienpenguin at gmail.com>
> wrote:
> > Hello Rich,
> >
> > thanks for your answer
> >
> > i'll add a bit of code to make things clearer :)
> >
> >
> > Upon connection the socket fires onSslErrors() SLOT and there i see the
> > "untrusted / self-signed cert" error message.
> > In the slot i never siwtch to the codepaths where ignoreSslErrors() is
> > invoked.
> >
> > Can you point me what i am doing wrong?
> >
> > thanks
> >
> > /*!
> >   \brief we overload the virtual QTcpServer::incomingConnection(int)
> method
> > in order to start the SSL Encryption
> >   */
> > void
> > SslServer::incomingConnection(int socketDescriptor)
> > {
> >     //qDebug() << "############### server reports ssl socket on
> descriptor:
> > " << socketDescriptor;
> >     QSslSocket *serverSocket = new QSslSocket;
> >     qDebug() << "using ssl socket at address " << serverSocket;
> >     if (serverSocket->setSocketDescriptor(socketDescriptor)) {
> >      qDebug() << "Incoming connection from " <<
> > serverSocket->peerAddress().toString() << ":" <<
> serverSocket->peerPort();
> >      connect(serverSocket, SIGNAL(encrypted()), this, SLOT(ready()));
> >      connect(serverSocket,
> >
> SIGNAL(error(QAbstractSocket::SocketError)),this,SLOT(onTcpError(QAbstractSocket::SocketError)));
> >      connect(serverSocket,
> >
> SIGNAL(sslErrors(QList<QSslError>)),this,SLOT(onSslErrors(QList<QSslError>)));
> >      serverSocket->setLocalCertificate(m_ServerConfig.certfile,
> QSsl::Pem);
> >      serverSocket->setPrivateKey(m_ServerConfig.keyfile, QSsl::Rsa,
> > QSsl::Pem, "srv_certificate");
> >
> >      if(!serverSocket->localCertificate().isValid()) {
> >          *m_flogger << UNQL::LOG_CRITICAL << "Invalid certificate " <<
> > m_ServerConfig.certfile << UNQL::eom;
> >          *m_clogger << UNQL::LOG_CRITICAL << "Invalid certificate " <<
> > m_ServerConfig.certfile << UNQL::eom;
> >      }
> >      if(serverSocket->privateKey().isNull()) {
> >          *m_flogger << UNQL::LOG_CRITICAL << "Invalid private key
> (NULL)" <<
> > m_ServerConfig.keyfile << UNQL::eom;
> >          *m_clogger << UNQL::LOG_CRITICAL << "Invalid private key
> (NULL)" <<
> > m_ServerConfig.keyfile << UNQL::eom;
> >      }
> >
> >      qDebug() << serverSocket->privateKey();
> >      qDebug() << serverSocket->localCertificate();
> >      serverSocket->startServerEncryption();
> >
> > #if (QT_VERSION > 0x040700)
> >      this->addPendingConnection(serverSocket); //this does not work with
> qt
> > < 4.7
> > #else
> >      m_sslSocketQ.enqueue(serverSocket);
> > #endif
> >     } else {
> >      delete serverSocket;
> >     }
> > }
> >
> > void SslServer::onSslErrors(QList<QSslError> aErrorList)
> > {
> >     qDebug() << "ssl error " << aErrorList;
> >     QList<QSslError> errorsToIgnore;
> >
> >     foreach (QSslError se, aErrorList) {
> >         qDebug() << se.errorString();
> >         *m_flogger << UNQL::LOG_CRITICAL << "Server reports SSL error: "
> <<
> > se.errorString() << UNQL::eom;
> >         *m_clogger << UNQL::LOG_CRITICAL << "Server reports SSL error: "
> <<
> > se.errorString() << UNQL::eom;
> >         if (se.error()==QSslError::SelfSignedCertificate ||
> > se.error()==QSslError::SelfSignedCertificateInChain)
> >         {
> >             if (m_ServerConfig.allowUntrustedCerts) {
> >                 qDebug() << "Cert is SelfSigned... but we're ok with
> > that...";
> >                 *m_flogger << UNQL::LOG_INFO << "Client certificate is
> > untrusted but we're ok with that" << UNQL::eom;
> >                 *m_clogger << UNQL::LOG_INFO << "Client certificate is
> > untrusted but we're ok with that"  << UNQL::eom;
> >                 errorsToIgnore << se;
> >             }
> >         }
> >     }
> >     QSslSocket *sslsock = (QSslSocket*) sender();
> >     if (m_ServerConfig.ignoreSslErrors) {
> >         *m_flogger << UNQL::LOG_WARNING << "There were SSL errors but
> server
> > is configured to ignore them all" << UNQL::eom;
> >         *m_clogger << UNQL::LOG_WARNING << "There were SSL errors but
> server
> > is configured to ignore them all" << UNQL::eom;
> >         sslsock->ignoreSslErrors();
> >     }
> >     else {
> >         *m_flogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..."
> <<
> > UNQL::eom;
> >         *m_clogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..."
> <<
> > UNQL::eom;
> >         if (errorsToIgnore.count()>0)
> >             sslsock->ignoreSslErrors(errorsToIgnore);
> >     }
> >     qDebug() << "socket is encrypted: " << sslsock->isEncrypted();
> > }
> >
> >
> > On Sat, Feb 23, 2013 at 4:54 PM, Richard Moore <rich at kde.org> wrote:
> >>
> >> On 21 February 2013 18:32, Francesco Lamonica <alienpenguin at gmail.com>
> >> wrote:
> >> > i've implemented a simple SslServer inheriting from QTcpServer and
> >> > overriding the incomingConnection() as suggested from the
> documentation.
> >> > However i am stumbling on a strange problem: QSslSocket fires
> correctly
> >> > the
> >> > sslErrors() signal for a "self-signed certificate" but even though i
> do
> >> > not
> >> > call ignoreSslErrors() at any time the connection is not dropped (as
> it
> >> > said
> >> > it should on the docs)
> >> > Any ideas what i might check?
> >>
> >> You'll need to make your question much clearer. A server socket
> >> doesn't verify it's own certificate, that is something done by the
> >> client. Any certificate verification done by the server is of the
> >> chain provided by the client.
> >>
> >> Cheers
> >>
> >> Rich.
> >> _______________________________________________
> >> Interest mailing list
> >> Interest at qt-project.org
> >> http://lists.qt-project.org/mailman/listinfo/interest
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20130306/fd4c09e3/attachment.html>

More information about the Interest mailing list