[Qt-interest] QT and SSL certificates

Andreas Roth aroth at arsoft-online.com
Thu Feb 19 06:48:13 CET 2009


On Wednesday 18 February 2009 19:11:08 Scott Aron Bloom wrote:
> > -----Original Message-----
> > From: qt-interest-bounces at trolltech.com [mailto:qt-interest-bounces at trolltech.com] On Behalf Of Andreas Roth
> > Sent: Wednesday, February 18, 2009 7:48 AM
> > To: Thiago Macieira; qt-interest at trolltech.com
> > Subject: Re: [Qt-interest] QT and SSL certificates
> >
> > On Wednesday 18 February 2009 15:13:25 you wrote:
> > > Andreas Roth wrote:
> > > >> Andreas Roth wrote:
> > > >>>Good morning,
> > > >>>
> > > >>>I'm using QT version 4.4.3 and I have a problem concerning
> > > >>> certificates. My apache2 webserver is set up with a SSL site and it
> > > >>> works fine with firefox and the openssl command line. E.g.
> > > >>>openssl s_client -connect myhostname:443 -CAfile cacert.pem
> > > >>>But when I use the securesocketclient example from QT, I get the
> > > >>> message 'the signature of the certificate is invalid'. I don't know
> > > >>> why and maybe somebody out here could tell me. Are there any special
> > > >>> checks for the certificate in QT?
> > > >>
> > > >> Can you post your modifications to the securesocketclient example? You
> > > >> mentioned your s_client command-line used the -CAfile switch, so you
> > > >> have to set the CA certificate list in the QSslSocket too.
> > > >
> > > >I haven't changed the securesocketclient example. I just installed the
> > > > CA certificate in /etc/ssl/certs.
> > > >If the CA certificate is not recognized I get the appropriate error
> > > >message and I know why. But the 'the signature of the certificate is
> > > >invalid' error is strange, since I do not know the reason for it.
> > >
> > > Qt doesn't read the certificates in there.
> > >
> > > If you don't enable the certificate explicitly with setCaCertificates, you
> > > don't get it.
> >
> > Thanks Thiago for the advice to add the certificate to the socket.
> > In sslclient.cpp I modified the SslClient::secureConnect() method as follows:
> >
> > void SslClient::secureConnect()
> > {
> >     if (!socket) {
> >         socket = new QSslSocket(this);
> >         connect(socket, SIGNAL(stateChanged(QAbstractSocket::SocketState)),
> >                 this, SLOT(socketStateChanged(QAbstractSocket::SocketState)));
> >         connect(socket, SIGNAL(encrypted()),
> >                 this, SLOT(socketEncrypted()));
> >         connect(socket, SIGNAL(sslErrors(QList<QSslError>)),
> >                 this, SLOT(sslErrors(QList<QSslError>)));
> >         connect(socket, SIGNAL(readyRead()),
> >                 this, SLOT(socketReadyRead()));
> >         socket->setCaCertificates(QSslSocket::systemCaCertificates());
> >         socket->addCaCertificates("/etc/ssl/certs/arsoft_ca_root.pem");
> >     }
> >
> >     socket->connectToHostEncrypted(form->hostNameEdit->text(),
> >                                    form->portBox->value());
> >
> >     updateEnabledState();
> > }
> >
> > But still I get 'the signature of the certificate is invalid' errors. Any
> > further changes I need to do?
> >
> > Thanks,
> > Andreas
>
> Which error is it SSLSocket returning (specifically)
OpenSSL returned X509_V_ERR_CERT_SIGNATURE_FAILURE, which is translated into
QSslError::CertificateSignatureFailed.
I tried to google the OpenSSL error code, but the only explanation I came up
with was 'error during the verification of the certificate'. I want to know
which field within the certificate is responsible for this issue.

> Is it possibly a self signed certificate?
The CA certificate is self-signed, but the server certificate is signed by the
CA.

Thanks,
Andreas
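
Added example, not part of the original message and not Qt or OpenSSL project code: a shell script that uses `openssl verify` to show when OpenSSL reports "certificate signature failure" (the text for X509_V_ERR_CERT_SIGNATURE_FAILURE) as opposed to a missing-issuer error. The CA names, file names and helper functions are constructed for the demo; only `myhostname` is taken from the thread.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway made in a temp dir.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

new_ca() {      # new_ca NAME CN -> self-signed CA in $work/NAME.pem (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

new_server_cert() {   # server certificate for "myhostname", signed by $work/ca.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=myhostname" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
    openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -out "$work/srv.pem" 2>/dev/null
}

corrupt_signature() {   # corrupt_signature IN.pem OUT.pem
    # The last byte of the DER encoding belongs to the signatureValue field;
    # flipping one bit there leaves subject, issuer and public key untouched.
    openssl x509 -in "$1" -outform DER -out "$work/tmp.der"
    size=$(wc -c < "$work/tmp.der")
    last=$(tail -c 1 "$work/tmp.der" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$work/tmp.der" > "$work/bad.der"
    printf "\\$(printf '%03o' $((last ^ 1)))" >> "$work/bad.der"
    openssl x509 -inform DER -in "$work/bad.der" -out "$2"
}

verify_reason() {   # verify_reason CAFILE CERT -> "OK" or OpenSSL's reason text
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
    esac
}

new_ca ca "Demo Root CA"
new_ca other "Unrelated Root CA"
new_server_cert
corrupt_signature "$work/srv.pem" "$work/bad.pem"

echo "right CA, intact cert:  $(verify_reason "$work/ca.pem" "$work/srv.pem")"
echo "right CA, damaged cert: $(verify_reason "$work/ca.pem" "$work/bad.pem")"
echo "wrong CA, intact cert:  $(verify_reason "$work/other.pem" "$work/srv.pem")"
# Subject and issuer are identical in srv.pem and bad.pem; only the signature differs.
openssl x509 -in "$work/bad.pem" -noout -subject -issuer
```

The signature failure appears only when the issuer certificate was located and its public key did not validate the signature bytes; an absent CA produces the separate "unable to get local issuer certificate" result.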
