[Qt-interest] https with self-signing cert

Bryce Allen qt at bda.ath.cx
Fri Feb 5 21:49:14 CET 2010


> > A self-signed cert triggers several errors. You probably didn't
> > ignore all of them.

> I recommend checking the list of errors that are produced, like Konrad
> says. You're probably getting two more errors (unknown CA and CA not
> trusted for this purpose).

> And note that QSslErrors carry a QSslCertificate as well. You may need
> to construct the error code differently.

Thanks for the advice. I checked and at least on my platform, with a
self-signed server cert (not elsewhere in the trust chain), the only
error triggered is 9/SelfSignedCertificate.

However I did notice that when I tried to ignore SSL error 9 the
response error changed from 6 (SslHandshakeFailedError) to 99
(UnknownNetworkError), I got the ssl error 9 twice instead of once, and
I had some child segfaults in my apache log. I restarted apache and my
code started working without modification. Moral of the story - if you
get error 99, try restarting the server. I also changed my SSL virtual
host error log to a different file than the main server config, not
sure if this had anything to do with it or if it just needed a
restart.

To summarize, all three of these approaches work:

1) Ignore all ssl errors (very bad idea, but useful for testing):

QNetworkReply *reply = manager->get(request);
// No argument: every SSL error on this reply is ignored, so the server is
// not authenticated at all.
reply->ignoreSslErrors();

2) Ignore only ssl error 9 (SelfSignedCertificate) with the
certificate specified, as suggested in the documentation:
http://doc.qt.nokia.com/4.6/qnetworkreply.html#ignoreSslErrors-2

This is really what you should use in most cases when using
self-signing certs. It did not work when I omitted the certificate (i.e.
attempted to ignore all self-signed certificate errors). The next
approach works for that, but is pretty much always a bad idea.

3) Set the PeerVerifyMode of the ssl config on the request to
VerifyNone or QueryPeer. This is dangerous because you lose the server
authentication provided by SSL, but it might be useful for testing.

#include <QNetworkRequest>
#include <QSslConfiguration>
#include <QSslSocket>
#include <QUrl>

QNetworkRequest request;
request.setUrl(QUrl("https://localhost/"));
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
// QueryPeer asks the server for a certificate but does not fail the
// handshake when it cannot be verified; VerifyNone does not even ask.
config.setPeerVerifyMode(QSslSocket::QueryPeer);
request.setSslConfiguration(config);

Hope this is helpful for someone.

-Bryce
