[Qt-interest] Problems with CAFile using QSslSocket
Eduardo Robles Elvira
edulix at gmail.com
Sat Jul 24 00:02:40 CEST 2010
Hello everyone!
I'm trying to establish a secure connection between a server and a
client. I'm using QSslSocket, QTcpServer etc. I've created my own
certificate, then my own CA Authority and signed the certificate with
it, following the steps shown in [1] and [2]. I've verified that the
signed PEM certificate is valid with openssl:
edulix at edulix-laptop .../sslsockets_example/certs/server_cert $
openssl verify -CaFile ca-cert.pem localhost.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose
purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
I execute the sslsockets_example_server and sslsockets_example_client
binaries in that directory too (sslsockets_example/certs/server_cert).
This is the output I get:
$ sslsockets_example_server
Listening on port 1025
SslServerConnection::SslServerConnection 8
caCertificates.first().subjectInfo(QSslCertificate::CommonName)
"Baltimore CyberTrust Mobile Root"
privateKey.isNull(): false
certificate.isNull(): false
SslServerConnection::stateChanged()
mode: 0
state: QAbstractSocket::ConnectedState
Calling startServerEncryption()
SslServerConnection::sslModeChanged() 2
SslServerConnection::sslErrors()
error: "The issuer certificate of a locally looked up certificate
could not be found"
error: "No certificates could be verified"
SslServerConnection::encrypted()
SslServerConnection::readyRead()
Read from socket: "hello"
$ sslsockets_example_client
caCertificates.first().subjectInfo(QSslCertificate::LocalityName) ""
SecureClient::start(); called to m_socket->connectToHostEncrypted
SecureClient::hostFound()
SecureClient::connected()
SecureClient::errorOccured()
SecureClient::connectionEstablished()
As you can notice, I'm ignoring SSL errors; otherwise it wouldn't work.
The problem as you can see is that even though the ca-cert.pem file is
being correctly put into a QSslCertificate object, there are problems
when using it in the QSslSocket; see the server complaining: "The
issuer certificate of a locally looked up certificate could not be
found".
I attach the whole code and the very certs I'm using so that you can
test it too.
Thanks in advance,
Eduardo Robles Elvira.
PS: First post in this list, yay!
--
[1] http://sial.org/howto/openssl/ca/
[2] http://sial.org/howto/openssl/csr/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sslsockets_example.tar.bz2
Type: application/x-bzip2
Size: 15486 bytes
Desc: not available
Url : http://lists.qt-project.org/pipermail/qt-interest-old/attachments/20100724/ce8d2b7b/attachment.bz2
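
A reproducible version of the CA-signing check described in the message, added here as an example and not part of the original post or its attachment: it builds a throwaway CA, signs a `localhost` certificate with it and checks the chain with `openssl verify -CAfile` (the option spelling listed in the usage text quoted above). The subject names, key sizes, helper function names and the second, unrelated CA are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed example: a throwaway CA and a localhost certificate signed by it.
# ca-cert.pem and localhost.pem are the file names from the post; the subject
# names, key sizes and the second "other" CA are assumptions for the demo.

make_ca() {  # $1 = directory, $2 = file prefix, $3 = CA common name
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $3
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

make_leaf() {  # $1 = directory; signs localhost.pem with ca-key.pem
    openssl req -new -config "$1/ca.cnf" -subj "/CN=localhost" \
        -newkey rsa:2048 -nodes \
        -keyout "$1/localhost-key.pem" -out "$1/localhost.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/localhost.csr" -days 1 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/localhost.pem" 2>/dev/null
}

# Succeeds only if openssl exits 0 AND reports "<file>: OK".
# A usage dump or an error message therefore counts as "not verified".
chain_ok() {  # $1 = CA file, $2 = certificate
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    [ "$out" = "$2: OK" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" ca "Constructed Test CA" &&
    make_ca "$dir" other "Unrelated Constructed CA" &&
    make_leaf "$dir" || return 1
    chain_ok "$dir/ca-cert.pem" "$dir/localhost.pem" && echo "signed by ca-cert.pem: OK"
    chain_ok "$dir/other-cert.pem" "$dir/localhost.pem" || echo "other CA: rejected"
    rm -rf "$dir"
}
demo
```

The rejected case is OpenSSL's "unable to get local issuer certificate" result, which QSslSocket reports with the "issuer certificate of a locally looked up certificate could not be found" text seen in the server output.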