AC certificate not trusted during handshake

    hbob
    wrote on 7 Apr 2022, 12:12 last edited by
    #1

    I have two applications (a client and a server) which communicate with QSslSocket (TLS protocol). I create a key and a certificate for my server. I sign the certificate with a CA (I have also created the CA).

    #create CA
    $ openssl genrsa -des3 -out ca.key
    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    #create server key
    $ openssl genrsa -des3 -out server.key

    #create server certificate (signed by the CA)
    $ openssl req -key server.key -new -out server.csr
    $ openssl x509 -days 365 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial

    I want my client to verify the certificate of the server. My client:

    bool MyClient::Connect()
    {
        if(MySocket == nullptr)
        {
            MySocket = new QSslSocket();
        }
    
        //connect signal
        connect(MySocket, SIGNAL (sslErrors (QList<QSslError>)), this, SLOT (GererErreurs (QList<QSslError>)));
        ...
    
        MySocket->setProtocol(QSsl::TlsV1_2);
    
        QString path = "path/to/certificateSSL/";
        QSslConfiguration configuration = MySocket->sslConfiguration();
    
        QString ca = "ca.cert";
        if(configuration.addCaCertificates(path + ca))
        {
            qDebug()<<"> CA OK";
        }
    
        MySocket->setSslConfiguration(configuration);
    
        MySocket->setPeerVerifyMode(QSslSocket::VerifyPeer);
        MySocket->setPeerVerifyName("myHostname");
        
        MySocket->abort();
    
        MySocket->connectToHostEncrypted(ServerAdress, static_cast<quint16> (PortServeur));
    
        if (!MySocket->waitForEncrypted(Timeout * 1000))
        {
            qDebug()<<("Error");
            return false;
        }
    
        qDebug()<<("Connexion client/serveur encrypted");
    
        ...
    }
    

    My server:

    void MyServer::incomingConnection(qintptr descriptionSocket)
    {
        MySocket = new QSslSocket(this);
        MySocket->setSocketOption(QAbstractSocket::KeepAliveOption, 1);
    
        // signal connection
        ...
        
    
        QString path = "path/to/certificatsSSL/";
        QSslConfiguration configuration = MySocket->sslConfiguration();
    
        chargePrivateKey(path, configuration);
        if (!configuration.privateKey().isNull())
        {
            qDebug()<<"> Private key OK";
        }
    
        QString ca = "ca.cert";
        if(configuration.addCaCertificates(path + ca))
        {
            qDebug() << "> CA OK";
        }
        
        chargeCertificate(path, configuration);
        if (!configuration.localCertificate().isNull())
        {
            qDebug() << "> server certificate OK";
        }
    
        MySocket->setSslConfiguration(configuration);
    
        MySocket->setPeerVerifyMode(QSslSocket::VerifyNone);
    
        MySocket->startServerEncryption();
    
        if (MySocket->waitForReadyRead (TIMEOUT_SOCKET * 1000) == false)
        {
            qDebug()<<"Notification de connexion cryptée du logiciel non-reçue";
            return;
        }
    
        qDebug()<<"Connection encrypted";
    }
    
    void MyServer::chargePrivateKey(const QString &chemin, QSslConfiguration &conf)
    {
        QString serverKey = "server.key";
        QFile   fileKey(chemin + serverKey);
        if (!fileKey.open(QIODevice::ReadOnly))
        {
            qDebug() << "error" << chemin + serverKey;
            return;
        }
        QSslKey key(&fileKey, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, "password");
        fileKey.close();
        conf.setPrivateKey(key);
    }
    
    void MyServer::chargeCertificate(const QString &chemin, QSslConfiguration &conf)
    {
        QString serverCRT =  "server-signe.cert";
        QFile fileCertificat( chemin+serverCRT);
        if( ! fileCertificat.open( QIODevice::ReadOnly ) )
        {
            qDebug() << "Error"<<chemin+serverCRT ;
            return;
        }
        QSslCertificate certificate(&fileCertificat, QSsl::Pem);
        fileCertificat.close();
        conf.setLocalCertificate( certificate );
    }
    

    During the handshake, I get the error:

    QSslError::CertificateUntrusted : The root CA certificate is not trusted for this purpose
    

    I'm on macOS. I have added my CA to the keystore and the CA certificate is "reliable" (screenshot: https://i.stack.imgur.com/YeCix.png).

    I have no problem on Windows or Linux.

    Moreover, if I try to ignore this error:

    QSslError error(QSslError::SelfSignedCertificate, certificate);
    QList<QSslError> expectedSslErrors;
    expectedSslErrors.append(error);
    MySocket->ignoreSslErrors(expectedSslErrors);
    

    it doesn't change anything.
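    The openssl commands in the post build the CA without stating which X.509 extensions it ends up with, and the Qt client only reports the outcome as a QSslError. Before touching socket configuration, a practitioner would check the certificate material itself outside Qt. The POSIX shell script below is an added example, not code from the post: it rebuilds a test CA and a server certificate with explicit CA:TRUE and subjectAltName extensions, then verifies with openssl that the server certificate chains to the CA and is valid for the hostname the client checks. Assumed from the post: the peer-verify name "myHostname" and the ca/server file names; keys are generated without the post's -des3 passphrase so the script runs non-interactively. If this check fails, the Qt handshake cannot succeed whatever the socket does; if it passes, the chain is sound and attention moves to how the client is told to trust the CA. Separately, QSslSocket::ignoreSslErrors(const QList<QSslError> &) only suppresses errors equal to the ones listed, so a listed SelfSignedCertificate entry does not cover a reported CertificateUntrusted.

```shell
#!/bin/sh
# Added example (not from the forum post): build a private CA and a server
# certificate with explicit extensions, then verify chain and hostname with
# openssl before involving QSslSocket. Assumed names: "myHostname" (the
# peer-verify name used in the post) and the ca/server file names. Keys are
# generated without the post's -des3 passphrase so the script runs
# non-interactively.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPECTED_HOST="myHostname"

# Minimal OpenSSL config: the CA certificate must say CA:TRUE and the server
# certificate must carry a subjectAltName for the name the client verifies.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$EXPECTED_HOST
EOF

# Self-signed CA: CSR first, then sign with its own key and the v3_ca extensions.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -out "$WORK/ca.csr" \
        -subj "/CN=Example Test CA" -config "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -out "$WORK/ca.crt" -extfile "$WORK/ext.cnf" -extensions v3_ca 2>/dev/null
}

# Server certificate signed by the CA with the v3_server extensions.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$EXPECTED_HOST" -config "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/server.csr" -out "$WORK/server.crt" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions v3_server 2>/dev/null
}

# Returns 0 if ca.crt is actually marked as a CA; a "CA" without CA:TRUE is
# rejected by modern verifiers even when it sits in a trust store.
ca_is_ca() {
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 if server.crt chains to ca.crt and is valid for the given hostname.
chain_verifies_for() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

make_ca
make_server_cert

if ca_is_ca; then echo "CA certificate: CA:TRUE present"; else echo "CA certificate lacks CA:TRUE"; fi
if chain_verifies_for "$EXPECTED_HOST"; then
    echo "chain and hostname OK for $EXPECTED_HOST"
else
    echo "chain or hostname check FAILED for $EXPECTED_HOST"
fi
# A name not in the SAN must be rejected, otherwise hostname checking is off.
if chain_verifies_for "other.example"; then
    echo "unexpected: wrong hostname accepted"
else
    echo "wrong hostname correctly rejected"
fi
echo "artifacts left in $WORK"
```

    Run it as-is to produce a known-good CA and server certificate in a scratch directory, or point WORK at a directory holding an existing ca.crt and server.crt and call only the two check functions to see whether the material the Qt client is given would pass an independent verifier.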
