Qt5 client certificate authentication

    adontz
    wrote on 25 Jun 2015, 01:25 last edited by
    #1

    I have Qt 5.4.0 on Windows 8.1 and Qt 5.4.2 on ArchLinux latest and get exactly the same result.

    I have a website which requires a client SSL certificate. The server seems to be configured properly, since executing

    openssl s_client -connect myserver:443 -cert client.crt -key client.key
    

    prints

    Verify return code: 0 (ok)
    

    Also,

     curl --cert client.pem https://myserver/
    

    works just fine.

    The server certificate is valid, browsers accept it, etc. The client certificate is self-signed. Just in case, the server is nginx and here is the relevant config fragment

    listen                         *:443 ssl;
    
    server_name                    myserver;
    
    ssl                            on;
    ssl_certificate                /etc/nginx/ssl/myserver.crt;
    ssl_certificate_key            /etc/nginx/ssl/myserver.key;
    ssl_dhparam                    /etc/nginx/ssl/myserver.dh;
    ssl_protocols                  TLSv1.1 TLSv1.2;
    ssl_ciphers                    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers      on;
    ssl_client_certificate         /etc/nginx/ssl/ca.crt;
    ssl_verify_client              on;
    

    But the following simplest Qt5 application

    #include <qcoreapplication.h>
    #include <qfile.h>
    #include <qnetworkaccessmanager.h>
    #include <qnetworkconfiguration.h>
    #include <qnetworkproxy.h>
    #include <qnetworkreply.h>
    #include <qnetworkrequest.h>
    #include <qsslcertificate.h>
    #include <qsslconfiguration.h>
    #include <qsslkey.h>
    
    int main(int argc, char *argv[])
    {
        QCoreApplication a(argc, argv);
    
        QNetworkProxyFactory::setUseSystemConfiguration(true);
    
        QSslConfiguration sslConfiguration;
    
        QFile privateKeyFile("client.key");
        privateKeyFile.open(QIODevice::ReadOnly);
    
        QFile certificateFile("client.crt");
        certificateFile.open(QIODevice::ReadOnly);
    
        QSslKey privateKey(&privateKeyFile, QSsl::Opaque);
        QSslCertificate certificate(&certificateFile);
    
        qWarning() << QSslSocket::supportsSsl();
        qWarning() << certificate.serialNumber();
        qWarning() << certificate.subjectInfo(QSslCertificate::CommonName);
        qWarning() << certificate.expiryDate();
    
        sslConfiguration.setPrivateKey(privateKey);
        sslConfiguration.setLocalCertificate(certificate);
    
        QNetworkRequest networkRequest(QUrl("https://server/"));
    
        networkRequest.setSslConfiguration(sslConfiguration);
    
        QNetworkAccessManager networkAccessManager;
    
        QNetworkReply* networkReply = networkAccessManager.get(networkRequest);
    
        QEventLoop loop;
    
        QObject::connect(&networkAccessManager, &QNetworkAccessManager::finished, &loop, &QEventLoop::quit);
    
        loop.exec();
    
        qWarning() << networkReply->error();
        qWarning() << networkReply->errorString();
    
        delete networkReply;
    
        return a.exec();
    }
    

    fails with the following console output on Windows

    QSslSocket: cannot resolve TLSv1_1_client_method
    QSslSocket: cannot resolve TLSv1_2_client_method
    QSslSocket: cannot resolve TLSv1_1_server_method
    QSslSocket: cannot resolve TLSv1_2_server_method
    QSslSocket: cannot resolve SSL_select_next_proto
    QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
    QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
    true
    "01"
    ("AA-00-00-00")
    QDateTime("2035-06-21 21:41:13.000 UTC Qt::UTC")
    99
    "Unable to init SSL Context: "
    

    and the following console output on Linux

    true
    "01"
    ("AA-00-00-00")
    QDateTime("2035-06-21 21:41:13.000 UTC Qt::UTC")
    99
    "Unable to init SSL Context: "
    

    If I remove "networkRequest.setSslConfiguration(sslConfiguration);" I just get a 400 error from the server stating I need to send a client certificate.

    Adding "sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);" changes nothing.

    I would be happy to get any advice on what can be the cause of the Qt5 code failure.

      SGaist
      Lifetime Qt Champion
      wrote on 25 Jun 2015, 07:14 last edited by
      #2

      Hi and welcome to devnet,

      Just to rule out the obvious: do you have client.key and client.crt in the same folder as your application?

        adontz
        wrote on 25 Jun 2015, 08:28 last edited by
        #3

        Yes,

        I'm printing the subject and serial to the console to make sure a valid and proper certificate was used.

          SGaist
          Lifetime Qt Champion
          wrote on 25 Jun 2015, 22:10 last edited by
          #4

          You should also check the sslErrors signal.

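A pre-flight check for the `client.crt` / `client.key` pair discussed in this thread, as an added example that is not part of the original posts: using the same `openssl` tool as the first post, it confirms that the certificate parses, the key parses without a passphrase, both carry the same public key, and the certificate has not expired. The function names, exit codes and generated sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a client certificate / private key pair.

# Print the SHA-256 of the DER-encoded public key read (as PEM) from stdin.
spki_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY
# Returns 0 if the pair is usable, 1 if the certificate is unreadable,
# 2 if the key is unreadable (or passphrase protected), 3 if the key does
# not belong to the certificate, 4 if the certificate has expired.
check_pair() {
    cert=$1
    key=$2
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    # "-passin pass:" supplies an empty passphrase so an encrypted key fails
    # here instead of prompting on the terminal.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | spki_hash)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | spki_hash)
    [ "$cert_pub" = "$key_pub" ] || return 3
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Constructed sample data: a throwaway self-signed client certificate with its
# key, plus an unrelated key, written into directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh check_pair.sh client.crt client.key
if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
    echo "check_pair exit code: $?"
fi
```

A non-zero exit code points at the files themselves rather than at the Qt code that loads them.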
