websocket ssl certificate CA root

nameAlreadyInUse · wrote on 23 Jan 2016, 01:05

I'm trying to use the sslechoServer/Client to work in real world.
I try to provide it my key and certificate (on server side)
As i get an error about root CA verification, I also tried to add my positive ssl bundle file to the caCertificate of the QWebsocket's ssl config (on client side, then on both side) without success.
<p>The files I try to use are the ones I provided to my apache server for my website<br />
(the 3 files below from my apache.conf)
SSLCertificateFile /etc/apache2/myDomain_net.crt
SSLCertificateKeyFile /etc/apache2/myDomain.key
SSLCACertificateFile /etc/apache2/PositiveSSL.ca-bundle
(my website is workin without trouble in https mode)

here is the ssl error i get :
The issuer certificate of a locally looked up certificate could not be found

in the original example they just ignore ssl errors and they say in production mode you should not ignore but resolve 'em by adding certif to CA root. Problem is I got no idea how to do that...

If anyone has a clue

PS :
I tried the code below on client side

    QList<QSslCertificate> caCert = sslConfig.caCertificates();
    caCert.append(QSslCertificate(bytes,QSsl::Pem));
    sslConfig.setCaCertificates(caCert);

without success then I tried this (always on client)


sslConfig.setLocalCertificate(QSslCertificate(bytes,QSsl::Pem));

which as expected doesn't work and just makes the m_websocket.open to freeze (doesn't end up as error or close... but doesn't connect either)

SGaist · wrote on 23 Jan 2016, 22:54

Hi,

Who generated your certificate ?

nameAlreadyInUse · wrote on 24 Jan 2016, 06:08

Hi,
Thanks for reply the certif was generated by COMODO and it's positive ssl.

SGaist · wrote on 24 Jan 2016, 21:27

Ok, then can you see if the suggestion here helps ?

nameAlreadyInUse · wrote on 26 Jan 2016, 02:55

I'm not sure I get it correctly (already been throught the linked post btw). One of them is speakin of recompiling Qt with a different ssl version, sounds like killin a mosquito with a canonball (Also it's an old post and maybe I'm wrong but I believe that Qt is ssl independant now because of license issues so we use dll and recompilin Qt shouldn't work). The other one speaks about adding the CA certificate with setCACertif method which I already did without success.

Let's just forget about the certificate of my website :
I just want to initiate a secured connection between my server and my client with wss protocol.
Should not be that complicated. I'm surprised not to find a tutorial with a detailed howto... I mean even with a self-signed certificate.

Maybe you know a link for such a howto ?

Oh and somethin else i found a bug long story short closeCode is ignored (always equal to 1000 (CloseCodeNormal)) in Qt5.3 (I described it here [https://forum.qt.io/topic/63189/qwebsocket-signal-disconnected-and-method-close-unrelated](link url)
and found then it was already reported there : [https://bugreports.qt.io/browse/QTBUG-42982](link url)
The bug is fixed in Qt5.5 but won't they modify Qt5.3 so it works as specified in the doc ? I ask you cause you seem to be very active in the Qt community. Thank you

SGaist · wrote on 26 Jan 2016, 21:56

Self-signed certificate are always the more complicated to manage (i.e. nobody trust them since no valid CA validated them)

Sorry, I'm don't remember of such a howto...

No, there won't be another release of Qt 5.3. The next release is 5.6.0 the first LTS of Qt 5.