[Solved] Https page works in Windows but not in Linux
-
On LFS 64-bit it is:
@OpenSSL 1.0.0c 2 Dec 2010@
On Ubuntu 12.04 32-bit:
@OpenSSL 1.0.1c 10 May 2012@
But like I said - I have compiled Qt by myself... That can be the reason too...
-
I've compiled Qt5 myself and it didn't work, so I don't think that is the problem. I'm not (yet) an SSL expert and I hoped I could avoid becoming one ;-) , but my current guess is that it has something to do with the certificates installed on my machine.
The biggest problem is that I'm not getting any error message whatsoever, which would give me a hint to what is wrong.
Regards Peter
-
So, your onSslErrors function didn't even get fired?
Can you try to download the website certificate and test it with "QSslCertificate":http://qt-project.org/doc/qt-4.8/qsslcertificate.html ?
And maybe playing with "QSslConfiguration":http://qt-project.org/doc/qt-4.8/qsslconfiguration.html can help you...
-
[quote]So, your onSslErrors function didn't even get fired?[/quote]
No, not in Linux. But on Windows (as I wrote ;-) ) I did get ‘The certificate has expired’.
[quote]Can you try to download website certificate and test it with "QSslCertificate":http://qt-project.org/doc/qt-4.8/qsslcertificate.html ? [/quote]
Well, that's why I said I'm not an SSL expert ;-) Could you give me some pointers on how to do this and what I have to look for?
Thank you for your help.
Regards Peter
-
Ok, I have started a fresh Ubuntu 12.04 under VirtualBox and can see the same problem.
The problem is in openssl. You can test it yourself (in a console):
@
openssl s_client -showcerts -connect www.vertriebspartner.de.o2.com:443
@
It will get stuck right after the connection is established. The SSL certificate from the website uses TLSv1, no idea why the original openssl from Ubuntu can't just switch right to the TLSv1 protocol....
Using the following option works just fine:
@
openssl s_client -showcerts -tls1 -connect www.vertriebspartner.de.o2.com:443
@
So, try to set the following SSL configuration for the QNetworkAccessManager of your WebPage:
@
QSslConfiguration config = sslSocket.sslConfiguration();
config.setProtocol(QSsl::TlsV1);
// sslConfiguration() returns a copy, so apply the modified copy back
sslSocket.setSslConfiguration(config);
@
-
OK, so I modified main() like this:
@
#include <QApplication>
#include <QSslConfiguration>
#include <QSslSocket>
#include "mainwindow.h"  // the application's own MainWindow (header name assumed)

int main(int argc, char *argv[])
{
    QApplication application(argc, argv);
    Q_ASSERT( QSslSocket::supportsSsl() );

    // Pin the protocol in the process-wide default SSL configuration
    QSslConfiguration sslConfig = QSslConfiguration::defaultConfiguration();
    sslConfig.setProtocol( QSsl::TlsV1 );
    QSslConfiguration::setDefaultConfiguration( sslConfig );
    Q_ASSERT(QSslConfiguration::defaultConfiguration().protocol() == QSsl::TlsV1);

    MainWindow w;
    w.show();
    return application.exec();
}
@
which I hope is correct because I couldn't figure out how I get the 'sslSocket' from the QNetworkAccessManager. But it didn't change anything :-(
One thing I noted though was when I ran one of the openssl commands you gave me, I get:
'Verify return code: 20 (unable to get local issuer certificate)'
and then it just hangs.
-
It is a known bug in Ubuntu; there are a lot of bugs around this problem with openssl. For example: "Bug #965371":https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
I have tested it too with QSslConfiguration::setDefaultConfiguration and with QNetworkAccessManager (subclassing QNAM and overriding the createRequest function), it just doesn't work...
Looks like a Qt bug, because sslConfig.setProtocol( QSsl::TlsV1 ); should work, and it works in the openssl client and in Python using openssl too.
Maybe you can try to rebuild openssl for your Ubuntu...
-
So I built OpenSSL version 1.0.1c and made sure the newly built shared libraries are picked up by my test application:
@
lsof -p 9052 | grep ssl
WebViewBr 9052 peter mem REG 8,1 470813 9569610 /usr/local/ssl/lib/libssl.so.1.0.0
WebViewBr 9052 peter mem REG 8,1 2194319 9569606 /usr/local/ssl/lib/libcrypto.so.1.0.0
@
but nothing changed. To be honest, I didn't think it could be an openssl bug because if it were then the question remains why are Chrome and rekonq working?
So the only option which remains is to wade through the rekonq and KDE Network source and try to find out what it does differently :-(
If anybody has another idea or hint, please let me know.
Regards Peter
-
Finally I got it to work! :-) I don't quite understand it completely yet, but I do understand that openssl on 12.04 seems to be really messy after all the bug reports I've read. But anyway, I simply had to replace:
@
sslConfig.setProtocol( QSsl::TlsV1 );
@
with
@
sslConfig.setProtocol( QSsl::SslV3 );
@
then at least for this specific site it works and for now this is good enough for me.
Thanks again AcerExtensa!
Regards Peter
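-
The s_client comparison from the thread (default negotiation against `-tls1`) as a repeatable probe; this is an added example, not code from any post. It runs each attempt under `timeout` with an empty stdin, so a stalled handshake is reported separately from s_client merely waiting for input after a completed one. `OPENSSL_BIN`, `PROBE_TIMEOUT`, `probe_one` and `diagnose` are names introduced here.

```sh
#!/bin/sh
# Added example. OPENSSL_BIN and PROBE_TIMEOUT are names introduced here.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-10}"   # seconds before a probe counts as a hang

# probe_one HOST PORT [FLAG]  ->  "ok verify=N" | "hang" | "fail rc=N"
probe_one() {
    flag=$3
    rc=0
    # Empty stdin makes s_client exit after a completed handshake instead of
    # waiting for input; timeout(1) returns 124 if it had to kill the probe.
    out=$(timeout "$PROBE_TIMEOUT" "$OPENSSL_BIN" s_client $flag \
            -connect "$1:$2" </dev/null 2>&1) || rc=$?
    case $rc in
        0)   code=$(printf '%s\n' "$out" |
                 sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' |
                 head -n 1)
             echo "ok verify=${code:-unknown}" ;;
        124) echo "hang" ;;
        *)   echo "fail rc=$rc" ;;
    esac
}

# diagnose HOST PORT: compare default negotiation with the thread's -tls1 run.
diagnose() {
    default=$(probe_one "$1" "$2" "")
    tls1=$(probe_one "$1" "$2" -tls1)
    echo "default: $default"
    echo "-tls1:   $tls1"
    case "$default:$tls1" in
        hang:ok*) echo "verdict: handshake stalls unless the protocol is pinned" ;;
        ok*:*)    echo "verdict: default negotiation completes" ;;
        *)        echo "verdict: not explained by protocol choice alone" ;;
    esac
    # A non-zero verify code is a trust-store finding, separate from the stall.
    case $tls1 in
        "ok verify=0"|"ok verify=unknown") ;;
        ok*) echo "note: chain did not verify (code ${tls1#ok verify=})" ;;
    esac
}

# Stand-alone use: sh probe.sh HOST PORT
if [ $# -ge 2 ]; then diagnose "$1" "$2"; fi
```

QSslConfiguration::setDefaultConfiguration, as used in the posts above, changes the protocol for every later connection in the process, and SSLv3 has since been deprecated (RFC 7568), so a pin like this is best kept scoped to the one host that needs it.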