Qt4.6.3 on eLinux and SSL support

ThatDude

Now I see you posted error messages...

I guess your embedded Linux box probably doesn't have general certificate store - If that is the case you'll have to add/import full cert. chain

see the python solution here

http://tiku.io/questions/1782171/qt-ssl-error-on-hotmail-com-the-issuer-certificate-of-a-locally-looked-up-certi

it might help to force using SSLv3 for failing pages too

If you have ROOT CA authority on your embedded system then you can check the answer here
http://stackoverflow.com/questions/3683826/qnetworkrequest-and-default-ssl-configuration
sometimes something as simple as this helps
setSslConfiguration(QSslConfiguration::defaultConfiguration());
or if you don't have root CA well then you have to add certs one by one

McLion

Thanks a lot. I'll read through your suggestions and post back the results.

McLion

You're right. I'm missing certs in my eLinux.

Tried to adding certs and I stumbled over this:
@QSslSocket::addDefaultCaCertificates("/opt/cert/testcert.pem")@
works and the page loads perfectly.

When I try to do soemthing like this to have it load all certs that I place into a folder:
@QSslSocket::addDefaultCaCertificates("/opt/cert/.", QSsl::Pem, QRegExp::Wildcard)@
it does not load any and returns an error.

What is wrong with my command?

SGaist

Hi,

Maybe a silly question but are you sure you only have pem files in that folder ?

McLion

There is currently only the one testcert.pem in this folder and no other files.

McLion

No success, tried any option possible. Though it's documented it seems not to work for multiple files in a folder. I goggled this and could not find anybody that succeeded in trying this. This would be very useful because certs to be used could be changed by a mapped folder without any need for a change of the software.

I found a pem cert-bundle created from the Mozzilla bundle certdata.txt and I think I will use this. If I get that correct this will give me most of the rootCA in one file, which should do it. If I need another cert added I will need to modify the pem bundle, which I have no clue on how to do that as of now.

The other way would have been more straight-forward.
Thanks anyway

McLion

Additional question:
In my SSL error handler I had
reply->ignoreSslErrors();
for debugging purpose.
If I don't want to ignore anymore, do I need to return something else with reply?

McLion

Nobody ever used SSL and did not simply ignore all errors ?!?

SGaist

Which version of OpenSSL are you using ?

As for modifying the bundle, IIRC you can add your information at the bottom of it

McLion

I am currently using openSSL 1.0.1c. I know, thats rather old and I'm thinking of updating it.
The CA-bundle I use is based on Mozilla's certdata.txt from Dec. 2014, converted to PEM format and it has all the root CA certificates I currently need. You're right, new certificates can simply be added or old ones replaced in the CA-bundle in PEM format.
As for the SslErrorHandler in Qt: What do I use to replace reply->ignoreSslErrors() in my handler to satisfy the reply for SSL? I could not find any documentation on that.