QSslSocket handshake fails for TlsV1_2
-
Dear all,
I am trying to send e-mails via SMTP using TLS v1.2 (because the mail server requires that). I stumbled over a nice example and tried to modify it to TLS 1.2:
    ...
    socket = new QSslSocket(this);
    socket->setProtocol(QSsl::TlsV1_2);
    connect(socket, SIGNAL(encrypted()), this, SLOT(socketEncrypted()));
    connect(socket, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(sslErrorsSl(const QList<QSslError> &)));
    connect(socket, SIGNAL(readyRead()), this, SLOT(readyRead()));
    connect(socket, SIGNAL(connected()), this, SLOT(connected()));
    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(errorReceived(QAbstractSocket::SocketError)));
    connect(socket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(stateChanged(QAbstractSocket::SocketState)));
    connect(socket, SIGNAL(disconnected()), this, SLOT(disconnected()));
    ...
The connection itself works, but the handshake fails with
Error during SSL handshake: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
It makes no difference whether I use connectToHostEncrypted or connect unencrypted first and then use startClientEncryption: the handshake fails with the same error.
I guess this error message does not come from Qt code but from some underlying implementation, but I am confused that it complains about SSLv3 although I specified TLSv1.2. Can anyone give me a hint about what's going wrong here?
Edit: I verified with
openssl s_client
that the transaction succeeds in general, so all I want to do is replicate this inside Qt. Here is the openssl log:
Pi_at_home/smtp$ openssl s_client -host smtp.world4you.com -port 587 -no_ssl3 -no_tls1 -no_tls1_1 -starttls smtp -crlf
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.world4you.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.world4you.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHUjCCBjqgAwIBAgIMKUlNZaWQ/0J265CBMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE3MDQxMDA4MzExN1oXDTIwMDQx
MDA4MzExN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRgw
FgYDVQQDDA8qLndvcmxkNHlvdS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDbeR8nSLbJEwO2lDns55LHY6uZ7jJ+3g8l01xQpuHFpLkNyew85ZSN
Ha36EcSTYN86tmqsbWLb07dcsT4jO1T9nJJcsJVY6tj/FjiWDiAmYsJAhDpVJNbG
Rj6143oPtv+7JsPrDt06/4GR/OytcYIAPZeDLL+UOco1yrJVapdLue3eMVtLNyvD
MUll/Py6tY5xD3LX7GYu8QXgwXpIPEoS+nLnrvWGTrrHQxZlgbv0DIV5Px0RBy7Z
GayWky6L3zK4XPUBqEosbvHcCfJJbFMC/hasaxNLc8v5ANYtbCdVo3tlxXYSSTHl
VDuJgTpFCdLMKEPzfWHEGUMK/1xwFgVdAgMBAAGjggRBMIIEPTAOBgNVHQ8BAf8E
BAMCBaAwgYkGCCsGAQUFBwEBBH0wezBCBggrBgEFBQcwAoY2aHR0cDovL3NlY3Vy
ZTIuYWxwaGFzc2wuY29tL2NhY2VydC9nc2FscGhhc2hhMmcycjEuY3J0MDUGCCsG
AQUFBzABhilodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NhbHBoYXNoYTJn
MjBXBgNVHSAEUDBOMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6
Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMAkGA1Ud
EwQCMAAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybDIuYWxwaGFzc2wuY29t
L2dzL2dzYWxwaGFzaGEyZzIuY3JsMCkGA1UdEQQiMCCCDyoud29ybGQ0eW91LmNv
bYINd29ybGQ0eW91LmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
HQYDVR0OBBYEFKIZxH9TsIMa5qQGZAPhKngbApbsMB8GA1UdIwQYMBaAFPXN1TwI
UPlqTzq3l9pWg+Zp0mj3MIICbwYKKwYBBAHWeQIEAgSCAl8EggJbAlkAdwDd6x0r
eg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVtW/RapAAAEAwBIMEYCIQDU
3N3XzYnVREcEvW6lNyK6AlGSbiDCM+zvAKMR17JYfAIhAN9PzYas1XU6oW+slh7t
8PduMqiZjJAD9ENlkasRw0b9AHYAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SY
VdaJ0N0AAAFbVv0W/QAABAMARzBFAiEAgac9ahHXUOYPJCfqPGSRspsHOz8Nh1fg
PILA/TOIWhoCIHS1NZmsg3swvqhq/hewAEZP0xfEOguTS/160d8qhG+rAHUApLkJ
kLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFbVv0ZtwAABAMARjBEAiAx
2bJ48akD9TKDtT1igobkzkyxsFmJT9HDkOciGnVx8AIgNsCADYnu/q8E2FFrcNIF
37KuYFXuv72bd864c9vVJjsAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2
jh7RhQAAAVtW/RpJAAAEAwBHMEUCIBP3/9GvXudvbzupkv0QB8jksf8s1RAnzBPs
zcjcWI80AiEAnZ4PSMG7ElD7ZWW+G/SwQLky0naFIHm1gEQ4xzLkkhUAdwDuS723
dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVtW/RyDAAAEAwBIMEYCIQCW
N35yevfZeW3HmWo9AJqqY9ctNU4M1LeXDuTNHgdUhgIhAPnPugotcvA6af8DU5be
sduG9XUuMXQorvz5FRE2iJ9tMA0GCSqGSIb3DQEBCwUAA4IBAQAzo+bJIPt7p3oO
YmSJ+3sPlwyftJ5U2F3tKPSOsnO99s5uj6XH19wKWCLsVHLm8LeCw272l185rQge
HWn9SY1oasDaiUIpKDQnw/Nm7i9KiRCKKYUGPcQisClwgycYq12b7robuUl67JtC
h/ArUdtkhUkapoXtwDmoAcFWlVJiauBSSfpR+C6B3YaBASMoKd0T1Y81GEgmq5lc
F7gyeDAprTO2Ob3X9jzU40ap+95SHhlP4/V1EEDMnWycEp064Sv0U2ojzPgFsl3I
QbyTssP22CYiSoImsQJ8/Z7MN3YaSt8w88D4ODogLDyXRHua73JYMRw+DuN4yzhH
QVhF83oJ
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.world4you.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4600 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 8E6BC6DA7E940F4C12B688289D7E349986DA91DB964517F2C86D63100E5D224A
    Session-ID-ctx:
    Master-Key: A22734F78D24F8F49BC3CB8702A9CA3C3CE3D5D6A0BB91A6D5FA65FBD25B96B29B396FDF32B1E6D0492B589949524298
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - 49 38 59 8e 2f fe 97 e8-d7 1b 5f 23 a4 41 1c 2e   I8Y./....._#.A..
    0010 - 28 91 69 0b 9b d4 ba 08-75 33 9b b9 5b 07 61 a6   (.i.....u3..[.a.
    0020 - 22 d0 f1 f9 d6 ea d4 d2-ca 68 33 e2 b5 78 09 1a   "........h3..x..
    0030 - 95 8a 0d 65 6e 58 2f 16-8c 18 4b 95 fc 97 08 e2   ...enX/...K.....
    0040 - 73 21 f2 38 d7 a3 fe 31-ec f3 af 60 8a c5 fc ee   s!.8...1...`....
    0050 - 79 0c 45 1f ce fd 04 d7-13 86 d3 66 db b7 64 16   y.E........f..d.
    0060 - f9 d9 cf 81 9f 96 a1 e3-24 e0 be 7b 23 33 22 01   ........$..{#3".
    0070 - f4 64 0f b4 67 8d 6b 0a-c7 65 26 27 ca 8f 03 a9   .d..g.k..e&'....
    0080 - 0a 93 fb 1d 09 30 e6 d9-f1 5a 33 58 e5 be 0b 8a   .....0...Z3X....
    0090 - ad 79 d6 46 36 ee b2 cd-65 8a 51 f2 7b da 21 58   .y.F6...e.Q.{.!X

    Start Time: 1499604732
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
EHLO mydomain.at
250-mx11lb.world4you.com Hello mydomain.at [91.114.187.196]
250-SIZE 157286400
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
auth plain <base64 encoded credentials were here>
235 Authentication succeeded
mail from: user@mydomain.at
250 OK
rcpt to: someoneelse@gmx.at
250 Accepted
data
354 Enter message, ending with "." on a line by itself
the lazy fox jumps over the dog
.
250 OK id=1dUBjP-0004tI-Rj
quit
221 mx11lb.world4you.com closing connection
closed
How should I set up QSslSocket to do exactly the same thing as s_client?
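An added example for the question above (not code from the thread, from Qt or from OpenSSL). The s_client command in the log was run with -starttls smtp, so it first spoke plaintext SMTP with the server (banner, EHLO, STARTTLS, the server's "220" go-ahead) and only then began the TLS handshake. A QSslSocket has to follow the same sequence before startClientEncryption(); if the handshake starts while the server is still speaking plaintext, OpenSSL's record layer reads the ASCII greeting as a TLS record header and reports SSL3_GET_RECORD:wrong version number (SSL3_GET_RECORD is simply the name of the record-layer routine shared by all TLS versions, not a sign that SSLv3 was negotiated). The code is Qt-free so that it compiles on its own: a state machine that walks the plaintext phase, reports when it is safe to start TLS, and fails closed if STARTTLS is not offered or if unsolicited bytes follow the "220" reply, plus a helper showing what the first bytes of an SMTP greeting look like to a TLS record parser. The server replies it is fed are constructed, shaped like the log above.

```cpp
// Added example, not code from the thread or from Qt: the plaintext SMTP phase
// that `openssl s_client -starttls smtp` completes before its TLS handshake.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>

// One SMTP reply line: "250-text" continues a multi-line reply, "250 text" ends it.
struct SmtpReplyLine {
    int code = 0;
    bool last = true;
    std::string text;
};

// Parse one reply line with its CRLF already removed; false on malformed input.
bool parseReplyLine(const std::string &line, SmtpReplyLine &out) {
    if (line.size() < 3) return false;
    for (int i = 0; i < 3; ++i)
        if (!std::isdigit(static_cast<unsigned char>(line[i]))) return false;
    out.code = std::stoi(line.substr(0, 3));
    if (line.size() == 3) { out.last = true; out.text.clear(); return true; }
    if (line[3] != ' ' && line[3] != '-') return false;
    out.last = (line[3] == ' ');
    out.text = line.substr(4);
    return true;
}

class StartTlsClient {
public:
    enum State { WaitBanner, WaitEhlo, WaitStartTls, ReadyForTls, Failed };
    explicit StartTlsClient(std::string ehloName) : ehlo_(std::move(ehloName)) {}
    State state() const { return state_; }

    // Feed bytes read from the cleartext socket. Returns the command to send
    // next, or "" when nothing is due (reply incomplete, ready for TLS, failed).
    std::string feed(const std::string &bytes) {
        buf_ += bytes;
        std::string cmd;
        std::string::size_type pos;
        while ((pos = buf_.find("\r\n")) != std::string::npos) {
            std::string line = buf_.substr(0, pos);
            buf_.erase(0, pos + 2);
            SmtpReplyLine r;
            if (!parseReplyLine(line, r)) { state_ = Failed; return ""; }
            if (state_ == WaitEhlo && r.code == 250 && r.text == "STARTTLS")
                starttlsOffered_ = true;           // capability may be on any line
            if (!r.last) continue;                 // wait for the final "250 " line
            cmd = onFinalReply(r);
            break;                                 // one reply per command sent
        }
        // Bytes left after a complete reply are unsolicited (RFC 3207 forbids server
        // data between "220" and the handshake); passed to TLS they would fail as above.
        bool replyDone = (state_ == ReadyForTls) || !cmd.empty();
        if (replyDone && !buf_.empty()) state_ = Failed;
        return state_ == Failed ? std::string() : cmd;
    }

private:
    std::string onFinalReply(const SmtpReplyLine &r) {
        if (state_ == WaitBanner && r.code == 220) {
            state_ = WaitEhlo;
            return "EHLO " + ehlo_ + "\r\n";
        }
        // Fail closed: never continue in cleartext if STARTTLS was not offered.
        if (state_ == WaitEhlo && r.code == 250 && starttlsOffered_) {
            state_ = WaitStartTls;
            return "STARTTLS\r\n";
        }
        if (state_ == WaitStartTls && r.code == 220) {
            state_ = ReadyForTls;                  // call startClientEncryption() now
            return "";
        }
        state_ = Failed;
        return "";
    }

    std::string ehlo_, buf_;
    bool starttlsOffered_ = false;
    State state_ = WaitBanner;
};

// The first bytes of a connection as the TLS record layer reads them: a content
// type (0x14..0x17 for real records) followed by a two-byte 0x03xx version.
struct RecordHeaderView { uint8_t contentType = 0; uint16_t version = 0; bool plausibleTls = false; };

RecordHeaderView viewAsTlsRecordHeader(const std::string &bytes) {
    RecordHeaderView v;
    if (bytes.size() < 5) return v;
    v.contentType = static_cast<uint8_t>(bytes[0]);
    v.version = static_cast<uint16_t>((static_cast<uint8_t>(bytes[1]) << 8) | static_cast<uint8_t>(bytes[2]));
    v.plausibleTls = v.contentType >= 0x14 && v.contentType <= 0x17 && (v.version & 0xff00) == 0x0300;
    return v;
}

int main() {
    StartTlsClient c("mydomain.at");   // constructed replies shaped like the log above
    std::printf("%s", c.feed("220 mx11lb.world4you.com ESMTP\r\n").c_str());
    std::printf("%s", c.feed("250-mx11lb.world4you.com Hello\r\n250-STARTTLS\r\n250 HELP\r\n").c_str());
    c.feed("220 TLS go ahead\r\n");
    std::printf("ready for TLS: %d\n", c.state() == StartTlsClient::ReadyForTls);
    RecordHeaderView v = viewAsTlsRecordHeader("220 mx11lb.world4you.com ESMTP\r\n");
    std::printf("greeting as TLS record: type 0x%02x version 0x%04x\n", (unsigned)v.contentType, (unsigned)v.version);
    return 0;
}
```

To wire this into the socket from the question (assumed glue, not compiled here): connect to port 587 with plain connectToHost(), and in the readyRead() slot pass socket->readAll() to feed(), write any returned command back with socket->write(), and call socket->startClientEncryption() once state() is ReadyForTls; send EHLO again and the AUTH command only after the encrypted() signal fires. The greeting "220 ..." viewed as a record header gives content type 0x32 and version 0x3230, which is no TLS version, so the record layer rejects it with "wrong version number" rather than with a handshake-level alert.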
-
Hi,
Which version of OpenSSL are you using ?
-
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
This seems to be the latest version released with Ubuntu 16.04 since an
apt-get install openssl
didn't change anything. Do you know if parts of SSL are statically linked into the Qt libraries (and may thus have an older version)?
-
No nothing like that. By default, Qt provides a build that dlopens OpenSSL because of international restrictions regarding cryptographic modules.
@SGaist Thanks for your efforts. My wild guess is that client and server fail to agree on a cipher which is fine for both. I'll try to clarify without Qt first. Maybe openssl s_client can help.
Just out of curiosity: why does enum QSsl::SslProtocol
not list numeric values for all of its members? Most members have a question mark in the value column. Never saw this before in Qt.
-
After a quick look at Qt's sources, the numbering after QSsl::TlsV1_0 depends on a define so it might be related.