QSslSocket: TLS initialization Failed
-
Hello all, I have written an application that serves a single webpage using QTcpServer. It establishes a secure websocket first via QSslSocket using TLSV1.2. This works perfectly on my computer running Windows 7 and another computer I have tested running Windows 10. Note I am utilizing a self-signed certificate that I made using OpenSSL on Windows. However I have installed the same application on a couple other machines that are running Windows 10 (not sure if OS is totally relevant) and I receive this warning when running the app:
qt.network.ssl: QSslSocket::startServerEncryption: TLS initialization failed
So when I run on the working machines this warning isn't present. Here's the code:
... void HttpServer::incomingConnection(qintptr socketDescriptor) { socket = new QSslSocket(this); // Read RSA Key from file for SSL socket->setProtocol(QSsl::TlsV1_2); QByteArray key; QFile KeyFile("server.key"); if(KeyFile.open(QIODevice::ReadOnly)) { key = KeyFile.readAll(); KeyFile.close(); } else { qDebug() << KeyFile.errorString(); } //set SSL Key QSslKey sslKey(key, QSsl::Rsa); socket->setPrivateKey(sslKey); // Load SSL certificate from file QByteArray cert; QFile CertFile("server.crt"); if(CertFile.open(QIODevice::ReadOnly)) { cert = CertFile.readAll(); CertFile.close(); } else { qDebug() << CertFile.errorString(); } //set SSL Certificate QSslCertificate sslCert(cert); socket->setLocalCertificate(sslCert); QSslConfiguration cfg = socket->sslConfiguration(); cfg.caCertificates(); if (!socket->setSocketDescriptor(socketDescriptor)) { qDebug() << ("! Couldn't set socket descriptor"); delete socket; return; } if (isBusy) socket->waitForReadyRead(); isBusy = true; socket->startServerEncryption(); //PRODUCES TLS INITIALIZATION ERROR ON SOME MACHINES if (socket->isEncrypted()){ emit socket->encrypted(); } if(!socket->waitForEncrypted(3000)) { qDebug("Wait for encrypted!!!!"); return; } if (socket) { connect(socket, SIGNAL(readyRead()), this, SLOT(doTxRx())); connect(socket, SIGNAL(disconnected()), socket, SLOT(deleteLater())); socket->waitForReadyRead(); } } ...
Anyone else have this error or know what I can do to troubleshoot? I've tried different browser's and I just get a timeout error after the handshake never completes. I have the code setup to open a port on localhost:8090. My self-signed cert is for localhost and I browse to the page by going to https://localhost:8090 The setup code is here:
#include <QDesktopServices> #include <QUrl> #include <QStandardPaths> #include <QCoreApplication> #include <QHostAddress> #include <QSslSocket> #include <QThread> //#include "SslServer.h" #define MAX_RECORDS 1000 const QChar degreeChar(0260); const QString htmlGreen("#80F936"); const QString htmlAmber("#F9C436"); const QString htmlRed("#FF3535"); const QString styleBlue("#2859B6"); HttpServer::HttpServer(QObject *parent) : QTcpServer(parent) { tcpServer = new QTcpServer(this); weather = new Weather(); checkFolders(); if (!tcpServer->listen(QHostAddress::Any, this->port)) { qDebug() << "Warning: Web server could not start on port " << this->port; } else { qDebug() << "Success: Web server is waiting for a connection on port " << this->port; } connect(tcpServer, SIGNAL(newConnection()), this, SLOT(newConnectionRecognized())); int theIndex = 0; foreach (const QNetworkInterface &netInterface, QNetworkInterface::allInterfaces()) { QNetworkInterface::InterfaceFlags flags = netInterface.flags(); if( (flags & QNetworkInterface::IsRunning) && !(flags & QNetworkInterface::IsLoopBack)){ foreach (const QNetworkAddressEntry &address, netInterface.addressEntries()) { if(address.ip().protocol() == QAbstractSocket::IPv4Protocol) { if (theIndex == 0 || theIndex > netInterface.index()) { myIp = address.ip().toString(); myIp.append(QString(":%1").arg(port)); theIndex = netInterface.index(); } } } } } setLogStr("Server IP address: " + myIp); qDebug() << "Server IP address: " << myIp; }
-
@SGaist Not silly at all, I didn't deploy OpenSSL at all with my application. The attached pic shows the output after I run windeployqt.exe. On the vanilla Windows 10 machine all I have to do is double-click on WebServer.exe and it runs with no issue. I did the same on a different Windows 10 machine and it doesn't work and has the aforementioned TLS Initialization error.
I will look into implementing the sslErrors signal to get some additional feedback from my application and report back.
-
Then you should deploy OpenSSL along with your application.
If it's working on some Windows machine without them, it means that somewhere in one of the folder listed in the
PATH
environment variable, you can find them. Some might even have them installed in Windows system folders which is a bad thing to do. -
I was trying to avoid that if possible but that might be something I have to do. I'm checked the path variable on the working vanilla machine and there is no mention of OpenSSL or any sort of installation on it. What .dll or other file should I look for in the Windows System folder?
-
Windows doesn't provide OpenSSL. It's your job to provide it with your application.
I guess you didn't build Qt yourself, so you should look for OpenSSL 1.0 .dlls. So it should be:
ssleay32
andlibeay32
. -
@SGaist said in QSslSocket: TLS initialization Failed:
That's what I'm trying to figure out. There is no install of OpenSSL (or either .dll you mentioned) on the machine and yet my application is establishing a secure, encrypted connection utilizing my localhost certificate. Seems like it isn't referencing OpenSSL-related files at all. Is the Qt5Network.dll handling the TLS-related tasks in my code?
I installed Qt 5.8 on my machine and use Qt Creator but did not build it from source or anything like that.
-
@SGaist I implemented the error reporting below :
void HttpServer::incomingConnection(qintptr socketDescriptor) { socket = new QSslSocket(this); connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), SLOT(error(QAbstractSocket::SocketError))); // Read RSA Key from file for SSL socket->setProtocol(QSsl::TlsV1_2); QByteArray key; QFile KeyFile("server.key"); if(KeyFile.open(QIODevice::ReadOnly)) { key = KeyFile.readAll(); KeyFile.close(); } else { qDebug() << KeyFile.errorString(); } //set SSL Key QSslKey sslKey(key, QSsl::Rsa); socket->setPrivateKey(sslKey); // Load SSL certificate from file QByteArray cert; QFile CertFile("server.crt"); if(CertFile.open(QIODevice::ReadOnly)) { cert = CertFile.readAll(); CertFile.close(); } else { qDebug() << CertFile.errorString(); } //set SSL Certificate QSslCertificate sslCert(cert); socket->setLocalCertificate(sslCert); QSslConfiguration cfg = socket->sslConfiguration(); cfg.caCertificates(); if (!socket->setSocketDescriptor(socketDescriptor)) { qDebug() << ("! Couldn't set socket descriptor"); delete socket; return; } if (isBusy) socket->waitForReadyRead(); isBusy = true; socket->startServerEncryption(); if (socket->isEncrypted()){ emit socket->encrypted(); } if(!socket->waitForEncrypted(3000)) { qDebug("Wait for encrypted!!!!"); return; } if (socket) { connect(socket, SIGNAL(readyRead()), this, SLOT(doTxRx())); connect(socket, SIGNAL(disconnected()), socket, SLOT(deleteLater())); socket->waitForReadyRead(); } }
unfortunately I get no additional info. What I get is :
Error: TLS Initialization failed
-
QSslSocket
has the sslErrors signal that might give you more clues. -
@SGaist That definitely clued me in to what was going on. Additionally, these two functions helped out quite a bit.
sslSocket->sslLibraryBuildVersionString() sslSocket->sslLibraryVersionString()
The build library was reporting using OpenSSL version 1.0.2h, and the runtime(non-build Version) was non-existent on the machines where the SSL wasn't working. Only after I installed Git for Windows did my the runtime version show up and my program started working, this was because it installed the 1.0.2p .dll version in the PATH variable of my machine. The sslLibraryVersionString reported version 1.0.2p after that. After I got a hold of the ssleay32.dll and the libeay32.dll for version 1.0.2p and placed it alongside the .exe everything started working.
So I guess that means that whatever version of OpenSSL I have installed on my machine is what QT Creator calls when building my program? Is there a way to specify what version to build against?
-
Qt Creator is innocent. And Qt as well. There's no linking against the SSL libraries by default. They are loaded dynamically.
-
That's the version of OpenSSL that was used when building Qt.
-
@SGaist I seem to have the same problem. I'm currently linking against openssl 1.0.2q. Is that a problem? Also I added a library path in Qt main where it can find the ssl dlls: QCoreApplication::addLibraryPath("c:/OpenSSL-Win64/bin");
Still it reports the initialization problems with SSL:
qDebug() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();
gives me:
false "OpenSSL 1.0.2p 14 Aug 2018" ""
and then:
QSslSocket::connectToHostEncrypted: TLS initialization failed ssl\qsslsocket.cpp: 457
What to do?
-
You should rather modify the PATH environnement variable in the Run part of the Project panel so it can be found at run time.
-
I have the exact same situation as Hans. Same output from the program. I did a search and looky what I found... looks like M$ put libcrypto.dll in the system32 folder and that overrides getting dlls from the program path. Could it be somebody other than MS? I have .NET Framework 1.1, Win10 Dev Kit, Visual Studio 2017 Community, Strawberry Perl, Python, OpenSSL 1.1.1.a, some MS Visual C++ Redistributables, and MS System CLR Types for SQL Server. Nobody else should have done something like that. Also there is no libssl.dll in system32. I'm using OpenSSL 1.1.1a so libcrypto.dll and libssl.dll replace libeay32.dll and ssleay32.dll.
This is a fresh install of Win10 I did about a week ago or so. I added this to the beginning of the qDebug() with dbReply being a QNetworkReply:
qDebug() << dbReply->errorString() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();
The total output is:
"Unknown error" false "OpenSSL 1.0.2p 14 Aug 2018" ""
How do I remedy the situation if system32 takes priority over the program path?
-
First: use the same series of OpenSSL as was used to build Qt. OpenSSL 1.1 broke API and ABI compatibility with regards to the 1.0 series.
As for the rogue OpenSSL version in system32, it might very well be an application you installed or an application provided by the manufacturer of your machine. Neither are supposed to do that.
-
I am running the program straight from Qt Creator when all this happens. Even without the dll's present in the application build directory the program still gives the same output from the qDebug() line. I'm thinking the dll is loaded elsewhere, perhaps from the system32 directory. I did a search for the dll using Process Explorer and all that turned up was Chrome and Avast.
If you look at the search for libcrypto.dll I did it shows up in a subfolder of the C:\Windows\WinSxS directory - does this imply it's been installed by a Windows component as opposed to a program?
Also I was wrong about system32 taking the highest priority for loading dll's; see here. It says the directory from which the program is loaded takes top priority for loading dll's; however when I place the libcrypto-1_1.dll and libssl-1_1.dll in the shadow build directory or the release subdirectory of the shadow build directory the qDebug() line shows again the wrong version of OpenSSL being loaded. The only possible explanation of that behavior I could find is on the dll path search page I linked to:
If a DLL with the same module name is already loaded in memory, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
Any ideas?
-
Yes, as already suggested, use OpenSSL 1.0 since it's the version that was used to build the version of Qt you are using.
As already written, OpenSSL broke API and ABI compatibility between 1.1 and 1.0.
It requires a different backend that is available since 5.10 but you have to select it when building Qt.If you want OpenSSL 1.1, you should move to Qt 5.12 as IIRC this is now the default backend.
-
I currently am using 5.12 which dumps the OpenSSL version mentioned before from QSslSocket::sslLibraryBuildVersionString(). Why does the Qt dynamic libraries (that's what you download to be used with Qt Creator/VS or whatever right?) only support a specific version of OpenSSL? When you use
INCLUDEPATH += "C:\Build-OpenSSL-VC-32\include"
and
LIBS += -LC:\Build-OpenSSL-VC-32\lib -llibcrypto -llibssl
why doesn't it override whatever OpenSSL was used to build Qt? After all the includes and libraries contain all the OpenSSL code right? Does Qt have to know which functions it can call within the OpenSSL libraries and therefore since API/ABI compatibility broke with 1.1 it is restricted to whatever was used to build Qt?