QSslSocket: TLS initialization Failed

samf48

I was trying to avoid that if possible but that might be something I have to do. I'm checked the path variable on the working vanilla machine and there is no mention of OpenSSL or any sort of installation on it. What .dll or other file should I look for in the Windows System folder?

SGaist

Windows doesn't provide OpenSSL. It's your job to provide it with your application.

I guess you didn't build Qt yourself, so you should look for OpenSSL 1.0 .dlls. So it should be: ssleay32 and libeay32.

samf48

@SGaist said in QSslSocket: TLS initialization Failed:

That's what I'm trying to figure out. There is no install of OpenSSL (or either .dll you mentioned) on the machine and yet my application is establishing a secure, encrypted connection utilizing my localhost certificate. Seems like it isn't referencing OpenSSL-related files at all. Is the Qt5Network.dll handling the TLS-related tasks in my code?

I installed Qt 5.8 on my machine and use Qt Creator but did not build it from source or anything like that.

samf48

@SGaist I implemented the error reporting below :

void HttpServer::incomingConnection(qintptr socketDescriptor)
{
    socket = new QSslSocket(this);
    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), SLOT(error(QAbstractSocket::SocketError)));

    // Read RSA Key from file for SSL
    socket->setProtocol(QSsl::TlsV1_2);

    QByteArray key;
    QFile KeyFile("server.key");
    if(KeyFile.open(QIODevice::ReadOnly))
    {
        key = KeyFile.readAll();
        KeyFile.close();
    }
    else
    {
        qDebug() << KeyFile.errorString();
    }
    //set SSL Key
    QSslKey sslKey(key, QSsl::Rsa);
    socket->setPrivateKey(sslKey);

    // Load SSL certificate from file
    QByteArray cert;
    QFile CertFile("server.crt");
    if(CertFile.open(QIODevice::ReadOnly))
    {
        cert = CertFile.readAll();
        CertFile.close();
    }
    else
    {
        qDebug() << CertFile.errorString();
    }

    //set SSL Certificate
    QSslCertificate sslCert(cert);
    socket->setLocalCertificate(sslCert);

    QSslConfiguration cfg = socket->sslConfiguration();
    cfg.caCertificates();

    if (!socket->setSocketDescriptor(socketDescriptor))
    {
        qDebug() << ("! Couldn't set socket descriptor");
        delete socket;
        return;
    }

    if (isBusy)
         socket->waitForReadyRead();

    isBusy = true;

    socket->startServerEncryption();

    if (socket->isEncrypted()){
        emit socket->encrypted();
    }

    if(!socket->waitForEncrypted(3000)) {
        qDebug("Wait for encrypted!!!!");
        return;
    }

    if (socket) {
       connect(socket, SIGNAL(readyRead()), this, SLOT(doTxRx()));
       connect(socket, SIGNAL(disconnected()), socket, SLOT(deleteLater()));
       socket->waitForReadyRead();
    }
}

unfortunately I get no additional info. What I get is :

Error: TLS Initialization failed

SGaist

QSslSocket has the sslErrors signal that might give you more clues.

samf48

@SGaist That definitely clued me in to what was going on. Additionally, these two functions helped out quite a bit.

      sslSocket->sslLibraryBuildVersionString()
      sslSocket->sslLibraryVersionString()

The build library was reporting using OpenSSL version 1.0.2h, and the runtime(non-build Version) was non-existent on the machines where the SSL wasn't working. Only after I installed Git for Windows did my the runtime version show up and my program started working, this was because it installed the 1.0.2p .dll version in the PATH variable of my machine. The sslLibraryVersionString reported version 1.0.2p after that. After I got a hold of the ssleay32.dll and the libeay32.dll for version 1.0.2p and placed it alongside the .exe everything started working.

So I guess that means that whatever version of OpenSSL I have installed on my machine is what QT Creator calls when building my program? Is there a way to specify what version to build against?

SGaist

Qt Creator is innocent. And Qt as well. There's no linking against the SSL libraries by default. They are loaded dynamically.

samf48

@SGaist okay good to know. Where is sslSocket->sslLibraryBuildVersionString() pulling that version from? And any clue as to why they differ?

SGaist

That's the version of OpenSSL that was used when building Qt.

Hans Dijkema

@SGaist I seem to have the same problem. I'm currently linking against openssl 1.0.2q. Is that a problem? Also I added a library path in Qt main where it can find the ssl dlls: QCoreApplication::addLibraryPath("c:/OpenSSL-Win64/bin");

Still it reports the initialization problems with SSL:

qDebug() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();

gives me:

false "OpenSSL 1.0.2p 14 Aug 2018" ""

and then:

QSslSocket::connectToHostEncrypted: TLS initialization failed ssl\qsslsocket.cpp: 457

What to do?

SGaist

You should rather modify the PATH environnement variable in the Run part of the Project panel so it can be found at run time.

Crag_Hack

I have the exact same situation as Hans. Same output from the program. I did a search and looky what I found... looks like M$ put libcrypto.dll in the system32 folder and that overrides getting dlls from the program path. Could it be somebody other than MS? I have .NET Framework 1.1, Win10 Dev Kit, Visual Studio 2017 Community, Strawberry Perl, Python, OpenSSL 1.1.1.a, some MS Visual C++ Redistributables, and MS System CLR Types for SQL Server. Nobody else should have done something like that. Also there is no libssl.dll in system32. I'm using OpenSSL 1.1.1a so libcrypto.dll and libssl.dll replace libeay32.dll and ssleay32.dll.

This is a fresh install of Win10 I did about a week ago or so. I added this to the beginning of the qDebug() with dbReply being a QNetworkReply:

qDebug() << dbReply->errorString() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();

The total output is:

"Unknown error" false "OpenSSL 1.0.2p  14 Aug 2018" ""

How do I remedy the situation if system32 takes priority over the program path?

SGaist

First: use the same series of OpenSSL as was used to build Qt. OpenSSL 1.1 broke API and ABI compatibility with regards to the 1.0 series.

As for the rogue OpenSSL version in system32, it might very well be an application you installed or an application provided by the manufacturer of your machine. Neither are supposed to do that.

Crag_Hack

I am running the program straight from Qt Creator when all this happens. Even without the dll's present in the application build directory the program still gives the same output from the qDebug() line. I'm thinking the dll is loaded elsewhere, perhaps from the system32 directory. I did a search for the dll using Process Explorer and all that turned up was Chrome and Avast.

If you look at the search for libcrypto.dll I did it shows up in a subfolder of the C:\Windows\WinSxS directory - does this imply it's been installed by a Windows component as opposed to a program?

Also I was wrong about system32 taking the highest priority for loading dll's; see here. It says the directory from which the program is loaded takes top priority for loading dll's; however when I place the libcrypto-1_1.dll and libssl-1_1.dll in the shadow build directory or the release subdirectory of the shadow build directory the qDebug() line shows again the wrong version of OpenSSL being loaded. The only possible explanation of that behavior I could find is on the dll path search page I linked to:

If a DLL with the same module name is already loaded in memory, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. The system does not search for the DLL.

Any ideas?

SGaist

Yes, as already suggested, use OpenSSL 1.0 since it's the version that was used to build the version of Qt you are using.
As already written, OpenSSL broke API and ABI compatibility between 1.1 and 1.0.
It requires a different backend that is available since 5.10 but you have to select it when building Qt.

If you want OpenSSL 1.1, you should move to Qt 5.12 as IIRC this is now the default backend.

Crag_Hack

I currently am using 5.12 which dumps the OpenSSL version mentioned before from QSslSocket::sslLibraryBuildVersionString(). Why does the Qt dynamic libraries (that's what you download to be used with Qt Creator/VS or whatever right?) only support a specific version of OpenSSL? When you use

INCLUDEPATH += "C:\Build-OpenSSL-VC-32\include"

and

LIBS += -LC:\Build-OpenSSL-VC-32\lib -llibcrypto -llibssl

why doesn't it override whatever OpenSSL was used to build Qt? After all the includes and libraries contain all the OpenSSL code right? Does Qt have to know which functions it can call within the OpenSSL libraries and therefore since API/ABI compatibility broke with 1.1 it is restricted to whatever was used to build Qt?

SGaist

By default, for international distribution reason, Qt is not linked to OpenSSL but dlopens the dll if available.

And yes, the version is restricted to what was used to build Qt as with any other dependency you may have.

Crag_Hack

Everything is working beautifully with Shining Light Productions OpenSSL 1.0.2q. Thanks for the help SGaist!

Crag_Hack

@SGaist said in QSslSocket: TLS initialization Failed:

Yes, as already suggested, use OpenSSL 1.0 since it's the version that was used to build the version of Qt you are using.
As already written, OpenSSL broke API and ABI compatibility between 1.1 and 1.0.
It requires a different backend that is available since 5.10 but you have to select it when building Qt.
If you want OpenSSL 1.1, you should move to Qt 5.12 as IIRC this is now the default backend.

When you say you have to select it when building Qt your'e referring to a static build right? Is there any way to do it for whatever version of dynamic Qt Qt Creator uses? Just curious.

SGaist

No, static or dynamic build doesn't play a role.

Qt and Qt Creator are two linked but independent projects so I'm not sure what you are asking here.