Unsolved QSslSocket will only pass ssl handshake when peerverifyHost is set
I am new to SSL / networking and want to use mutual SSL (the client verifies the server and the server verifies the peer). I found a white paper (http://www.infidigm.net/articles/qsslsocket_for_ssl_beginners/) online that gave me some guidance for setting up my certs and keys. Now this paper uses a localhost IP address for the client's cert file. I want to switch this to a registered domain name (scp.radiant.io). This FQDN is local to my Ubuntu OS for testing purposes.
I updated my localhost to have a domain name (scp.radiant.io) by modifying this file:

```shell
sudo nano /etc/hosts
```

to say:

```
127.0.0.1 scp.radiant.io localhost
```
Next I create certificates and private keys for both client and server.

a. Steps for server side and client side:

```shell
openssl req -out server_ca.pem -new -x509 -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
mv privkey.pem server_privatekey.pem
touch server_index.txt
echo "00" >> server_index.txt
openssl genrsa -out server_local.key 1024
openssl req -key ${NAME}_local.key -new -out server_local.req \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=scp.radiant.io/emailAddress=$EMAIL"
openssl x509 -req -in ${NAME}_local.req -CA ${NAME}_ca.pem -CAkey server_privatekey.pem \
  -CAserial server_index.txt -out server_local.pem
```

b. This generates the CA certs (server_ca.pem and client_ca.pem).

c. This generates the local cert files (server_local.pem and client_local.pem). THIS IS WHERE I SET THE FQDN to scp.radiant.io.

d. This generates the local keys (server_local.key and client_local.key).
I use the generated cert files for setting up the SSL configuration on the QSslSocket for both sides like so:

```cpp
// client socket setup
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
QFile clientKeyFile("server_local.key");
clientKeyFile.open(QIODevice::ReadOnly);
config.setPrivateKey(QSslKey(clientKeyFile.readAll(), QSsl::Rsa));
config.setLocalCertificate(QSslCertificate::fromPath("server_local.pem").first());
config.addCaCertificate(QSslCertificate::fromPath("client_ca.pem").first());
config.setPeerVerifyMode(QSslSocket::VerifyPeer);   // enum value, not a string
sslSocket->setSslConfiguration(config);
sslSocket->connectToHostEncrypted("scp.radiant.io", 1200);

// server socket setup
QSslConfiguration config = QSslConfiguration::defaultConfiguration();
QFile serverKeyFile("client_local.key");
serverKeyFile.open(QIODevice::ReadOnly);
config.setPrivateKey(QSslKey(serverKeyFile.readAll(), QSsl::Rsa));
config.setLocalCertificate(QSslCertificate::fromPath("client_local.pem").first());
config.addCaCertificate(QSslCertificate::fromPath("server_ca.pem").first());
config.setPeerVerifyMode(QSslSocket::VerifyPeer);
sslSocket->setSslConfiguration(config);
sslSocket->startServerEncryption();
```
When running this code I get the following error in my SSL errors:

"The host name did not match any of the valid hosts for this certificate"
Now if I change the client socket to use this when connecting:

```cpp
sslSocket->connectToHostEncrypted("scp.radiant.io", 1200, "scp.radiant.io");
```

it will work.
I don't understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like to use the same certificates for my WebSockets implementation as well, but the QWebSocket class does not allow you to set the peerVerifyHost when connecting. So I must be doing something wrong at the cert level or the OS level for my FQDN. Any networking and SSL help would be helpful.
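The error quoted in the post comes from the hostname check a TLS client runs after the handshake: the name it connected to (or the explicit peer name passed as the third argument) must appear among the names the server certificate was issued for. The following is an added example, written for this page rather than taken from the post or from Qt, that models that check in Python over certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed; no real key or socket is involved, and Qt's own implementation is separate code that this model only approximates. It goes slightly beyond the post by also showing subjectAltName handling: an IP literal such as 127.0.0.1 only ever matches an "IP Address" SAN entry, and once a certificate carries DNS SAN entries the CN is ignored, which is the behaviour of current browsers and of Python's `ssl` module.

```python
"""Model of the post-handshake hostname check a TLS client performs.

Added example, not code from the Qt forum post or from Qt. Certificates are
constructed dictionaries in the shape of ssl.SSLSocket.getpeercert().
"""
from __future__ import annotations

import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match, allowing one leftmost '*' label (RFC 6125 s6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, never covering a bare TLD,
    # and it matches exactly one label (a.b.example.org is not *.example.org).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> tuple[list[str], list[str], str | None]:
    """Extract (dns_sans, ip_sans, common_name) from a getpeercert()-style dict."""
    dns_sans: list[str] = []
    ip_sans: list[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_sans.append(value)
        elif kind == "IP Address":
            ip_sans.append(value)
    common_name = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    return dns_sans, ip_sans, common_name


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if `hostname` (the connect name or explicit peer verify name)
    is one of the names the certificate was issued for."""
    dns_sans, ip_sans, common_name = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries.
        return any(ipaddress.ip_address(v) == ip for v in ip_sans)
    if dns_sans:
        # When DNS SAN entries exist, the CN is not consulted at all.
        return any(_dns_label_match(p, hostname) for p in dns_sans)
    # Legacy fallback for certificates without a SAN extension: compare the CN.
    return common_name is not None and _dns_label_match(common_name, hostname)


# Constructed sample certificates (no real certificate material).
CN_ONLY_CERT = {"subject": ((("commonName", "scp.radiant.io"),),)}
SAN_CERT = {
    "subject": ((("commonName", "scp.radiant.io"),),),
    "subjectAltName": (("DNS", "scp.radiant.io"), ("IP Address", "127.0.0.1")),
}


def demo() -> dict[str, bool]:
    """Which connect names each sample certificate would be accepted for."""
    return {
        "cn-only vs scp.radiant.io": match_hostname(CN_ONLY_CERT, "scp.radiant.io"),
        "cn-only vs localhost": match_hostname(CN_ONLY_CERT, "localhost"),
        "cn-only vs 127.0.0.1": match_hostname(CN_ONLY_CERT, "127.0.0.1"),
        "san vs scp.radiant.io": match_hostname(SAN_CERT, "scp.radiant.io"),
        "san vs 127.0.0.1": match_hostname(SAN_CERT, "127.0.0.1"),
        "san vs localhost": match_hostname(SAN_CERT, "localhost"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'match' if ok else 'NO MATCH'}")
```

The practical consequence for a client that offers no way to override the peer name, such as a WebSocket URL, is that the server certificate has to be issued for exactly the name (or IP literal, as a SAN entry) that appears in that URL; a certificate whose only name is a CN will be rejected by verifiers that require SANs even when the CN is correct.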