QtCoap: Missing SSLCipher TLS_PSK_WITH_AES_128_CCM_8

Marc_Van_Daele · wrote on 7 Jun 2019, 20:03

I'm trying to run quicksecureclient example from the QtCoap package in 5.13 and connect to an existing Coap server.
Running coap-client -u <identity> -k <psk> coaps://192.168.1.3:5684/<url> works fine (where coap-client comes from libcoap.net)
However, the quicksecureclient doesn't seem to work and fails at the handshake. After comparing the wireshark logs, I noticed that TLS_PSK_WITH_AES_128_CCM_8 is not in the list of Ciphers returned by configuration.supportedCiphers().
Any suggestions on how to add this?
I'm on Ubuntu 16.04, having OpenSSL version 1.0.2g

Thanks in advance,

Marc

Marc_Van_Daele · wrote on 8 Jun 2019, 10:16

In the meantime, I've upgraded to Openssl 1.1.1c which does support TLS_PSK_WITH_AES_128_CCM_8 . However, configuration.supportedCiphers() does not seem to return this cipher.
Where does Qt gets its list of supported ciphers and how can I add one?

Marc_Van_Daele · wrote on 8 Jun 2019, 17:06

And I'm one step further: QSslSocket::sslLibraryBuildVersionString() still returns "OpenSSL 1.0.2k-fips 26 Jan 2017".
So somehow I should get Qt to load the 1.1 version. This should be possible according to the docs "By default, an SSL-enabled Qt library dynamically loads any installed OpenSSL library at run-time"
Question now is how to control the dynamic loading and to get Qt to load the OpenSSL 1.1 first

Christian Ehrlicher · 8 Jun 2019, 19:17

What Qt version do you use? Support for OpenSsl 1.1 was added in 5.12 afaik.

Marc_Van_Daele · wrote on 8 Jun 2019, 18:29

I'm using Qt 5.13.0-rc. I have both OpenSSL 1.0.2 and OpenSSL 1.1.1 on my Ubuntu 16.04 system. Somehow, I have to point Qt to the correct version but I've played ao with LD_LIBRARY_PATH but with no success.

Christian Ehrlicher · wrote on 8 Jun 2019, 19:10

Ok, now the question is if your Qt is compiled with openssl 1.1 support.

SGaist · replied to Christian Ehrlicher on 8 Jun 2019, 19:17

@Christian-Ehrlicher said in QtCoap: Missing SSLCipher TLS_PSK_WITH_AES_128_CCM_8:

What Qt version do you use? Support for OpenSsl 1.1 was added in 5.12 afaik.

Nope, it was added in 5.10. The pre-built package were still built using 1.0 to avoid breaking the work of people relying on that version of OpenSSL.

@Marc_Van_Daele you can't just switch between one and the other, the API/ABI has been broken between OpenSSL 1.0 and 1.1.

You'll have to build your Qt version by hand to make it use OpenSSL 1.1

Marc_Van_Daele · wrote on 8 Jun 2019, 19:44

Thanks for the clarification!

The docs are a bit misleading when they state "By default, an SSL-enabled Qt library dynamically loads any installed OpenSSL library at run-time"

I've created https://bugreports.qt.io/browse/QTBUG-76290 since I think there is a mismatch between the default packaging in 5.13 (uses 1.0) and the requirements for the (new) QtCoap (needs 1.1)