QSslSocket will only pass ssl handshake when peerverifyHost is set

    pjorourke wrote:

    I am new to ssl / networking and want to utilize mutual ssl (client verifies server and server verifies peer). I found a white paper (http://www.infidigm.net/articles/qsslsocket_for_ssl_beginners/) online that gave me some guidance for setting up my certs and keys. Now this paper utilizes a local host ip address as the clients cert file. I want to switch this to a registered domain name (scp.radiant.io). This FQDN is local to my Ubuntu os for testing purposes.

    1. Updated my localhost to have a domain name (scp.radiant.io) by modifying this file, sudo nano /etc/hosts/, to say 127.0.0.1 scp.radiant.io localhost

    2. Next I create certificates and private keys for both client and server
      a. Steps for server side and client side
      openssl req -out server_ca.pem -new -x509 -nodes \
        -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
      mv privkey.pem server_privatekey.pem
      touch server_index.txt
      echo "00" >> server_index.txt
      openssl genrsa -out server_local.key 1024
      openssl req -key ${NAME}_local.key -new -out server_local.req -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=scp.radiant.io/emailAddress=$EMAIL"
      openssl x509 -req -in ${NAME}_local.req -CA ${NAME}_ca.pem -CAkey server_privatekey.pem -CAserial server_index.txt -out server_local.pem
      b. this generates the CaCerts (server_ca.pem and client_ca.pem)
      c. this generates the Local Cert files (server_local.pem and client_local.pem).. THIS IS WHERE I SET FQDN to scp.radiant.io
      d. this generates a LocalKey (server_local.key and client_local.key)

    3. I use the generated cert files for setting up the ssl configuration on the QSslSocket for both sides like so

         // client socket setup
         config.setPrivateKey("server_local.key");
         config.setLocalCertificate("server_local.pem");
         config.addCaCertificate("client_ca.pem");
         config.setPeerVerifyMode(QSslSocket::VerifyPeer);
         sslSocket->setSslConfiguration(config);
         sslSocket->connectToHostEncrypted("scp.radiant.io",1200);

         // server socket setup
         config.setPrivateKey("client_local.key");
         config.setLocalCertificate("client_local.pem");
         config.addCaCertificate("server_ca.pem");
         config.setPeerVerifyMode(QSslSocket::VerifyPeer);
         sslSocket->setSslConfiguration(config);
         sslSocket->startServerEncryption();
      
    4. When running this code I get the following error in my ssl errors: "The host name did not match any of the valid hosts for this certificate"

    5. Now if I change the client socket to use this when connecting sslSocket->connectToHostEncrypted("scp.radiant.io",1200,"scp.radiant.io"); it will work.

    I don't understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like to use the same certificates for my WebSockets implementation for this as well, but the QWebSocket class does not allow you to set the peerverifyHost when connecting. So I must be doing something wrong at the cert level or the os level for my FQDN. Any networking and ssl help would be helpful.
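
A diagnostic for the host name error in step 4, as an added example that is not part of the original post: it asks OpenSSL whether a given certificate is valid for the name the client verifies. The throwaway CA and the two leaf certificates (CN=scp.radiant.io and CN=client) are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check which certificate is valid for the name the client verifies.

# cert_matches_host <cert.pem> <hostname>: returns 0 when OpenSSL's host check
# (subjectAltName DNS entries, else the subject CN) accepts the name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# cert_subject <cert.pem>: print the subject so the CN can be read directly.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# make_sample_certs <dir>: constructed sample data, a throwaway CA plus two
# leaf certificates whose CNs are scp.radiant.io and client.
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    for cn in scp.radiant.io client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$1/$cn.key" -out "$1/$cn.req" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$cn.req" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -CAcreateserial -days 1 -out "$1/$cn.pem" 2>/dev/null || return 1
    done
}

# Demo: the certificate the *listening* side loads is the one that has to
# match the name passed to connectToHostEncrypted().
tmp=$(mktemp -d)
make_sample_certs "$tmp"
for cert in "$tmp/scp.radiant.io.pem" "$tmp/client.pem"; do
    cert_subject "$cert"
    if cert_matches_host "$cert" scp.radiant.io; then
        echo "  valid for scp.radiant.io"
    else
        echo "  NOT valid for scp.radiant.io"
    fi
done
rm -rf "$tmp"
```

Running `cert_subject` and `cert_matches_host` against server_local.pem and client_local.pem shows which of the two actually carries scp.radiant.io.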
