
QSslSocket will only pass ssl handshake when peerverifyHost is set



  • I am new to SSL / networking and want to utilize mutual SSL (client verifies server and server verifies peer). I found a white paper (http://www.infidigm.net/articles/qsslsocket_for_ssl_beginners/) online that gave me some guidance for setting up my certs and keys. Now this paper utilizes a localhost IP address as the client's cert file. I want to switch this to a registered domain name (scp.radiant.io). This FQDN is local to my Ubuntu OS for testing purposes.

    1. Updated my localhost to have a domain name (scp.radiant.io) by modifying this file (sudo nano /etc/hosts/) to say 127.0.0.1 scp.radiant.io localhost

    2. Next I create certificates and private keys for both client and server
      a. Steps for server side and client side
      openssl req -out server_ca.pem -new -x509 -nodes -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
      mv privkey.pem server_privatekey.pem
      touch server_index.txt
      echo "00" >> server_index.txt
      openssl genrsa -out server_local.key 1024
      openssl req -key ${NAME}_local.key -new -out server_local.req -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=scp.radiant.io/emailAddress=$EMAIL"
      openssl x509 -req -in ${NAME}_local.req -CA ${NAME}_ca.pem -CAkey server_privatekey.pem -CAserial server_index.txt -out server_local.pem
      b. This generates the CA certs (server_ca.pem and client_ca.pem)
      c. This generates the local cert files (server_local.pem and client_local.pem). THIS IS WHERE I SET FQDN to scp.radiant.io
      d. This generates the local keys (server_local.key and client_local.key)

    3. I use the generated cert files for setting up the SSL configuration on the QSslSocket for both sides like so

         //client socket setup
           // QSslConfiguration takes QSslKey / QSslCertificate objects, not file names
           QFile clientKeyFile("server_local.key");
           clientKeyFile.open(QIODevice::ReadOnly);
           config.setPrivateKey(QSslKey(&clientKeyFile, QSsl::Rsa));          // PEM RSA key from genrsa
           config.setLocalCertificate(QSslCertificate::fromPath("server_local.pem").first()); // list is empty if the file is missing
           config.addCaCertificate(QSslCertificate::fromPath("client_ca.pem").first());
           config.setPeerVerifyMode(QSslSocket::VerifyPeer);                   // enum value, not a string
           sslSocket->setSslConfiguration(config);
           sslSocket->connectToHostEncrypted("scp.radiant.io", 1200);
      
          // server socket setup
           QFile serverKeyFile("client_local.key");
           serverKeyFile.open(QIODevice::ReadOnly);
           config.setPrivateKey(QSslKey(&serverKeyFile, QSsl::Rsa));
           config.setLocalCertificate(QSslCertificate::fromPath("client_local.pem").first());
           config.addCaCertificate(QSslCertificate::fromPath("server_ca.pem").first());
           config.setPeerVerifyMode(QSslSocket::VerifyPeer);
           sslSocket->setSslConfiguration(config);
           sslSocket->startServerEncryption();
      
    4. When running this code I get the following error in my SSL errors: "The host name did not match any of the valid hosts for this certificate"

    5. Now if I change the client socket to use this when connecting sslSocket->connectToHostEncrypted("scp.radiant.io",1200,"scp.radiant.io"); it will work.

    I don't understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like to use the same certificates for my WebSockets implementation as well, but the QWebSocket class does not allow you to set the peerVerifyHost when connecting. So I must be doing something wrong at the cert level or the OS level for my FQDN. Any networking and SSL help would be helpful.
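The error quoted in step 4 comes from the client's host-name check: after the chain validates, the TLS client compares the name it connected to against the server certificate's subjectAltName dNSName entries (falling back to the subject CN only when no dNSName is present). The openssl commands in step 2 put the FQDN in the CN alone and add no subjectAltName. The shell script below is an added example, not code from the post or from the linked white paper: it builds a throwaway CA, issues one leaf with CN only and one with a subjectAltName, and then runs the same host-name check with `openssl verify -verify_hostname`, so you can see which names pass and which produce a mismatch before wiring the files into QSslSocket. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the CA name, file names and the work directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post): reproduce the TLS host-name check
# outside Qt with a throwaway CA and two leaf certificates.
# Assumes: openssl 1.1.1+ on PATH. All names below are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/qssl-hostname-example.$$"
mkdir -p "$WORK"

# make_ca: self-signed CA certificate + key (CA:TRUE comes from openssl's
# default v3_ca extensions for "req -x509").
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
}

# make_leaf NAME FQDN [SAN]: generate a key and CSR with CN=FQDN and sign it
# with the CA. When SAN is non-empty (e.g. "DNS:scp.radiant.io") it is added
# as subjectAltName through -extfile; otherwise the leaf carries CN only,
# exactly like the certificates produced by the commands in the post.
make_leaf() {
    name="$1"; fqdn="$2"; san="${3:-}"
    openssl genrsa -out "$WORK/$name.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# hostname_ok NAME HOST: prints "ok" when the leaf chains to ca.pem AND HOST
# matches a dNSName SAN (or the CN when the certificate has no dNSName SAN);
# prints "mismatch" otherwise. A "mismatch" here is the condition that Qt
# reports as "The host name did not match any of the valid hosts".
hostname_ok() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
            "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone demo: the FQDN from the post against both leaf styles, plus the
# loopback address that the hosts-file entry maps it to.
make_ca
make_leaf cn_only scp.radiant.io ""
make_leaf with_san scp.radiant.io "DNS:scp.radiant.io"
for leaf in cn_only with_san; do
    for host in scp.radiant.io 127.0.0.1; do
        printf '%-9s %-16s %s\n' "$leaf" "$host" "$(hostname_ok "$leaf" "$host")"
    done
done
```

Connecting with `connectToHostEncrypted("scp.radiant.io", 1200)` makes Qt compare "scp.radiant.io" against the server's certificate, so the name passed to `connectToHostEncrypted` (or, when given, its third `sslPeerName` argument) is the value that has to appear in the certificate; the loopback address the name resolves to is never consulted. Issuing the server certificate with a `subjectAltName=DNS:scp.radiant.io` entry, as `make_leaf with_san` does, is the form every modern verifier accepts without relying on the CN fallback.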

