
QSslSocket will only pass ssl handshake when peerverifyHost is set

  • I am new to SSL / networking and want to utilize mutual SSL (client verifies server and server verifies peer). I found a white paper ( online that gave me some guidance for setting up my certs and keys. Now this paper utilizes a local host IP address as the client's cert file. I want to switch this to a registered domain name ( This FQDN is local to my Ubuntu OS for testing purposes.

    1. Updated my localhost to have a domain name ( by modifying this file, sudo nano /etc/hosts, to say localhost

    2. Next I create certificate and private keys for both client and server
      a. Steps for server side and client side
      openssl req -out server_ca.pem -new -x509 -nodes \
        -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
      mv privkey.pem server_privatekey.pem
      touch server_index.txt
      echo "00" >> server_index.txt
      openssl genrsa -out server_local.key 1024
      openssl req -key server_local.key -new -out server_local.req -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/$EMAIL"
      openssl x509 -req -in server_local.req -CA server_ca.pem -CAkey server_privatekey.pem -CAserial server_index.txt -out server_local.pem
      b. This generates the CA certs (server_ca.pem and client_ca.pem)
      c. This generates the local cert files (server_local.pem and client_local.pem).. THIS IS WHERE I SET FQDN to
      d. This generates the local keys (server_local.key and client_local.key)

    3. I use the generated cert files for setting up the SSL configuration on the QSslSocket for both sides like so

         //client socket setup
          // server socket setup
    4. When running this code I get the following error in my SSL errors: "The host name did not match any of the valid hosts for this certificate"

    5. Now if I change the client socket to use this when connecting sslSocket->connectToHostEncrypted("",1200,""); it will work.

    I don't understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like to use the same certificates for my WebSockets implementation as well, but the QWebSocket class does not allow you to set the peerverifyHost when connecting. So I must be doing something wrong at the cert level or the OS level for my FQDN. Any networking and SSL help would be helpful.

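The error quoted in step 4 is the result of comparing the name the client verifies against with the names carried in the server's certificate; the peer verify name (the third argument in step 5) replaces the connect host name in that comparison. The sketch below is an added example, not code from the original post and not Qt's implementation: it models the comparison in plain C++ with a simplified RFC 6125-style rule, and all function names and host names in it are hypothetical or constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case copy, since DNS names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Name the client checks the certificate against: the explicit peer verify
// name when one is given, otherwise the host name it connected to.
std::string effectiveVerifyName(const std::string &hostName,
                                const std::string &peerVerifyName) {
    return peerVerifyName.empty() ? hostName : peerVerifyName;
}

// Match one certificate name (CN or DNS subjectAltName) against the verify name.
// A wildcard is honoured only as the whole left-most label and covers one label.
bool nameMatches(const std::string &certName, const std::string &verifyName) {
    const std::string pat = lower(certName), host = lower(verifyName);
    if (pat.empty() || host.empty()) return false;
    if (pat.rfind("*.", 0) != 0) return pat == host;   // no wildcard: exact match
    const std::string suffix = pat.substr(1);          // e.g. ".example.test"
    const auto dot = host.find('.');
    if (dot == std::string::npos || dot == 0) return false;
    return host.substr(dot) == suffix;
}

// True when any name in the certificate matches the effective verify name.
bool certificateMatches(const std::vector<std::string> &certNames,
                        const std::string &hostName,
                        const std::string &peerVerifyName = "") {
    const std::string verifyName = effectiveVerifyName(hostName, peerVerifyName);
    return std::any_of(certNames.begin(), certNames.end(),
                       [&](const std::string &n) { return nameMatches(n, verifyName); });
}

int main() {
    // Constructed names: a leaf certificate whose only name is CN=server.
    const std::vector<std::string> leaf = {"server"};
    bool byHost = certificateMatches(leaf, "device.example.test");            // false
    bool byPeer = certificateMatches(leaf, "device.example.test", "server");  // true
    return (!byHost && byPeer) ? 0 : 1;
}
```

A certificate whose CN or DNS subjectAltName equals the host name the client connects to passes this check without any override, which is the case that matters for clients that offer no way to set a separate verify name.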