How to set Client CA List on server QSslSocket?
-
Gents, I use a pretty standard QTcpServer whose incomingConnection is overruled to do:
    shared_ptr<QSslSocket> sock = make_shared<QSslSocket>(this);
    sock->setSslConfiguration(p->mConfig);
    if (sock->setSocketDescriptor(desc)) {
        sock->setSocketOption(QAbstractSocket::KeepAliveOption, true);
        // ... code for handling ssl errors and other signals ...
        sock->startServerEncryption();
    }
Here p->mConfig is a QSslConfiguration with correct invocations of setLocalCertificate(), setPrivateKey(), setCaCertificates(), setPeerVerifyMode(QSslSocket::VerifyPeer) and setCiphers() done on it.
This all works fine, including the verification of the client certificate when the client provides one (and refusing connection when no or an invalid client cert is given), but ...
When checking the server I noticed that openssl consistently reports "No client certificate CA names sent" for this server. This indicates that no SSL_CTX_set_client_CA_list() call (or one of the alternatives with the same effect) was done on the context at OpenSSL level. Some TLS clients (in our case Java) use the client CA list in the handshake to select a client certificate from a set of client certificates they have in their key-store. Not having the client CA list filled in causes the client at hand to not provide any certificate, thereby failing the connection. Of course, one path would be to correct the client, but all other servers (among others lighttpd) seem to operate correctly and also the openssl s_server will set the client CA list when given a -CAfile parameter. So I really feel this should be corrected server-side in the Qt5 code that I'm running ...
So, the real question: is there some way that I am overlooking to have Qt5 set the client CA list of a (server) QSslSocket? If not, is there some (hack) to get at the openssl context of a QSslSocket so that I can myself add a hack to invoke SSL_CTX_set_client_CA_list() on it with the correct CA certificate?
Thanks in advance for any light you experts can shed on this!
Merry X-mas and a Happy New Year!
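For readers who want to see what the missing SSL_CTX_set_client_CA_list() call actually changes on the wire, here is an added example (not code from this thread, from Qt or from OpenSSL). It builds and parses a TLS 1.2 CertificateRequest handshake message, whose certificate_authorities field is exactly the list that openssl s_client reports as "No client certificate CA names sent" when it is empty, and then models the client-side selection step the post describes: a client with several certificates in its key store picks the one whose issuer DN appears in that list, and with an empty list picks nothing. The CA names, key-store aliases and the selection rule are constructed for the example; the DER Name encoder only handles a single commonName.

```python
"""
TLS 1.2 CertificateRequest: build, parse, and a simplified client-certificate
selection step. Added example, not code from the forum thread or from Qt.
"""
import struct
from typing import Dict, List, Optional

HANDSHAKE_CERTIFICATE_REQUEST = 13  # TLS HandshakeType certificate_request


def der_name_with_cn(common_name: str) -> bytes:
    """Minimal DER X.501 Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }.
    Short-form lengths only, so the CN must be under ~120 bytes."""
    cn = common_name.encode()
    utf8 = b"\x0c" + bytes([len(cn)]) + cn        # UTF8String value
    attr = b"\x06\x03\x55\x04\x03" + utf8         # OID 2.5.4.3 (commonName) + value
    seq = b"\x30" + bytes([len(attr)]) + attr     # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(seq)]) + seq       # RelativeDistinguishedName (SET)
    return b"\x30" + bytes([len(rdn)]) + rdn      # Name (SEQUENCE)


def build_certificate_request(ca_names: List[bytes]) -> bytes:
    """Serialize a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4).
    ca_names is the certificate_authorities list, one DER DistinguishedName each."""
    cert_types = b"\x01\x40"        # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x04\x03"  # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg: bytes) -> dict:
    """Parse a CertificateRequest handshake message into its three fields.
    Raises ValueError on a wrong type or a truncated/over-long body."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 1:
        raise ValueError("truncated handshake message")
    pos = 0
    n_types = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n_types]); pos += n_types
    (sa_len,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + sa_len, 2)]; pos += sa_len
    (ca_len,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_names = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        if pos + dn_len > end:
            raise ValueError("truncated DistinguishedName")
        ca_names.append(body[pos:pos + dn_len]); pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}


def choose_client_cert(ca_names: List[bytes], keystore: Dict[str, bytes]) -> Optional[str]:
    """Pick the key-store alias whose certificate issuer DN is in the server's CA list.
    keystore maps alias -> issuer DN (DER). Models the behaviour the thread describes:
    an empty certificate_authorities list leaves the client with no certificate to send."""
    if not ca_names:
        return None
    for alias, issuer in keystore.items():
        if issuer in ca_names:
            return alias
    return None


# Constructed sample data: two client certificates issued by different CAs.
CORP_CA = der_name_with_cn("Corp Client CA")
OTHER_CA = der_name_with_cn("Other CA")
KEYSTORE = {"corp-client": CORP_CA, "personal": OTHER_CA}


def demo():
    """Server that sends its CA list vs. one that does not (the QSslSocket case)."""
    with_list = parse_certificate_request(build_certificate_request([CORP_CA]))
    without_list = parse_certificate_request(build_certificate_request([]))
    return (choose_client_cert(with_list["ca_names"], KEYSTORE),
            choose_client_cert(without_list["ca_names"], KEYSTORE))


if __name__ == "__main__":
    print(demo())
```

To check a live server the same way the post did, `openssl s_client -connect host:port` prints "Acceptable client certificate CA names" followed by the DNs when the list is populated, and "No client certificate CA names sent" when it is empty; a server that verifies client certificates but prints the latter is the situation described above.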
-
Hi and welcome to devnet,
@Mr-K said in How to set Client CA List on server QSslSocket?:
SSL_CTX_set_client_CA_list
I am not an SSL specialist but a quick look at the Qt sources shows no call to that method is done.
As for your hack idea, it won't be possible as is, as the context is in the private part of the class.
You may have to modify the sources and build the network module yourself.
Did you already check the bug report system?
-
Hello @SGaist , thanks for your response.
I also already went through the Qt (5.15.2) source code trying to figure out how this could be achieved and also noticed that only in qtwebengine the relevant calls could be found (as part of boringssl inside chromium). I have not raised a bug report yet as I first wanted some input from others on the matter. Also, it would rather be a feature request than a bug as the client CA list is (as far as I could tell from my Internet reading) optional information and not required to be provided by the server, so I cannot claim that not supplying this is a bug, but it would be a nice feature to have control over it - as offered out of the box by OpenSSL.
-
The bug report system is for doing both feature requests and bug reports. You have to select the correct type when you fill the report.
Note that since it's a new feature, it can only go into Qt 6 as there will be no new minor releases of Qt 5. That said, if the internals have not changed too much you should be able to patch Qt 5.15 for your own build.