SSL and Let's Encrypt certificates?
-
Hi Qt lovers, I'm in trouble with deploying SSL with Qt, I hope I can find help here :)
I tried to deploy with the dlls (libssl-1_1-x64.dll and libcrypto-1_1-x64.dll) from Qt/Tools/QtCreator/bin and from Qt/Tools/OpenSSL/bin; none of them were working on a naive machine (I mean a fresh install of Windows 10 on a VM).
Then, as I use a torrent client named "transmission", developed in Qt, on my Windows machine, I decided to try with its dlls... and so far these dlls gave me a better result than the ones from my Qt installation, but still not the expected result.

***** Code *****
    #include <QEventLoop>
    #include <QNetworkAccessManager>
    #include <QNetworkReply>
    #include <QNetworkRequest>
    #include <QObject>
    #include <QUrl>

    QByteArray BasicDownloader::getFile(const QString &url)
    {
        QEventLoop loop;
        QNetworkAccessManager m_WebCtrl;
        QNetworkReply *reply = m_WebCtrl.get(QNetworkRequest(QUrl(url)));
        // block until the reply has finished, whether it succeeded or failed
        QObject::connect(reply, &QNetworkReply::finished, &loop, &QEventLoop::quit);
        loop.exec();
        if (reply->error() != QNetworkReply::NoError) {
            // on failure the returned payload is the error text
            // (e.g. "TLS initialization failed" or "SSL handshake failed")
            QByteArray err = reply->errorString().toUtf8();
            reply->deleteLater();
            return err;
        }
        QByteArray ret = reply->readAll();
        reply->deleteLater();
        return ret;
    }
**** UI pseudo code **** (UI is just a dialog with 2 buttons)
    void on_googleButton_clicked()
    {
        QMessageBox::information(this, "google",
            QString::fromUtf8(BasicDownloader::getFile("https://www.google.com/")));
    }

    void on_persoWebsiteButton_clicked()
    {
        QMessageBox::information(this, "perso website",
            QString::fromUtf8(BasicDownloader::getFile("https://mypersoSite_WithLetsEncryptCertificate.net/")));
    }
**** Expected Result ******
When I click the googleButton, a message box with the google index page should pop up
When I click the persoWebsiteButton, a message box with my personal website index page should pop up

**** What I did *********
Compile with mingw81_64 with Qt 5.15.2
then windeployqt the exe
then copy the libssl and libcrypto dll files into the exe folder

Versions of the files libssl-1_1-x64.dll and libcrypto-1_1-x64.dll:

    file version   product version   origin
    1.1.1.4        1.1.1d            Tools/QtCreator/bin
    1.1.1.10       1.1.1j            Tools/OpenSSL/Win_x64/bin
    1.1.1.7        1.1.1g            "transmission" torrent client binary
**** Results *********
- On dev machine (but launched standalone, i.e. without Qt Creator):
  without libssl and libcrypto -> TLS Initialization failed
  with any version -> google button working, personal website button working -> all working as expected
- On a VM with Windows 10 but no Qt installed on it, the results depend on the dll version like so:

    dlls copied in the exe dir     Result
    1.1.1.4  (qtcreator/bin)       TLS Initialization failed with both buttons
    1.1.1.10 (openSSL/bin)         TLS Initialization failed with both buttons
    1.1.1.7  (transmission)        google button working / perso website -> SSL Handshake failed
**** Additional details ****
My website is using a Let's Encrypt SSL certificate and it is working with all browsers I tried (Firefox, Edge, Chrome, Safari) on various platforms (Windows, Linux, OSX, Android); the SSL seems correctly handled. So IMHO the issue isn't my nginx config, but rather the QNetworkAccessManager and the SSL context it is using.
Also, I tried to add the pem files from Let's Encrypt like so:
    #include <QApplication>
    #include <QDir>
    #include <QSslConfiguration>
    #include <iostream>

    QString certsPath = qApp->applicationDirPath() + "/certs/";
    QDir certsDir(certsPath);
    QStringList certList = certsDir.entryList(QStringList() << "*.pem", QDir::Files);
    // defaultConfiguration() returns a copy: add the CAs to that copy and write it
    // back with setDefaultConfiguration(), otherwise later requests never see them.
    QSslConfiguration conf = QSslConfiguration::defaultConfiguration();
    foreach (const QString &s, certList) {
        std::cout << "loading " << (certsPath + s).toStdString() << std::endl;
        if (!conf.addCaCertificates(certsPath + s))
            std::cout << "can't add " << (certsPath + s).toStdString() << std::endl;
    }
    QSslConfiguration::setDefaultConfiguration(conf);
and the files within the "certs" folder (isrgrootx1.pem, and I also tried to add isrg-root-x1-cross-signed.pem; both files come from the Let's Encrypt official website) are accepted
(i.e. I got the two "loading " messages with no "can't add " messages), but still no more luck downloading a file via https from my personal website using that Qt test app on a fresh Windows 10 VM...
-
Hi and welcome to devnet,
Did you check that you also deployed the dependencies of the OpenSSL dlls?
-
@SGaist Hi and thanks for your reply :)
If the files are capi.dll and padlock.dll, yes, I tried adding them both in the exe directory as well as in a sub directory "engines-1_1" (like the OpenSSL lib folder structure), but without more success (with the exact same result, to be more accurate).
By the way, I just made a curl -v from git-bash with a URL of my personal website and saw the command rely on the mingw64 certs to handshake with my website:
partial output of curl --url https://mywebsite.net/ -v :
- successfully set certificate verify locations:
- CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
So I guess if I add the certs from C:/Program Files/Git/mingw64/ssl/certs to my app's SSL configuration, it should have all the required CAs.
I'll try that tomorrow and will let u know
Ofc this ain't the best solution (taking dlls from the transmission torrent client and CAs from git-bash), but if it works, my trust in both these pieces of software for not having malicious code in their dlls might make me consider that solution...
But if you have more questions / suggestions ofc feel free :)
-
@hskoglund yes ty, u're right! By adding msvcr100.dll I can now use the openssl/bin version of the dlls and get the same result as with the transmission torrent client dlls; that's cleaner, I like it (even if the transmission version is more compact, as they must have included the useful parts of msvcr100.dll into libssl and libcrypto, I still prefer to rely on the official openssl binaries).
So only the handshake with my Let's Encrypt cert remains an issue...
But I think by adding the crt files I saw used by curl (see my previous post) it may work, I'm confident :)
Anyway ty for making me read again the post u linked (yeah, the sad part of the story is I read that post before posting here and missed one of the two files (the only one needed, as apparently I don't need msvcp100.dll), dunno how... SO ty for making me re-verify and realize my mistake :)
It starts to be late in my time zone, so I'll let u know tomorrow about Let's Encrypt
-
@hskoglund Eventually I tried adding the CA before going to sleep; but so far no more luck with Let's Encrypt...
I dunno if I should mark this as resolved, as on one side my issue ain't yet fully solved; but on the other side, it's more likely now a CA trust issue, as my test app works with google but not with the Let's Encrypt certificate SSL handshake, and not really a Qt deployment issue anymore... Anyway nighty night ^^