QHttpServer with mutual TLS authentication
-
wrote on 11 Oct 2023, 13:38 last edited by
Hi,
I have a Https server to which only a client with valid certificate can connect. That works well. But is there a way to retrieve a connecting client's certificate details? My goal is to authorize the client based on the value of Common Name in certificate subject.
QHttpServer *pHttpServer = new QHttpServer(this); pHttpServer->route("/", [](const QHttpServerRequest &request) { // Here validation of client CN should be performed // But how to get an access to QSslSocket for given QHttpServerRequest return "Server"; }); const auto caCertificates = QSslCertificate::fromPath(caCertificateFileName,QSsl::EncodingFormat::Pem); const auto clientCertificates = QSslCertificate::fromPath(clientCertificateFileName,QSsl::EncodingFormat::Pem); QFile privateKeyFile(keyFileName); privateKeyFile.open(QIODevice::ReadOnly); QSslKey privateKey(&privateKeyFile,QSsl::Rsa,QSsl::Pem,QSsl::PrivateKey,tlsKeyStoreFile); QSslConfiguration sslConfig; sslConfig.setCaCertificates(caCertificates); sslConfig.setLocalCertificateChain(clientCertificates); sslConfig.setPrivateKey(privateKey); sslConfig.setProtocol(QSsl::TlsV1_3OrLater); sslConfig.setPeerVerifyMode(QSslSocket::VerifyNone); pHttpServer->sslSetup(sslConfig); const quint16 port = pHttpServer->listen(QHostAddress::Any,12345);I think I need to get access to QSslSocket which can then further provide certificate details, but I haven't found a way how to do it from within the lambda function handling the request.
Thanks for help,
Tomas -
Hi,
I have a Https server to which only a client with valid certificate can connect. That works well. But is there a way to retrieve a connecting client's certificate details? My goal is to authorize the client based on the value of Common Name in certificate subject.
QHttpServer *pHttpServer = new QHttpServer(this); pHttpServer->route("/", [](const QHttpServerRequest &request) { // Here validation of client CN should be performed // But how to get an access to QSslSocket for given QHttpServerRequest return "Server"; }); const auto caCertificates = QSslCertificate::fromPath(caCertificateFileName,QSsl::EncodingFormat::Pem); const auto clientCertificates = QSslCertificate::fromPath(clientCertificateFileName,QSsl::EncodingFormat::Pem); QFile privateKeyFile(keyFileName); privateKeyFile.open(QIODevice::ReadOnly); QSslKey privateKey(&privateKeyFile,QSsl::Rsa,QSsl::Pem,QSsl::PrivateKey,tlsKeyStoreFile); QSslConfiguration sslConfig; sslConfig.setCaCertificates(caCertificates); sslConfig.setLocalCertificateChain(clientCertificates); sslConfig.setPrivateKey(privateKey); sslConfig.setProtocol(QSsl::TlsV1_3OrLater); sslConfig.setPeerVerifyMode(QSslSocket::VerifyNone); pHttpServer->sslSetup(sslConfig); const quint16 port = pHttpServer->listen(QHostAddress::Any,12345);I think I need to get access to QSslSocket which can then further provide certificate details, but I haven't found a way how to do it from within the lambda function handling the request.
Thanks for help,
Tomaswrote on 14 Oct 2023, 13:50 last edited by@tomas-soltys
"I think I need to get access to QSslSocket which can then further provide certificate details"Find QHttpServer source code. I mean QHttpServer.cpp and QHttpServer.h
Modify the code so that you can get QSslSocket object. Then you can use:
QSslCertificate QSslSocket::peerCertificate() const
"Returns the peer's digital certificate (i.e., the immediate certificate of the host you are connected to), or a null certificate, if the peer has not assigned a certificate.".I have question to you: what version of Qt and openssl you use.
Look at my post: maybe you can help me to get read of ssl connection issue . Link: https://forum.qt.io/topic/150462/qhttpserver-api-https-openssl-letsencrypt-sslv3-alert-handshake-failure-alert-number-40/6?_=1697291376846
2/2