Qt4.6.3 on eLinux and SSL support



  • Hi

    I have a eLinux project in which I use a QWebView as GUI. This works as supposed.
    I now need to be able to show https addresses.
    I already have openSSL cross-compiled and the includes are in ..\usr\include\openssl, libssl.a, libssl.so and libssl.so.1.0.0 are in ..\usr\lib where all the rest of the libraries of my Linux project are ready for the C compiler.

    What do I need to do/change in Qt's configuration to have it to use the openSSL libraries and be able to display https pages?

    Thanks
    McL



  • I found some of the causes by implementing a debug output of the ssl errors.

    First - a bit embarrassing - the eLinux did not make use of any date settings so far because it was not needed. Obviously, when it comes to SSL, this is a no-go. With the correct date set, some ssl pages can be shown. Anyhow, this should have cross my mind earlier.

    Maybe someone can help me with the next error I have - I really don't know much about ssl:
    @ssl error: "The issuer certificate of a locally looked up certificate could not be found"
    ssl error: "The root CA certificate is not trusted for this purpose"
    @
    Any idea how this is solved?
    If I open the same web address in Firefox or IE on my PC everything opens normal.



  • You have to handle the following SIGNAL - sslErrors() and just ignore some or all errors - that will allow your page to load even if it uses self signed certificate.

    You can either connect ui->webView->page()->networkAccessManager() or subclass QWebView and handle it in derived class

    Choose your approach:
    http://qt-project.org/forums/viewthread/5861

    http://stackoverflow.com/questions/8362506/qwebview-qt-webkit-wont-open-some-ssl-pages-redirects-not-allowed



  • OK, I currently have ignored all SSL errors (ignoreSslErrors()) and the page loads.
    However, wouldn't be the correct way to somehow import the certificate in question instead of simply "hacking" it as ignored?
    It actually is not a self signed, it is a perfectly valid:
    VeriSign Class 3 Public Primary Certification Authority - G5
    VeriSign Class 3 Secure Server CA - G3



  • What is the error message - you can print it in debug mode right before ignoring the error.

    Well if it is not self signed certificate then you could try

    1. setting the right protocol (if it is a protocol error) e.g.
      sslConfig.setProtocol( QSsl::SslV3 );
      http://stackoverflow.com/questions/11941630/is-this-the-right-way-to-set-the-ssl-protocol-with-qwebpage

    2. Try adding certificate to cert. store
      http://qt-project.org/forums/viewthread/5861

    3. Are you sure you are accessing the right site mentioned in certificate
      e.g. trying to access https://www.gmail.com when the certificate actually is for https://mail.google.com - then you should go directly for https://mail.google.com
      otherwise you'll be getting
      // SSL ERROR "The host name did not match any of the valid hosts for this certificate"

    Please post the actual error message.

    HTH



  • Now I see you posted error messages...

    I guess your embedded Linux box probably doesn't have general certificate store - If that is the case you'll have to add/import full cert. chain

    see the python solution here

    http://tiku.io/questions/1782171/qt-ssl-error-on-hotmail-com-the-issuer-certificate-of-a-locally-looked-up-certi

    it might help to force using SSLv3 for failing pages too

    If you have ROOT CA authority on your embedded system then you can check the answer here
    http://stackoverflow.com/questions/3683826/qnetworkrequest-and-default-ssl-configuration
    sometimes something as simple as this helps
    setSslConfiguration(QSslConfiguration::defaultConfiguration());
    or if you don't have root CA well then you have to add certs one by one



  • Thanks a lot. I'll read through your suggestions and post back the results.



  • You're right. I'm missing certs in my eLinux.

    Tried to adding certs and I stumbled over this:
    @QSslSocket::addDefaultCaCertificates("/opt/cert/testcert.pem")@
    works and the page loads perfectly.

    When I try to do soemthing like this to have it load all certs that I place into a folder:
    @QSslSocket::addDefaultCaCertificates("/opt/cert/.", QSsl::Pem, QRegExp::Wildcard)@
    it does not load any and returns an error.

    What is wrong with my command?


  • Lifetime Qt Champion

    Hi,

    Maybe a silly question but are you sure you only have pem files in that folder ?



  • There is currently only the one testcert.pem in this folder and no other files.



  • No success, tried any option possible. Though it's documented it seems not to work for multiple files in a folder. I goggled this and could not find anybody that succeeded in trying this. This would be very useful because certs to be used could be changed by a mapped folder without any need for a change of the software.

    I found a pem cert-bundle created from the Mozzilla bundle certdata.txt and I think I will use this. If I get that correct this will give me most of the rootCA in one file, which should do it. If I need another cert added I will need to modify the pem bundle, which I have no clue on how to do that as of now.

    The other way would have been more straight-forward.
    Thanks anyway



  • Additional question:
    In my SSL error handler I had
    reply->ignoreSslErrors();
    for debugging purpose.
    If I don't want to ignore anymore, do I need to return something else with reply?



  • Nobody ever used SSL and did not simply ignore all errors ?!?


  • Lifetime Qt Champion

    Which version of OpenSSL are you using ?

    As for modifying the bundle, IIRC you can add your information at the bottom of it



  • I am currently using openSSL 1.0.1c. I know, thats rather old and I'm thinking of updating it.
    The CA-bundle I use is based on Mozilla's certdata.txt from Dec. 2014, converted to PEM format and it has all the root CA certificates I currently need. You're right, new certificates can simply be added or old ones replaced in the CA-bundle in PEM format.
    As for the SslErrorHandler in Qt: What do I use to replace reply->ignoreSslErrors() in my handler to satisfy the reply for SSL? I could not find any documentation on that.


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.