QSslCertificate not populating Subject Alternative Names

jeremiah (post #1):

    I am getting SSL handshake errors making a request due to the SAN not being read from the certificate. In the on_SSLErrors, I dump out the peer certificate. Using cert.toPem(), I decode it at https://www.sslshopper.com/certificate-decoder.html. This shows the Subject Alternative Names. But in the cert in Qt, I get an empty map from cert.subjectAlternativeNames().

    My dumpCertificate function:

    #include <QDebug>
    #include <QMultiMap>
    #include <QSslCertificate>

    void MyRequest::dumpCertificate( const QSslCertificate &cert )
    {
        qDebug() << cert.toPem();

        qDebug() << "== Subject Info ==";
        qDebug() << "CommonName: " << cert.subjectInfo( QSslCertificate::CommonName );
        qDebug() << "Organization: " << cert.subjectInfo( QSslCertificate::Organization );
        qDebug() << "LocalityName: " << cert.subjectInfo( QSslCertificate::LocalityName );
        qDebug() << "OrganizationalUnitName: " << cert.subjectInfo( QSslCertificate::OrganizationalUnitName );
        qDebug() << "StateOrProvinceName: " << cert.subjectInfo( QSslCertificate::StateOrProvinceName );

        // The map is keyed by QSsl::AlternativeNameEntryType, so only entry types
        // Qt knows about can ever appear in it.
        QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();
        if ( !altNames.isEmpty() ) {
            qDebug() << "Subject Alternate Names (DNS):";
            foreach (const QString &altName, altNames.values(QSsl::DnsEntry)) {
                qDebug() << altName;
            }

            qDebug() << "Alternate Subject Names (Email):";
            foreach (const QString &altName, altNames.values(QSsl::EmailEntry)) {
                qDebug() << altName;
            }
        }
        else {
            qDebug() << "No Subject Alternate Names";
        }

        qDebug() << "\n== Issuer Info ==";
        qDebug() << "CommonName: " << cert.issuerInfo( QSslCertificate::CommonName );
        qDebug() << "Organization: " << cert.issuerInfo( QSslCertificate::Organization );
        qDebug() << "LocalityName: " << cert.issuerInfo( QSslCertificate::LocalityName );
        qDebug() << "OrganizationalUnitName: " << cert.issuerInfo( QSslCertificate::OrganizationalUnitName );
        qDebug() << "StateOrProvinceName: " << cert.issuerInfo( QSslCertificate::StateOrProvinceName );

        qDebug() << "\n== Certificate ==";
        qDebug() << "Serial Number: " << cert.serialNumber();
        qDebug() << "Effective Date: " << cert.effectiveDate().toString();
        qDebug() << "Expiry Date: " << cert.expiryDate().toString();
    }
    
    jeremiah (post #2):

      Parsing the extensions I get:

      DEBUG 2015-09-18T10:52:21.234 "Exentensions: 4"
      DEBUG 2015-09-18T10:52:21.234 ""basicConstraints" IsSupported: true"
      DEBUG 2015-09-18T10:52:21.234 ""keyUsage" IsSupported: false"
      DEBUG 2015-09-18T10:52:21.234 ""extendedKeyUsage" IsSupported: false"
      DEBUG 2015-09-18T10:52:21.234 ""subjectAltName" IsSupported: false"

      So this means that Subject Alternative Names isn't supported. How do I enable support for this?

      jeremiah (post #3):

        It seems that the SAN in the cert looks like this:

        Subject Alternative Names: IP Address:127.0.0.1, IP Address:10.8.0.1, IP Address:174.36.209.157

        Could it be that it isn't returning anything because

        QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();
        

        Is expecting one of these:

        enum AlternativeNameEntryType {
            EmailEntry,
            DnsEntry
        };
        
        jeremiah (post #4):

          I downloaded their source to see how they were populating the SAN stuff. Apparently, they only populate it if it is a DNS or Email entry. I found a sample cert online to parse to test this. I was right:

          DEBUG 2015-09-18T12:34:04.894 "Subject Alternate Names (DNS):" 
          DEBUG 2015-09-18T12:34:04.897 "\"uat-apas.sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.897 "\"uat-integration.sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.898 "\"cp-uat.sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.898 "\"cp.sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.898 "\"sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.898 "\"*.sait.ca\"" 
          DEBUG 2015-09-18T12:34:04.898 "Alternate Subject Names (Email):" 
          

          Thoughts? Do I just add the IP as a DNS entry in our certs?

          jeremiah (post #5):
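Added example (not Qt's code and not the poster's): a stdlib-only Python parser for the SubjectAltName extension value that makes the finding of posts #3 and #4 concrete, namely that a lookup which only maps dNSName and rfc822Name entries returns nothing for a certificate whose SAN holds only iPAddress entries. The DER samples are constructed from the addresses and names quoted in the thread; the Qt 5.13 remark in the comments refers to the later QSsl::IpAddressEntry value.

```python
# Stdlib-only parser for an X.509 SubjectAltName value (GeneralNames, RFC 5280 4.2.1.6)
import ipaddress

TAG_RFC822 = 1  # rfc822Name -> QSsl::EmailEntry
TAG_DNS = 2     # dNSName    -> QSsl::DnsEntry
TAG_IP = 7      # iPAddress  -> no Qt entry type before QSsl::IpAddressEntry (Qt 5.13)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, value):
    """Encode one short-form DER element (enough for the constructed samples below)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def parse_general_names(der):
    """Decode every GeneralName into (kind, text); kind is DNS, email, IP or other."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        number = tag & 0x1F  # drop the class/constructed bits of the context-specific tag
        if number == TAG_DNS:
            names.append(("DNS", value.decode("ascii")))
        elif number == TAG_RFC822:
            names.append(("email", value.decode("ascii")))
        elif number == TAG_IP:  # 4 or 16 raw octets, not text
            names.append(("IP", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value.hex()))
    return names

def qt_style_alt_names(der):
    """What a DNS/email-only subjectAlternativeNames() yields: iPAddress entries are dropped."""
    return [(k, v) for k, v in parse_general_names(der) if k in ("DNS", "email")]

# Constructed sample: a SAN holding only the three iPAddress entries quoted in post #3
SAN_IP_ONLY = _tlv(0x30, b"".join(_tlv(0x87, ipaddress.ip_address(ip).packed)
                                  for ip in ("127.0.0.1", "10.8.0.1", "174.36.209.157")))
# Constructed sample: dNSName entries like the certificate in post #4 that did populate
SAN_DNS = _tlv(0x30, _tlv(0x82, b"sait.ca") + _tlv(0x82, b"*.sait.ca"))
```

Qt 5.13 and later add QSsl::IpAddressEntry, so current Qt returns the iPAddress entries that the older lookup above drops; RFC 5280 defines iPAddress as the entry type for addresses, distinct from dNSName.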

            I added the IP address to a DNS entry in the SAN. I no longer get the SSL handshake errors.
