QSslCertificate not populating Subject Alternative Names
-
I am getting SSL Handshake Errors making a request due to the SAN not being read from the certificate. In the on_SSLErrors, I dump out the peer certificate. using cert.toPem(), I decode it at https://www.sslshopper.com/certificate-decoder.html. This shows the Subject Alternateive Names. But in the cert in QT, I get an empty map from cert.subjectAlternativeNames().
my dumpCert function:
void MyRequest::dumpCertificate( const QSslCertificate &cert ) { qDebug() << cert.toPem(); qDebug() << "== Subject Info ==\b"; qDebug() << "CommonName: " << cert.subjectInfo( QSslCertificate::CommonName ); qDebug() << "Organization: " << cert.subjectInfo( QSslCertificate::Organization ); qDebug() << "LocalityName: " << cert.subjectInfo( QSslCertificate::LocalityName ); qDebug() << "OrganizationalUnitName: " << cert.subjectInfo( QSslCertificate::OrganizationalUnitName ); qDebug() << "StateOrProvinceName: " << cert.subjectInfo( QSslCertificate::StateOrProvinceName ); QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames(); if ( !altNames.isEmpty() ) { qDebug() << "Subject Alternate Names (DNS):"; foreach (const QString &altName, altNames.values(QSsl::DnsEntry)) { qDebug() << altName; } qDebug() << "Alternate Subject Names (Email):"; foreach (const QString &altName, altNames.values(QSsl::EmailEntry)) { qDebug() << altName; } } else { qDebug() << "No Subject Alternate Names"; } qDebug() << "\n== Issuer Info =="; qDebug() << "CommonName: " << cert.issuerInfo( QSslCertificate::CommonName ); qDebug() << "Organization: " << cert.issuerInfo( QSslCertificate::Organization ); qDebug() << "LocalityName: " << cert.issuerInfo( QSslCertificate::LocalityName ); qDebug() << "OrganizationalUnitName: " << cert.issuerInfo( QSslCertificate::OrganizationalUnitName ); qDebug() << "StateOrProvinceName: " << cert.issuerInfo( QSslCertificate::StateOrProvinceName ); qDebug() << "\n== Certificate =="; qDebug() << "Serial Number: " << cert.serialNumber(); qDebug() << "Effective Date: " << cert.effectiveDate().toString(); qDebug() << "Expiry Date: " << cert.expiryDate().toString(); }
-
Parsing the extensions I get:
DEBUG 2015-09-18T10:52:21.234 "Exentensions: 4"
DEBUG 2015-09-18T10:52:21.234 ""basicConstraints" IsSupported: true"
DEBUG 2015-09-18T10:52:21.234 ""keyUsage" IsSupported: false"
DEBUG 2015-09-18T10:52:21.234 ""extendedKeyUsage" IsSupported: false"
DEBUG 2015-09-18T10:52:21.234 ""subjectAltName" IsSupported: false"So this means that Subject Alternative Names isn't supported. How do I enable support for this?
-
It seems that the SAN in the cert looks like this:
Subject Alternative Names: IP Address:127.0.0.1, IP Address:10.8.0.1, IP Address:174.36.209.157
Could it be that it isn't returning anything because
QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();Is expecting one of these:
enum AlternativeNameEntryType { EmailEntry, DnsEntry };
-
I downloaded their source to see how they were populating the SAN stuff. Apparently, they only populate it if it is a DNS or Email entry. I found a sample cert online to parse to test this. I was right:
DEBUG 2015-09-18T12:34:04.894 "Subject Alternate Names (DNS):" DEBUG 2015-09-18T12:34:04.897 "\"uat-apas.sait.ca\"" DEBUG 2015-09-18T12:34:04.897 "\"uat-integration.sait.ca\"" DEBUG 2015-09-18T12:34:04.898 "\"cp-uat.sait.ca\"" DEBUG 2015-09-18T12:34:04.898 "\"cp.sait.ca\"" DEBUG 2015-09-18T12:34:04.898 "\"sait.ca\"" DEBUG 2015-09-18T12:34:04.898 "\"*.sait.ca\"" DEBUG 2015-09-18T12:34:04.898 "Alternate Subject Names (Email):"Thoughts? Do I just add the IP as a DNS entry in our certs?
-
I added the IP address to a DNS entry in the SAN. I no longer get the SSLHAndShake errors.
