Qt Forum
    QSslCertificate not populating Subject Alternative Names

    General and Desktop
    jeremiah (last edited by jeremiah):

      I am getting SSL handshake errors making a request because the SAN is not being read from the certificate. In on_SSLErrors, I dump out the peer certificate. Using cert.toPem(), I decode it at https://www.sslshopper.com/certificate-decoder.html. This shows the Subject Alternative Names. But in the cert in Qt, I get an empty map from cert.subjectAlternativeNames().

      My dumpCertificate function:

      #include <QDebug>
      #include <QMultiMap>
      #include <QSslCertificate>

      void MyRequest::dumpCertificate( const QSslCertificate &cert )
      {
          qDebug() << cert.toPem();

          qDebug() << "\n== Subject Info ==";
          qDebug() << "CommonName: " << cert.subjectInfo( QSslCertificate::CommonName );
          qDebug() << "Organization: " << cert.subjectInfo( QSslCertificate::Organization );
          qDebug() << "LocalityName: " << cert.subjectInfo( QSslCertificate::LocalityName );
          qDebug() << "OrganizationalUnitName: " << cert.subjectInfo( QSslCertificate::OrganizationalUnitName );
          qDebug() << "StateOrProvinceName: " << cert.subjectInfo( QSslCertificate::StateOrProvinceName );

          // The map is keyed by QSsl::AlternativeNameEntryType; only the DNS and
          // e-mail entry types are looked up here.
          QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();
          if ( !altNames.isEmpty() ) {
              qDebug() << "Subject Alternate Names (DNS):";
              foreach (const QString &altName, altNames.values(QSsl::DnsEntry)) {
                  qDebug() << altName;
              }

              qDebug() << "Alternate Subject Names (Email):";
              foreach (const QString &altName, altNames.values(QSsl::EmailEntry)) {
                  qDebug() << altName;
              }
          }
          else {
              qDebug() << "No Subject Alternate Names";
          }

          qDebug() << "\n== Issuer Info ==";
          qDebug() << "CommonName: " << cert.issuerInfo( QSslCertificate::CommonName );
          qDebug() << "Organization: " << cert.issuerInfo( QSslCertificate::Organization );
          qDebug() << "LocalityName: " << cert.issuerInfo( QSslCertificate::LocalityName );
          qDebug() << "OrganizationalUnitName: " << cert.issuerInfo( QSslCertificate::OrganizationalUnitName );
          qDebug() << "StateOrProvinceName: " << cert.issuerInfo( QSslCertificate::StateOrProvinceName );

          qDebug() << "\n== Certificate ==";
          qDebug() << "Serial Number: " << cert.serialNumber();
          qDebug() << "Effective Date: " << cert.effectiveDate().toString();
          qDebug() << "Expiry Date: " << cert.expiryDate().toString();
      }
      
      jeremiah:

        Parsing the extensions I get:

        DEBUG 2015-09-18T10:52:21.234 "Exentensions: 4"
        DEBUG 2015-09-18T10:52:21.234 ""basicConstraints" IsSupported: true"
        DEBUG 2015-09-18T10:52:21.234 ""keyUsage" IsSupported: false"
        DEBUG 2015-09-18T10:52:21.234 ""extendedKeyUsage" IsSupported: false"
        DEBUG 2015-09-18T10:52:21.234 ""subjectAltName" IsSupported: false"

        So this means that Subject Alternative Names isn't supported. How do I enable support for this?

        jeremiah:

          It seems that the SAN in the cert looks like this:

          Subject Alternative Names: IP Address:127.0.0.1, IP Address:10.8.0.1, IP Address:174.36.209.157

          Could it be that it isn't returning anything because

          QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();
          

          is expecting one of these:

          enum AlternativeNameEntryType {
              EmailEntry,
              DnsEntry
          };
          
          jeremiah:

            I downloaded their source to see how they were populating the SAN stuff. Apparently, they only populate it if it is a DNS or Email entry. I found a sample cert online to parse to test this. I was right:

            DEBUG 2015-09-18T12:34:04.894 "Subject Alternate Names (DNS):" 
            DEBUG 2015-09-18T12:34:04.897 "\"uat-apas.sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.897 "\"uat-integration.sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.898 "\"cp-uat.sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.898 "\"cp.sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.898 "\"sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.898 "\"*.sait.ca\"" 
            DEBUG 2015-09-18T12:34:04.898 "Alternate Subject Names (Email):" 
            

            Thoughts? Do I just add the IP as a DNS entry in our certs?

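The finding in the post above (the SAN map coming back empty because only DNS and e-mail entries are populated, while the certificate's SAN holds nothing but IP Address entries) can be reproduced outside Qt. The following is an added example, not code from the Qt project or from the poster: a small DER walker that builds a constructed subjectAltName extension value shaped like the one in the thread, parses it once the way a DNS/e-mail-only reader does and once with iPAddress support, and then checks a peer name against the result the way RFC 6125 section 6.4 and RFC 2818 expect (an IP literal is compared only against iPAddress entries, a hostname only against dNSName entries). All entry values are constructed test data; the 174.36.209.157 address is reused from the thread only as a sample value.

```python
"""Minimal DER walker for an X.509 subjectAltName extension value.
Added example, not Qt or the poster's code; all inputs are constructed."""
import ipaddress

# GeneralName context-specific tags, RFC 5280 section 4.2.1.6.
TAG_RFC822_NAME = 0x81  # [1] IMPLICIT IA5String (e-mail)
TAG_DNS_NAME = 0x82     # [2] IMPLICIT IA5String
TAG_IP_ADDRESS = 0x87   # [7] IMPLICIT OCTET STRING, 4 or 16 bytes
TAG_SEQUENCE = 0x30


def _der_len(n):
    """Encode a DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def build_san(entries):
    """Encode (kind, value) pairs as a SAN extension value (test-data helper)."""
    parts = []
    for kind, value in entries:
        if kind == "dns":
            parts.append(_tlv(TAG_DNS_NAME, value.encode("ascii")))
        elif kind == "email":
            parts.append(_tlv(TAG_RFC822_NAME, value.encode("ascii")))
        elif kind == "ip":
            parts.append(_tlv(TAG_IP_ADDRESS, ipaddress.ip_address(value).packed))
        else:
            raise ValueError("unknown entry kind: %s" % kind)
    return _tlv(TAG_SEQUENCE, b"".join(parts))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_san(der, keep_ip=True):
    """Parse a SAN value into (kind, value) pairs.
    keep_ip=False mimics a reader that only knows DNS and e-mail entries;
    other GeneralName forms (otherName, URI, directoryName, ...) are skipped."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SAN value must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            out.append(("dns", content.decode("ascii")))
        elif tag == TAG_RFC822_NAME:
            out.append(("email", content.decode("ascii")))
        elif tag == TAG_IP_ADDRESS and keep_ip:
            if len(content) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 bytes")
            out.append(("ip", str(ipaddress.ip_address(content))))
    return out


def _dns_matches(pattern, host):
    """Match a dNSName entry; a single leading '*' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return pattern == host


def peer_matches(san_entries, peer):
    """True if the SAN covers peer: IP literals against iPAddress entries only,
    hostnames against dNSName entries only (RFC 6125 section 6.4, RFC 2818)."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "ip" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "dns" and _dns_matches(value, peer):
            return True
    return False


if __name__ == "__main__":
    # Constructed SAN shaped like the one in the thread: iPAddress entries only.
    san = build_san([("ip", "127.0.0.1"), ("ip", "10.8.0.1"), ("ip", "174.36.209.157")])
    print("DNS/e-mail-only reader sees:", parse_san(san, keep_ip=False))
    print("full reader sees:", parse_san(san))
    print("10.8.0.1 covered:", peer_matches(parse_san(san), "10.8.0.1"))
```

Run with `keep_ip=False`, the constructed SAN parses to an empty list, which is the empty map the thread observes; with iPAddress support the same bytes yield the three addresses and an IP literal peer matches. Later Qt releases (5.13 and newer) added QSsl::IpAddressEntry to the enum, so on those versions the map is populated for IP entries without the workaround of placing the address in a DNS entry.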
              jeremiah:

              I added the IP address as a DNS entry in the SAN. I no longer get the SSL handshake errors.
