QsslSocket - ECC Keys & Certificate fail on OSX
Question - Any problems/issues with ECC(Elliptic Curve Cryptography) Keys & Certificates on OSX ?
I am using OpenSSL 1.0.2k on OS X EL Captain. I used the following commands to generate ECC Keys & Certificates. Keys and Certificates are generated properly. However when I set the key & certificates I get the following error.
qDebug() << " Key ="<< key << endl; qDebug() << " Certificate ="<< certificate << endl; socket->setProtocol(QSsl::TlsV1SslV3); socket->setPrivateKey(key,QSsl::Ec); socket->setLocalCertificate(certificate); socket->setPeerVerifyMode(QSslSocket::VerifyNone); socket->setCiphers("ECDHE-ECDSA-AES128-SHA256"); socket->startServerEncryption();
Error - Connection from ::1:50351 failed: SecPKCS12Import failed: -67712
Commands used for generating ECC Key & Certificates.
openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"
I use the same SSL library for generating the RSA 2048 keys and certificate. It works perfectly.
Any issue with ECC Keys & Certificates on OSX
I found the problem with this. Qt does not support EC Curves by default. It has dummy implemenation & does nothing. Not sure about the reason why this is left out.
If you want Elliptical Curve Certificate Support on OSX with Qt, you need link Qt with OpenSSL library. This solves the problem. If any needs to help on this, do drop an email to me.