QSslSocket handshake fails for TlsV1_2



  • Dear all,
    I try to send e-mails via smtp using TLS v1.2 (because the mail server requires that). I stumbled over a nice example and tried to modify it to TLS 1.2:

    ...
    socket = new QSslSocket(this);
    socket->setProtocol(QSsl::TlsV1_2);
    connect(socket, SIGNAL(encrypted()), this, SLOT(socketEncrypted()));
    connect(socket, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(sslErrorsSl(const QList<QSslError> &)));
    connect(socket, SIGNAL(readyRead()), this, SLOT(readyRead()));
    connect(socket, SIGNAL(connected()), this, SLOT(connected()));
    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(errorReceived(QAbstractSocket::SocketError)));
    connect(socket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(stateChanged(QAbstractSocket::SocketState)));
    connect(socket, SIGNAL(disconnected()), this, SLOT(disconnected()));
    ...
    

    Connection itself works, but the handshake fails with Error during SSL handshake: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    It makes no difference if I use connectToHostEncrypted or if I connect unencrypted first and then use startClientEncryption - handshake fails with the same error.
    I guess this error message comes not from Qt code but from some underlying implementation, but I am confused that it complains about SSLv3 although I specified TLSv1.2. Can anyone give me a hint what's going wrong here?

    Edit: I verified with openssl s_client that the transaction succeeds in general, so all I want to do is replicate this inside Qt. Here is the openssl log:

    Pi_at_home/smtp$ openssl s_client -host smtp.world4you.com -port 587 -no_ssl3 -no_tls1 -no_tls1_1 -starttls smtp -crlf
    CONNECTED(00000003)
    depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
    verify return:1
    depth=0 OU = Domain Control Validated, CN = *.world4you.com
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=*.world4you.com
       i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
     1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    subject=/OU=Domain Control Validated/CN=*.world4you.com
    issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: DH, 2048 bits
    ---
    SSL handshake has read 4600 bytes and written 658 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DHE-RSA-AES256-GCM-SHA384
        Session-ID: 8E6BC6DA7E940F4C12B688289D7E349986DA91DB964517F2C86D63100E5D224A
        Session-ID-ctx: 
        Master-Key: A22734F78D24F8F49BC3CB8702A9CA3C3CE3D5D6A0BB91A6D5FA65FBD25B96B29B396FDF32B1E6D0492B589949524298
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 200 (seconds)
        TLS session ticket:
    
        Start Time: 1499604732
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 HELP
    EHLO mydomain.at
    250-mx11lb.world4you.com Hello mydomain.at [91.114.187.196]
    250-SIZE 157286400
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250 HELP
    auth plain <base64 encoded credentials were here>
    235 Authentication succeeded
    mail from: user@mydomain.at
    250 OK
    rcpt to: someoneelse@gmx.at     
    250 Accepted
    data
    354 Enter message, ending with "." on a line by itself
    the lazy fox jumps over the dog
    .
    250 OK id=1dUBjP-0004tI-Rj
    quit
    221 mx11lb.world4you.com closing connection
    closed
    

    How should I set up QSslSocket to do exactly the same thing as s_client?
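An added example, not from the thread and not Qt's or OpenSSL's code: the plaintext SMTP STARTTLS exchange that `openssl s_client -starttls smtp` performs before its TLS ClientHello, written as a stand-alone C++ state machine (no Qt), plus a check showing why a server's plaintext "220 ..." greeting is reported by OpenSSL as SSL3_GET_RECORD:wrong version number when it arrives where a TLS record is expected. The server lines and the EHLO name are constructed sample data; the point where `switchToTls` becomes true is where a QSslSocket client would call startClientEncryption().

```cpp
// Added example (not from the thread): the SMTP STARTTLS dialogue that
// `openssl s_client -starttls smtp` runs before the TLS handshake, plus a
// check of how a plaintext "220 ..." banner looks to a TLS record parser.
#include <string>
#include <vector>

// True if the first bytes look like a TLS record header: a known content type
// followed by a 0x03xx protocol version. OpenSSL raises SSL3_GET_RECORD
// "wrong version number" when this check fails, e.g. when "220 mx11lb..."
// is read where a ServerHello was expected.
bool looksLikeTlsRecord(const std::string& bytes) {
    if (bytes.size() < 5) return false;
    unsigned char type = bytes[0], major = bytes[1], minor = bytes[2];
    bool knownType = type >= 20 && type <= 23;           // CCS, alert, handshake, app data
    return knownType && major == 0x03 && minor <= 0x03;  // SSL 3.0 .. TLS 1.2 on the wire
}

// Client side of RFC 3207: returns the commands to send, in order, and sets
// `switchToTls` at the point where startClientEncryption() would be called.
// `serverLines` is the plaintext dialogue as received (constructed sample).
std::vector<std::string> starttlsDialogue(const std::vector<std::string>& serverLines,
                                          const std::string& ehloName, bool& switchToTls) {
    std::vector<std::string> sent;
    switchToTls = false;
    bool sawStarttls = false;
    enum { GREETING, EHLO, STARTTLS } state = GREETING;
    for (const std::string& line : serverLines) {
        if (line.size() < 4) return sent;   // malformed reply: stop, do not guess
        const std::string code = line.substr(0, 3);
        const bool last = line[3] == ' ';   // '-' marks a continuation line
        if (state == GREETING && code == "220" && last) {
            sent.push_back("EHLO " + ehloName + "\r\n");
            state = EHLO;
        } else if (state == EHLO && code == "250") {
            if (line.find("STARTTLS") != std::string::npos) sawStarttls = true;
            if (last) {
                if (!sawStarttls) return sent;   // no STARTTLS offered: never send credentials
                sent.push_back("STARTTLS\r\n");
                state = STARTTLS;
            }
        } else if (state == STARTTLS && code == "220" && last) {
            switchToTls = true;  // now (and only now) start the TLS handshake
            return sent;
        } else {
            return sent;  // unexpected code: abort rather than continue in plaintext
        }
    }
    return sent;
}
```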


  • Lifetime Qt Champion

    Hi,

    Which version of OpenSSL are you using ?



  • @SGaist

    $ openssl version
    OpenSSL 1.0.2g  1 Mar 2016
    

    This seems to be the latest version released with Ubuntu 16.04 since an

    apt-get install openssl
    

    didn't change anything. Do you know if parts of SSL are statically linked into the Qt libraries (and may thus have an older version)?


  • Lifetime Qt Champion

    No nothing like that. By default, Qt provides a build that dlopens OpenSSL because of international restrictions regarding cryptographic modules.



  • @SGaist Thanks for your efforts. My wild guess is that client and server fail to agree on a cipher which is fine for both. I'll try to clarify without Qt first. Maybe openssl s_client can help.
    Just out of curiosity: why does enum QSsl::SslProtocol not list numeric values for all of its members? Most members have a question mark in the value column. Never saw this before in Qt.


  • Lifetime Qt Champion

    After a quick look at Qt's sources, the numbering after QSsl::TlsV1_0 depends on a define so it might be related.

