QSslSocket: TLS initialization Failed



  • Hello all, I have written an application that serves a single webpage using QTcpServer. It establishes a secure websocket first via QSslSocket using TLSV1.2. This works perfectly on my computer running Windows 7 and another computer I have tested running Windows 10. Note I am utilizing a self-signed certificate that I made using OpenSSL on Windows. However I have installed the same application on a couple other machines that are running Windows 10 (not sure if OS is totally relevant) and I receive this warning when running the app:

    qt.network.ssl: QSslSocket::startServerEncryption: TLS initialization failed
    

    So when I run on the working machines this warning isn't present. Here's the code:

    ...
    void HttpServer::incomingConnection(qintptr socketDescriptor)
    {
        socket = new QSslSocket(this);
    
        // Read RSA Key from file for SSL
        socket->setProtocol(QSsl::TlsV1_2);
    
        QByteArray key;
        QFile KeyFile("server.key");
        if(KeyFile.open(QIODevice::ReadOnly))
        {
            key = KeyFile.readAll();
            KeyFile.close();
        }
        else
        {
            qDebug() << KeyFile.errorString();
        }
        //set SSL Key
        QSslKey sslKey(key, QSsl::Rsa);
        socket->setPrivateKey(sslKey);
    
        // Load SSL certificate from file
        QByteArray cert;
        QFile CertFile("server.crt");
        if(CertFile.open(QIODevice::ReadOnly))
        {
            cert = CertFile.readAll();
            CertFile.close();
        }
        else
        {
            qDebug() << CertFile.errorString();
        }
    
        //set SSL Certificate
        QSslCertificate sslCert(cert);
        socket->setLocalCertificate(sslCert);
    
        QSslConfiguration cfg = socket->sslConfiguration();
        cfg.caCertificates();
    
        if (!socket->setSocketDescriptor(socketDescriptor))
        {
            qDebug() << ("! Couldn't set socket descriptor");
            delete socket;
            return;
        }
    
        if (isBusy)
             socket->waitForReadyRead();
    
        isBusy = true;
    
        socket->startServerEncryption();  //PRODUCES TLS INITIALIZATION ERROR ON SOME MACHINES
    
        if (socket->isEncrypted()){
            emit socket->encrypted();
        }
    
        if(!socket->waitForEncrypted(3000)) {
            qDebug("Wait for encrypted!!!!");
            return;
        }
    
        if (socket) {
           connect(socket, SIGNAL(readyRead()), this, SLOT(doTxRx()));
           connect(socket, SIGNAL(disconnected()), socket, SLOT(deleteLater()));
           socket->waitForReadyRead();
        }
    }
    ...
    

    Anyone else have this error or know what I can do to troubleshoot? I've tried different browser's and I just get a timeout error after the handshake never completes. I have the code setup to open a port on localhost:8090. My self-signed cert is for localhost and I browse to the page by going to https://localhost:8090 The setup code is here:

    #include <QDesktopServices>
    #include <QUrl>
    #include <QStandardPaths>
    #include <QCoreApplication>
    #include <QHostAddress>
    #include <QSslSocket>
    #include <QThread>
    //#include "SslServer.h"
    
    #define MAX_RECORDS 1000
    const QChar degreeChar(0260);
    const QString htmlGreen("#80F936");
    const QString htmlAmber("#F9C436");
    const QString htmlRed("#FF3535");
    const QString styleBlue("#2859B6");
    
    HttpServer::HttpServer(QObject *parent) : QTcpServer(parent)
    {
        tcpServer = new QTcpServer(this);
        weather = new Weather();
    
        checkFolders();
    
        if (!tcpServer->listen(QHostAddress::Any, this->port)) {
            qDebug() << "Warning: Web server could not start on port " << this->port;
        } else {
            qDebug() << "Success: Web server is waiting for a connection on port " << this->port;
        }
    
        connect(tcpServer, SIGNAL(newConnection()), this, SLOT(newConnectionRecognized()));
    
        int theIndex = 0;
        foreach (const QNetworkInterface &netInterface, QNetworkInterface::allInterfaces()) {
            QNetworkInterface::InterfaceFlags flags = netInterface.flags();
            if( (flags & QNetworkInterface::IsRunning) && !(flags & QNetworkInterface::IsLoopBack)){
                foreach (const QNetworkAddressEntry &address, netInterface.addressEntries()) {
                    if(address.ip().protocol() == QAbstractSocket::IPv4Protocol) {
                        if (theIndex == 0 || theIndex > netInterface.index()) {
                            myIp = address.ip().toString();
                            myIp.append(QString(":%1").arg(port));
                            theIndex = netInterface.index();
                        }
                    }
                }
            }
        }
        setLogStr("Server IP address: " + myIp);
    
        qDebug() << "Server IP address: " << myIp;
    }
    

  • Lifetime Qt Champion

    Hi and welcome to devnet,

    Might e a silly question, did you properly deploy OpenSSL along your application ?

    On a side note, you don't seem to use the sslErrors signal for your socket. That might give you additional clues.



  • @SGaist Not silly at all, I didn't deploy OpenSSL at all with my application. The attached pic shows the output after I run windeployqt.exe. On the vanilla Windows 10 machine all I have to do is double-click on WebServer.exe and it runs with no issue. I did the same on a different Windows 10 machine and it doesn't work and has the aforementioned TLS Initialization error.

    I will look into implementing the sslErrors signal to get some additional feedback from my application and report back.

    0_1539894302137_deployfiles.png


  • Lifetime Qt Champion

    Then you should deploy OpenSSL along with your application.

    If it's working on some Windows machine without them, it means that somewhere in one of the folder listed in the PATH environment variable, you can find them. Some might even have them installed in Windows system folders which is a bad thing to do.



  • I was trying to avoid that if possible but that might be something I have to do. I'm checked the path variable on the working vanilla machine and there is no mention of OpenSSL or any sort of installation on it. What .dll or other file should I look for in the Windows System folder?


  • Lifetime Qt Champion

    Windows doesn't provide OpenSSL. It's your job to provide it with your application.

    I guess you didn't build Qt yourself, so you should look for OpenSSL 1.0 .dlls. So it should be: ssleay32 and libeay32.



  • @SGaist said in QSslSocket: TLS initialization Failed:

    That's what I'm trying to figure out. There is no install of OpenSSL (or either .dll you mentioned) on the machine and yet my application is establishing a secure, encrypted connection utilizing my localhost certificate. Seems like it isn't referencing OpenSSL-related files at all. Is the Qt5Network.dll handling the TLS-related tasks in my code?

    I installed Qt 5.8 on my machine and use Qt Creator but did not build it from source or anything like that.



  • @SGaist I implemented the error reporting below :

    void HttpServer::incomingConnection(qintptr socketDescriptor)
    {
        socket = new QSslSocket(this);
        connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), SLOT(error(QAbstractSocket::SocketError)));
    
        // Read RSA Key from file for SSL
        socket->setProtocol(QSsl::TlsV1_2);
    
        QByteArray key;
        QFile KeyFile("server.key");
        if(KeyFile.open(QIODevice::ReadOnly))
        {
            key = KeyFile.readAll();
            KeyFile.close();
        }
        else
        {
            qDebug() << KeyFile.errorString();
        }
        //set SSL Key
        QSslKey sslKey(key, QSsl::Rsa);
        socket->setPrivateKey(sslKey);
    
        // Load SSL certificate from file
        QByteArray cert;
        QFile CertFile("server.crt");
        if(CertFile.open(QIODevice::ReadOnly))
        {
            cert = CertFile.readAll();
            CertFile.close();
        }
        else
        {
            qDebug() << CertFile.errorString();
        }
    
        //set SSL Certificate
        QSslCertificate sslCert(cert);
        socket->setLocalCertificate(sslCert);
    
        QSslConfiguration cfg = socket->sslConfiguration();
        cfg.caCertificates();
    
        if (!socket->setSocketDescriptor(socketDescriptor))
        {
            qDebug() << ("! Couldn't set socket descriptor");
            delete socket;
            return;
        }
    
        if (isBusy)
             socket->waitForReadyRead();
    
        isBusy = true;
    
        socket->startServerEncryption();
    
        if (socket->isEncrypted()){
            emit socket->encrypted();
        }
    
        if(!socket->waitForEncrypted(3000)) {
            qDebug("Wait for encrypted!!!!");
            return;
        }
    
        if (socket) {
           connect(socket, SIGNAL(readyRead()), this, SLOT(doTxRx()));
           connect(socket, SIGNAL(disconnected()), socket, SLOT(deleteLater()));
           socket->waitForReadyRead();
        }
    }
    

    unfortunately I get no additional info. What I get is :

    Error: TLS Initialization failed
    

  • Lifetime Qt Champion

    QSslSocket has the sslErrors signal that might give you more clues.



  • @SGaist That definitely clued me in to what was going on. Additionally, these two functions helped out quite a bit.

          sslSocket->sslLibraryBuildVersionString()
          sslSocket->sslLibraryVersionString()
    

    The build library was reporting using OpenSSL version 1.0.2h, and the runtime(non-build Version) was non-existent on the machines where the SSL wasn't working. Only after I installed Git for Windows did my the runtime version show up and my program started working, this was because it installed the 1.0.2p .dll version in the PATH variable of my machine. The sslLibraryVersionString reported version 1.0.2p after that. After I got a hold of the ssleay32.dll and the libeay32.dll for version 1.0.2p and placed it alongside the .exe everything started working.

    So I guess that means that whatever version of OpenSSL I have installed on my machine is what QT Creator calls when building my program? Is there a way to specify what version to build against?


  • Lifetime Qt Champion

    Qt Creator is innocent. And Qt as well. There's no linking against the SSL libraries by default. They are loaded dynamically.



  • @SGaist okay good to know. Where is sslSocket->sslLibraryBuildVersionString() pulling that version from? And any clue as to why they differ?


  • Lifetime Qt Champion

    That's the version of OpenSSL that was used when building Qt.



  • @SGaist I seem to have the same problem. I'm currently linking against openssl 1.0.2q. Is that a problem? Also I added a library path in Qt main where it can find the ssl dlls: QCoreApplication::addLibraryPath("c:/OpenSSL-Win64/bin");

    Still it reports the initialization problems with SSL:

    qDebug() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();

    gives me:

    false "OpenSSL 1.0.2p 14 Aug 2018" ""

    and then:

    QSslSocket::connectToHostEncrypted: TLS initialization failed ssl\qsslsocket.cpp: 457

    What to do?


  • Lifetime Qt Champion

    You should rather modify the PATH environnement variable in the Run part of the Project panel so it can be found at run time.



  • I have the exact same situation as Hans. Same output from the program. I did a search and looky what I found... looks like M$ put libcrypto.dll in the system32 folder and that overrides getting dlls from the program path. Could it be somebody other than MS? I have .NET Framework 1.1, Win10 Dev Kit, Visual Studio 2017 Community, Strawberry Perl, Python, OpenSSL 1.1.1.a, some MS Visual C++ Redistributables, and MS System CLR Types for SQL Server. Nobody else should have done something like that. Also there is no libssl.dll in system32. I'm using OpenSSL 1.1.1a so libcrypto.dll and libssl.dll replace libeay32.dll and ssleay32.dll.

    0_1545698470342_libcrypto.png

    This is a fresh install of Win10 I did about a week ago or so. I added this to the beginning of the qDebug() with dbReply being a QNetworkReply:

    qDebug() << dbReply->errorString() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();
    

    The total output is:

    "Unknown error" false "OpenSSL 1.0.2p  14 Aug 2018" ""
    

    How do I remedy the situation if system32 takes priority over the program path?


  • Lifetime Qt Champion

    First: use the same series of OpenSSL as was used to build Qt. OpenSSL 1.1 broke API and ABI compatibility with regards to the 1.0 series.

    As for the rogue OpenSSL version in system32, it might very well be an application you installed or an application provided by the manufacturer of your machine. Neither are supposed to do that.



  • I am running the program straight from Qt Creator when all this happens. Even without the dll's present in the application build directory the program still gives the same output from the qDebug() line. I'm thinking the dll is loaded elsewhere, perhaps from the system32 directory. I did a search for the dll using Process Explorer and all that turned up was Chrome and Avast.

    If you look at the search for libcrypto.dll I did it shows up in a subfolder of the C:\Windows\WinSxS directory - does this imply it's been installed by a Windows component as opposed to a program?

    Also I was wrong about system32 taking the highest priority for loading dll's; see here. It says the directory from which the program is loaded takes top priority for loading dll's; however when I place the libcrypto-1_1.dll and libssl-1_1.dll in the shadow build directory or the release subdirectory of the shadow build directory the qDebug() line shows again the wrong version of OpenSSL being loaded. The only possible explanation of that behavior I could find is on the dll path search page I linked to:

    If a DLL with the same module name is already loaded in memory, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
    

    Any ideas?


  • Lifetime Qt Champion

    Yes, as already suggested, use OpenSSL 1.0 since it's the version that was used to build the version of Qt you are using.
    As already written, OpenSSL broke API and ABI compatibility between 1.1 and 1.0.
    It requires a different backend that is available since 5.10 but you have to select it when building Qt.

    If you want OpenSSL 1.1, you should move to Qt 5.12 as IIRC this is now the default backend.



  • I currently am using 5.12 which dumps the OpenSSL version mentioned before from QSslSocket::sslLibraryBuildVersionString(). Why does the Qt dynamic libraries (that's what you download to be used with Qt Creator/VS or whatever right?) only support a specific version of OpenSSL? When you use

    INCLUDEPATH += "C:\Build-OpenSSL-VC-32\include"
    

    and

    LIBS += -LC:\Build-OpenSSL-VC-32\lib -llibcrypto -llibssl
    

    why doesn't it override whatever OpenSSL was used to build Qt? After all the includes and libraries contain all the OpenSSL code right? Does Qt have to know which functions it can call within the OpenSSL libraries and therefore since API/ABI compatibility broke with 1.1 it is restricted to whatever was used to build Qt?


  • Lifetime Qt Champion

    By default, for international distribution reason, Qt is not linked to OpenSSL but dlopens the dll if available.

    And yes, the version is restricted to what was used to build Qt as with any other dependency you may have.



  • Everything is working beautifully with Shining Light Productions OpenSSL 1.0.2q. Thanks for the help SGaist!



  • @SGaist said in QSslSocket: TLS initialization Failed:

    Yes, as already suggested, use OpenSSL 1.0 since it's the version that was used to build the version of Qt you are using.
    As already written, OpenSSL broke API and ABI compatibility between 1.1 and 1.0.
    It requires a different backend that is available since 5.10 but you have to select it when building Qt.
    If you want OpenSSL 1.1, you should move to Qt 5.12 as IIRC this is now the default backend.

    When you say you have to select it when building Qt your'e referring to a static build right? Is there any way to do it for whatever version of dynamic Qt Qt Creator uses? Just curious.


  • Lifetime Qt Champion

    No, static or dynamic build doesn't play a role.

    Qt and Qt Creator are two linked but independent projects so I'm not sure what you are asking here.



  • OK let me explain - when you use the Qt Online Installer you select for it to install 5.12 MSVC 2017 64bit or whatever you wish. That is a preconfigured dynamic build of the Qt libraries right? There's no way to change whatever OpenSSL is used for that Qt build since it's preconfigured right?


  • Lifetime Qt Champion

    Right, you can't switch from the 1.0 to the 1.1 backend used for the reasons already explained.



  • I should like to add as a warning to future folks, which may include myself, that matching the exact version that your Qt libraries are using may be absolutely necessary. Look on the qt wiki for the version of openssl that was compiled against. The page will be of the form https://wiki.qt.io/Qt_5.12_Tools_and_Versions . Once you find your version, one of the links from https://wiki.openssl.org/index.php/Binaries points to https://indy.fulgan.com/SSL/ which has older binaries.



  • @Ross Thank Ross this was exactly my problem : I tried with the 1.1.1 versions of libeay32.dll and ssleay32.dll. With 1.0.2p version (used with Qt5.13 beta) it works perfectly.

    Note to other previous answers : no need to add anything in the includepath of the .pro file. Juste add the RIGHT dll's in the same directory than the executable .



  • steps:

    1- Firstly you need to find your SSL version for your windows machine( SSL version strictly depends on QT versions) with this function:

    qDebug() << QSslSocket::supportsSsl() << QSslSocket::sslLibraryBuildVersionString() << QSslSocket::sslLibraryVersionString();
    
    1. After that run your code and call the above function. It will print your required SSL version in application output. In my case, it was “OpenSSL 1.0.2p 14 Aug 2018” “” which may be different for all the users.

    2. Download SSL libraries from here

    4- Paste all the files/content of SSL folder (which you have extracted) into the build directory inside the debug folder.

    1. if you have doubt. then visit this post for complete info.

Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.