QSslSocket: The field "IP Address" is not considered in Subject "Alternative Name" in a Certificate



  • I tried as client to connect to a websocket server via wss. In the URL I entered the IP address of the server (172.18.12.211).
    Every time I got the error:
    SSL Error: The host name did not match any of the valid hosts for this certificate
    I looked inside the server certificate but everything seemed OK to me:
    X509v3 Subject Alternative Name:
    IP Address:FE80:0:0:0:316D:360F:7CCF:23FB, IP Address:172.18.12.211, DNS:*.domain.com, DNS:localhost

    So I had a look at the Qt sources, especially qtbase/src/network/ssl/qsslsocket.cpp:
    There I could see that it searches for DNS entries in the Subject "Alternative Name" of a Certificate, but not for IP Address:

    bool QSslSocketPrivate::isMatchingHostname(const QSslCertificate &cert, const QString &peerName)
    {
        const QString lowerPeerName = QString::fromLatin1(QUrl::toAce(peerName));
        const QStringList commonNames = cert.subjectInfo(QSslCertificate::CommonName);

        // 1. Try the Common Name(s) of the subject.
        for (const QString &commonName : commonNames) {
            if (isMatchingHostname(commonName, lowerPeerName))
                return true;
        }

        // 2. Try the Subject Alternative Names, but only entries of type DnsEntry.
        //    QSsl::IpAddressEntry is never looked at here.
        const auto subjectAlternativeNames = cert.subjectAlternativeNames();
        const auto altNames = subjectAlternativeNames.equal_range(QSsl::DnsEntry);
        for (auto it = altNames.first; it != altNames.second; ++it) {
            if (isMatchingHostname(*it, lowerPeerName))
                return true;
        }

        return false;
    }
    

    Since "IP Address" is a valid entry in the Subject "Alternative Name" of a Certificate, I'm wondering why this is not considered in the Qt sources?

    Was it simply forgotten to implement?
    Or is there any reason why this was left off?

    Any comments are appreciated.
    Regards, wdold

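The matching gap described in the post, as an added illustration (not Qt code and not part of the original thread): the SAN list below is constructed from the certificate quoted above, and `hostname_matches` with `consider_ip=False` reproduces the DNS-only lookup of the quoted `isMatchingHostname` (the Common Name step is left out), while `consider_ip=True` also compares parsed IP Address entries, which is what a peer connecting by IP literal needs.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed SAN entries, mirroring the certificate quoted in the post.
SAN_ENTRIES = [
    ("IP Address", "FE80:0:0:0:316D:360F:7CCF:23FB"),
    ("IP Address", "172.18.12.211"),
    ("DNS", "*.domain.com"),
    ("DNS", "localhost"),
]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS match: exact, or one leading wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label, and at least two labels must
    # follow it (so "*.com" matches nothing).
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def hostname_matches(san_entries: Iterable[Tuple[str, str]],
                     peer_name: str, consider_ip: bool) -> bool:
    """Match peer_name against SAN entries.

    consider_ip=False: only DNS entries are consulted (the behaviour the
    post describes for Qt 5.9.7, minus the Common Name step).
    consider_ip=True:  IP Address entries are compared as parsed addresses.
    """
    try:
        # Accept a bracketed IPv6 literal as it appears in a URL host part.
        peer_ip = ipaddress.ip_address(peer_name.strip("[]"))
    except ValueError:
        peer_ip = None  # not an IP literal, treat as a DNS name
    for kind, value in san_entries:
        if kind == "DNS" and dns_name_matches(value, peer_name):
            return True
        if kind == "IP Address" and consider_ip and peer_ip is not None:
            # Parsed comparison, so hex case, "::" shorthand and leading
            # zeros in the certificate's textual form do not matter.
            if ipaddress.ip_address(value) == peer_ip:
                return True
    return False
```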

  • Lifetime Qt Champion

    Hi and welcome to devnet,

    What version of Qt are you using?



  • Hi,
    the Qt version is 5.9.7.


  • Lifetime Qt Champion

    Did you already check the bug report system to see if there's something related?



  • Hi,
    thank you for the tip.
    I just searched in the bug report system but could not find an entry that fits the behaviour I'm interested in.

    For me the cardinal question is, is it a conscious decision of the Qt developers not to search for the field "IP Address" in "Subject Alternative Name"?
    Or was it simply forgotten?
    Or is it planned to implement this in a future version?


  • Lifetime Qt Champion

    That is something I don't currently know. Most likely a use case that didn't happen yet but that's pure speculation.

    The best thing in your case is to open a feature request providing a minimal compilable example as well as a small script to generate a test certificate.



  • If that is the appropriate way to proceed then I'll do that.
    How would I open a feature request? Sorry but I've never done that before.


  • Lifetime Qt Champion

    No worries. It's all on the bug report system. Just choose feature request in place of bug when creating the ticket.



  • I just could not find "feature request" in the bug report system. So I created a bug entry.
    Let's see what happens.
    Thank you for your support.

