Hello Rich, thanks for your answer
i'll add a bit of code to make things clearer :) Upon connection the socket fires onSslErrors() SLOT and there i see the "untrusted / self-signed cert" error message. In the slot i never siwtch to the codepaths where ignoreSslErrors() is invoked. Can you point me what i am doing wrong? thanks

/*! \brief we overload the virtual QTcpServer::incomingConnection(int) method in order to start the SSL Encryption

    Wraps the accepted descriptor in a QSslSocket, connects the socket's
    encrypted()/error()/sslErrors() signals to this server's slots, loads the
    certificate and private key named in m_ServerConfig, starts the
    server-side handshake and queues the socket as a pending connection.
    If the descriptor cannot be adopted the socket is deleted.

    \param socketDescriptor native descriptor of the accepted TCP connection
 */
void SslServer::incomingConnection(int socketDescriptor) {
    //qDebug() << "############### server reports ssl socket on descriptor: " << socketDescriptor;
    QSslSocket *serverSocket = new QSslSocket;
    qDebug() << "using ssl socket at address " << serverSocket;
    if (serverSocket->setSocketDescriptor(socketDescriptor)) {
        qDebug() << "Incoming connection from " << serverSocket->peerAddress().toString() << ":" << serverSocket->peerPort();
        // Slots are connected before startServerEncryption() so that
        // handshake results and errors are delivered to this server.
        connect(serverSocket, SIGNAL(encrypted()), this, SLOT(ready()));
        connect(serverSocket, SIGNAL(error(QAbstractSocket::SocketError)),this,SLOT(onTcpError(QAbstractSocket::SocketError)));
        connect(serverSocket, SIGNAL(sslErrors(QList<QSslError>)),this,SLOT(onSslErrors(QList<QSslError>)));
        serverSocket->setLocalCertificate(m_ServerConfig.certfile, QSsl::Pem);
        // NOTE(review): the fourth argument of setPrivateKey() is the key
        // passphrase, and it is a string literal here. Anyone who can read
        // the source or the binary can recover it; load it from protected
        // configuration instead.
        serverSocket->setPrivateKey(m_ServerConfig.keyfile, QSsl::Rsa, QSsl::Pem, "srv_certificate");
        // NOTE(review): both checks below only log. Execution still reaches
        // startServerEncryption() with an invalid certificate or a null key;
        // consider closing the socket and returning instead.
        if(!serverSocket->localCertificate().isValid()) {
            *m_flogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
            *m_clogger << UNQL::LOG_CRITICAL << "Invalid certificate " << m_ServerConfig.certfile << UNQL::eom;
        }
        if(serverSocket->privateKey().isNull()) {
            *m_flogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" << m_ServerConfig.keyfile << UNQL::eom;
            *m_clogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" << m_ServerConfig.keyfile << UNQL::eom;
        }
        // Debug dump of the loaded key and certificate objects.
        qDebug() << serverSocket->privateKey();
        qDebug() << serverSocket->localCertificate();
        // NOTE(review): no setPeerVerifyMode() call is visible in this
        // function. Per the Qt documentation the default, AutoVerifyPeer,
        // makes a server-mode socket behave as QueryPeer: a client
        // certificate is requested but need not be valid. That would explain
        // sslErrors() firing without the connection being dropped (confirm
        // against the Qt version in use). If client certificates must be
        // enforced, call setPeerVerifyMode(QSslSocket::VerifyPeer) before
        // starting the handshake.
        serverSocket->startServerEncryption();
#if (QT_VERSION > 0x040700)
        this->addPendingConnection(serverSocket);
        //this does not work with qt < 4.7
        // NOTE(review): the condition is a strict '>', so Qt 4.7.0 itself
        // takes the #else branch.
#else
        m_sslSocketQ.enqueue(serverSocket);
#endif
    } else {
        delete serverSocket;
    }
}

/*! \brief slot connected to QSslSocket::sslErrors(); logs the errors and decides which of them to ignore

    Every reported error is logged at LOG_CRITICAL. Self-signed errors
    (SelfSignedCertificate, SelfSignedCertificateInChain) are collected into
    errorsToIgnore when m_ServerConfig.allowUntrustedCerts is set. After the
    loop, m_ServerConfig.ignoreSslErrors selects between ignoring every error
    and ignoring only the collected ones.

    \param aErrorList errors reported by the socket for the current handshake
 */
void SslServer::onSslErrors(QList<QSslError> aErrorList) {
    qDebug() << "ssl error " << aErrorList;
    QList<QSslError> errorsToIgnore;
    foreach (QSslError se, aErrorList) {
        qDebug() << se.errorString();
        *m_flogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
        *m_clogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " << se.errorString() << UNQL::eom;
        if (se.error()==QSslError::SelfSignedCertificate || se.error()==QSslError::SelfSignedCertificateInChain) {
            // Accepting a self-signed peer certificate means the peer's
            // identity is not vouched for by any CA; this is gated on
            // allowUntrustedCerts.
            if (m_ServerConfig.allowUntrustedCerts) {
                qDebug() << "Cert is SelfSigned... but we're ok with that...";
                *m_flogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
                *m_clogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
                errorsToIgnore << se;
            }
        }
    }
    // NOTE(review): unchecked C-style cast of sender(). If this slot is ever
    // invoked directly or by another sender type, sslsock is invalid;
    // qobject_cast<QSslSocket*>(sender()) with a null check is safer.
    QSslSocket *sslsock = (QSslSocket*) sender();
    if (m_ServerConfig.ignoreSslErrors) {
        // NOTE(review): the no-argument ignoreSslErrors() suppresses every
        // verification error for this handshake, so the peer certificate is
        // effectively unauthenticated. Keep this switch off outside of test
        // setups.
        *m_flogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
        *m_clogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
        sslsock->ignoreSslErrors();
    } else {
        // NOTE(review): this warning is written even when errorsToIgnore is
        // empty, i.e. when nothing is actually ignored, which makes the log
        // misleading.
        *m_flogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
        *m_clogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
        if (errorsToIgnore.count()>0)
            sslsock->ignoreSslErrors(errorsToIgnore);
    }
    qDebug() << "socket is encrypted: " << sslsock->isEncrypted();
}

On Sat, Feb 23, 2013 at 4:54 PM, Richard Moore <r...@kde.org> wrote: > On 21 February 2013 18:32, Francesco Lamonica <alienpeng...@gmail.com> > wrote: > > i've implemented a simple SslServer inheriting from QTcpServer and > > overriding the incomingConnection() as suggested from the documentation. 
> > However i am stumbling on a strange problem: QSslSocket fires correctly > the > > sslErrors() signal for a "self-signed certificate" but even though i do > not > > call ignoreSslErrors() at any time the connection is not dropped (as it > said > > it should on the docs) > > Any ideas what i might check? > > You'll need to make your question much clearer. A server socket > doesn't verify it's own certificate, that is something done by the > client. Any certificate verification done by the server is of the > chain provided by the client. > > Cheers > > Rich. > _______________________________________________ > Interest mailing list > Interest@qt-project.org > http://lists.qt-project.org/mailman/listinfo/interest >