Hi Richard, thanks for your example, I'll try it soon. However, the error message I get happens when the client presents the certificate and the server reports it as "untrusted". Still I do not understand: if ignoreSslError is never called, why is the connection not dropped?
On Sat, Mar 2, 2013 at 4:49 PM, Richard Moore <r...@kde.org> wrote:
> Okay, that's a lot clearer. Unfortunately, the documentation here is
> both confusing and arguably wrong. When operating as a server socket,
> it is not required to do anything with the sslErrors(). I've thrown
> together a little example here:
>
> https://gitorious.org/qt-examples/qt-examples/trees/master/sslserver
>
> As you can see I don't touch the ssl errors at all (though you're
> correct that they're being emitted). When operating as a server
> socket, you only need to deal with SSL errors when you're requesting a
> client certificate (i.e. using QSslSocket::VerifyPeer). If we look at
> the documentation for the verify mode we see this:
>
> "The default mode is AutoVerifyPeer, which tells QSslSocket to use
> VerifyPeer for clients and QueryPeer for servers."
>
> This leads me to suspect that the SSL errors that are being emitted
> are in fact due to the fact that the client isn't presenting a certificate
> (QueryPeer says it asks for, but does not require one), rather than to
> do with the server chain at all. If I modify my example to dump the
> errors, then connect to the server like this:
>
> openssl s_client -connect localhost:4433 -key ca.key -cert ca.crt
>
> Then the errors I see are actually those resulting from the key I've
> provided with the openssl command line rather than those for the
> server chain itself. I'll look into this a little further, but I think
> that it's the correct explanation.
>
> Regards
>
> Rich.
>
> On 27 February 2013 09:35, Francesco Lamonica <alienpeng...@gmail.com>
> wrote:
> > Hello Rich,
> >
> > thanks for your answer
> >
> > I'll add a bit of code to make things clearer :)
> >
> >
> > Upon connection the socket fires the onSslErrors() SLOT and there I see the
> > "untrusted / self-signed cert" error message.
> > In the slot I never switch to the code paths where ignoreSslErrors() is
> > invoked.
> >
> > Can you point out what I am doing wrong?
> >
> > thanks
> >
> > /*!
> >   \brief we overload the virtual QTcpServer::incomingConnection(int) method
> >   in order to start the SSL Encryption
> > */
> > void
> > SslServer::incomingConnection(int socketDescriptor)
> > {
> >     //qDebug() << "############### server reports ssl socket on descriptor: " << socketDescriptor;
> >     QSslSocket *serverSocket = new QSslSocket;
> >     qDebug() << "using ssl socket at address " << serverSocket;
> >     if (serverSocket->setSocketDescriptor(socketDescriptor)) {
> >         qDebug() << "Incoming connection from " <<
> >             serverSocket->peerAddress().toString() << ":" << serverSocket->peerPort();
> >         connect(serverSocket, SIGNAL(encrypted()), this, SLOT(ready()));
> >         connect(serverSocket,
> >             SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(onTcpError(QAbstractSocket::SocketError)));
> >         connect(serverSocket,
> >             SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(onSslErrors(QList<QSslError>)));
> >         serverSocket->setLocalCertificate(m_ServerConfig.certfile, QSsl::Pem);
> >         serverSocket->setPrivateKey(m_ServerConfig.keyfile, QSsl::Rsa,
> >             QSsl::Pem, "srv_certificate");
> >
> >         if (!serverSocket->localCertificate().isValid()) {
> >             *m_flogger << UNQL::LOG_CRITICAL << "Invalid certificate " <<
> >                 m_ServerConfig.certfile << UNQL::eom;
> >             *m_clogger << UNQL::LOG_CRITICAL << "Invalid certificate " <<
> >                 m_ServerConfig.certfile << UNQL::eom;
> >         }
> >         if (serverSocket->privateKey().isNull()) {
> >             *m_flogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" <<
> >                 m_ServerConfig.keyfile << UNQL::eom;
> >             *m_clogger << UNQL::LOG_CRITICAL << "Invalid private key (NULL)" <<
> >                 m_ServerConfig.keyfile << UNQL::eom;
> >         }
> >
> >         qDebug() << serverSocket->privateKey();
> >         qDebug() << serverSocket->localCertificate();
> >         serverSocket->startServerEncryption();
> >
> > #if (QT_VERSION > 0x040700)
> >         this->addPendingConnection(serverSocket); //this does not work with qt < 4.7
> > #else
> >         m_sslSocketQ.enqueue(serverSocket);
> > #endif
> >     } else {
> >         delete serverSocket;
> >     }
> > }
> >
> > void SslServer::onSslErrors(QList<QSslError> aErrorList)
> > {
> >     qDebug() << "ssl error " << aErrorList;
> >     QList<QSslError> errorsToIgnore;
> >
> >     foreach (QSslError se, aErrorList) {
> >         qDebug() << se.errorString();
> >         *m_flogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " <<
> >             se.errorString() << UNQL::eom;
> >         *m_clogger << UNQL::LOG_CRITICAL << "Server reports SSL error: " <<
> >             se.errorString() << UNQL::eom;
> >         if (se.error() == QSslError::SelfSignedCertificate ||
> >             se.error() == QSslError::SelfSignedCertificateInChain)
> >         {
> >             if (m_ServerConfig.allowUntrustedCerts) {
> >                 qDebug() << "Cert is SelfSigned... but we're ok with that...";
> >                 *m_flogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
> >                 *m_clogger << UNQL::LOG_INFO << "Client certificate is untrusted but we're ok with that" << UNQL::eom;
> >                 errorsToIgnore << se;
> >             }
> >         }
> >     }
> >     QSslSocket *sslsock = (QSslSocket*) sender();
> >     if (m_ServerConfig.ignoreSslErrors) {
> >         *m_flogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
> >         *m_clogger << UNQL::LOG_WARNING << "There were SSL errors but server is configured to ignore them all" << UNQL::eom;
> >         sslsock->ignoreSslErrors();
> >     }
> >     else {
> >         *m_flogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
> >         *m_clogger << UNQL::LOG_WARNING << "Ignoring some SSL errors..." << UNQL::eom;
> >         if (errorsToIgnore.count() > 0)
> >             sslsock->ignoreSslErrors(errorsToIgnore);
> >     }
> >     qDebug() << "socket is encrypted: " << sslsock->isEncrypted();
> > }
> >
> >
> > On Sat, Feb 23, 2013 at 4:54 PM, Richard Moore <r...@kde.org> wrote:
> >>
> >> On 21 February 2013 18:32, Francesco Lamonica <alienpeng...@gmail.com>
> >> wrote:
> >> > I've implemented a simple SslServer inheriting from QTcpServer and
> >> > overriding the incomingConnection() as suggested by the documentation.
> >> > However I am stumbling on a strange problem: QSslSocket correctly fires
> >> > the sslErrors() signal for a "self-signed certificate" but even though I do
> >> > not call ignoreSslErrors() at any time the connection is not dropped (as it
> >> > said it should in the docs)
> >> > Any ideas what I might check?
> >>
> >> You'll need to make your question much clearer. A server socket
> >> doesn't verify its own certificate, that is something done by the
> >> client. Any certificate verification done by the server is of the
> >> chain provided by the client.
> >>
> >> Cheers
> >>
> >> Rich.
> >> _______________________________________________
> >> Interest mailing list
> >> Interest@qt-project.org
> >> http://lists.qt-project.org/mailman/listinfo/interest
> >
> >
>