QSslSocket: Cannot access peer (client) certificate on other peer (server)

This is the follow-up to my original problem: Qt Server+Client App: encryption fails (updated with code). Also posted this to Qt Forums: http://qt-project.org/forums/viewthread/41293/

Hi,

my goal is establishing two-way authentication for Server+Client apps. I am having a strange problem however. I am using certificates generated by XCA and OpenSSL for testing purposes in my Server+Client apps using Qt 5.2.0.

Note: I do not use QSslSocket::ignoreSslErrors() to get past the errors.

2 scenarios:

1) Client has valid clientCA, valid local certificate (signed by serverCA, client template) and valid private key set. Server has valid serverCA, valid local certificate (signed by clientCA, server template) and valid private key set.

2) Client has valid clientCA. Server has valid local certificate (signed by clientCA, server template) and valid private key set.

--------

ad 1)

I can establish a secure connection fine but only if I set QSslSocket::peerVerifyMode to VerifyNone on the server side (automatically VerifyPeer on the client).

If I do NOT do that I get assigned VerifyPeer mode automatically, even though the socket is correctly evaluated as server side (checked SslMode for this). That is apparently contrary to the documentation, as it says it should automatically be QueryPeer if the socket is server side. However, even setting the socket to QueryPeer manually does not help, and the handshake fails the same as with VerifyPeer.

Now the error I get is:

QSslError::CertificateSignatureFailed (4) "The signature of the certificate is invalid"

Inspecting the peer certificate on SSL error (and/or encrypted) on the server reveals that no certificate was presented by the peer (peerCertificate() yields a null certificate), so it is no wonder it fails with this error. I cannot get the peer certificate on the client side either in this case.

BUT even if VerifyNone is set on the server and encryption succeeds, I still get the above-mentioned error due to the peer (client) not presenting its certificate, despite the fact that it should NOT be requested in the first place. On the client I can get the peer (server) certificate in this case.

--------

ad 2)

This is the documentation-style scenario, which should be capable of one-way authentication only (client authenticating the server). In this case the peerVerifyMode is again selected as VerifyPeer on the server by default.

However, peerVerifyMode does NOT have any effect on the handshake on the server side! Even when set to VerifyPeer it succeeds, despite the fact that the client has not presented any certificates.

No matter the setting of peerVerifyMode, the error occurs the same as in #1 plus two new errors, therefore I get on the server:

QSslError::CertificateSignatureFailed (4) "The signature of the certificate is invalid"
QSslError::UnableToGetLocalIssuerCertificate (11) "The issuer certificate of a locally looked up certificate could not be found"
QSslError::UnableToVerifyFirstCertificate (12) "No certificates could be verified"

Despite these, the SSL handshake succeeds regardless of peerVerifyMode on the server side. I get no errors on the client. This once again is contrary to the documentation, which clearly states that in case of ANY SSL error the connection is dropped unless the errors are ignored.

--------

I do not understand this behaviour nor how to fix it, since I am fairly sure the certificates are ok (the test handshake using openssl.exe succeeds with verify return code 0 (Ok)). It seems to me that the setting of peerVerifyMode is often ignored though, and that in some cases errors are automatically ignored as well. Since they are related to the unsent (or not received) peer (client) certificate on the server side I can understand it, but not if peerVerifyMode is set to VerifyPeer.

Can anybody help? Thank you!

I have been able to solve this issue in an unusual way. It was caused by a bug in Qt, I think this one: https://bugreports.qt-project.org/browse/QTBUG-7200, since it matched the symptoms of my latest attempts (same error in Qt while openssl succeeded in verifying the certificates etc.).

Update from 5.2.0 to 5.3.0-beta solved it (the bug was apparently solved in 5.2.2).
