QSslSocket: Cannot access peer (client) certificate on other peer (server)
This is the follow-up to my original problem: Qt Server+Client App: encryption fails (updated with code). Also posted this to Qt Forums: http://qt-project.org/forums/viewthread/41293/

Hi,

my goal is establishing two-way authentication for Server+Client apps. I am having a strange problem however. I am using certificates generated by XCA and OpenSSL for testing purposes in my Server+Client apps with Qt 5.2.0.

Note: I do not use QSslSocket::ignoreSslErrors() to get past the errors.

2 scenarios:

1) Client has valid clientCA, valid local certificate (signed by serverCA, client template) and valid private key set. Server has valid serverCA, valid local certificate (signed by clientCA, server template) and valid private key set.

2) Client has valid clientCA. Server has valid local certificate (signed by clientCA, server template) and valid private key set.
----------

ad 1)

I can establish a secure connection fine, but only if I set QSslSocket::peerVerifyMode to VerifyNone on the server side (automatically VerifyPeer on the client). If I do NOT do that, I automatically get assigned VerifyPeer mode even though the socket is correctly evaluated as server side (I checked SslMode for this). That is apparently contrary to the documentation, as it says it should automatically be QueryPeer if the socket is server side. However, even setting the socket to QueryPeer manually does not help and the handshake fails the same as with VerifyPeer.

Now the error I get is:

QSslError::CertificateSignatureFailed (4) "The signature of the certificate is invalid"

Inspecting the peer certificate on SSL error (and/or encrypted) on the server reveals that no certificate was presented by the peer (peerCertificate() yields a null certificate), so it is no wonder it fails with this error. I cannot get the peer certificate on the client side either in this case.

BUT even if VerifyNone is set on the server and encryption succeeds, I still get the above-mentioned error due to the peer (client) not presenting its certificate, despite the fact that it should NOT be requested in the first place. On the client I can get the peer (server) certificate in this case.
----------

ad 2)

This is the documentation-style scenario, which should be capable of one-way authentication only (client authenticating the server). In this case the peerVerifyMode is again selected as VerifyPeer on the server by default.

However, peerVerifyMode does NOT have any effect on the handshake on the server side! Even when set to VerifyPeer it succeeds, despite the fact that the client has not presented any certificates.

No matter the setting of peerVerifyMode, the error occurs the same as in #1 plus two new errors, therefore I get on the server:

QSslError::CertificateSignatureFailed (4) "The signature of the certificate is invalid"
QSslError::UnableToGetLocalIssuerCertificate (11) "The issuer certificate of a locally looked up certificate could not be found"
QSslError::UnableToVerifyFirstCertificate (12) "No certificates could be verified"

Despite these, the SSL handshake succeeds regardless of peerVerifyMode on the server side. I get no errors on the client. This once again is contrary to the documentation, which clearly states that in case of ANY SSL error the connection is dropped unless they are ignored.

----------
I do not understand this behaviour nor how to fix it, since I am fairly sure the certificates are ok (the test handshake using openssl.exe succeeds with verify return code 0 (Ok)). It seems to me that the setting of peerVerifyMode is often ignored though, and that in some cases errors are automatically ignored as well. Since they are related to the unsent (or not received) peer (client) certificate on the server side I can understand it, but not if the peerVerifyMode is set to VerifyPeer.

Can anybody help? Thank you!
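The set-up described in the question (two private CAs, each side's local certificate signed by the CA the other side trusts, and the server's peer verify mode deciding whether a client certificate is not requested, requested but not required to be valid, or required and checked) can be reproduced end to end without Qt. The program below is an added example and is not code from the question, from Qt or from the linked bug report. It uses only Go's standard library, mints a throw-away in-memory PKI (the names serverCA, clientCA, unrelatedCA, server.example and client.example are constructed for the example), and maps Go's tls.ClientAuthType onto QSslSocket's modes as an analogy of my own: NoClientCert stands in for VerifyNone, RequestClientCert for QueryPeer and RequireAndVerifyClientCert for VerifyPeer. Each scenario reports the server-side handshake error and how many certificates the client actually presented, which is what a null peerCertificate() on the server is about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is the server's view of one handshake: its error (nil on success) and the number of certificates the client presented.
type Outcome struct{ Err error; PeerCerts int }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a throw-away P-256 certificate (constructed for this example): a self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func pair(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// handshake runs one TLS handshake over loopback TCP and reports the server's view of it.
func handshake(serverCfg, clientCfg *tls.Config) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			cli.Read(make([]byte, 1)) // consume the server's alert or close_notify
			cli.Close()
		}
	}()
	raw, err := ln.Accept()
	must(err)
	srv := tls.Server(raw, serverCfg)
	err = srv.Handshake()
	srv.Close()
	<-done
	return Outcome{Err: err, PeerCerts: len(srv.ConnectionState().PeerCertificates)}
}

// Scenarios builds the question's PKI (serverCA signs the client's certificate, clientCA the server's; the names follow the question) and runs each server verify mode against it.
func Scenarios() map[string]Outcome {
	serverCA, serverCAKey := newCert("serverCA", nil, nil)
	clientCA, clientCAKey := newCert("clientCA", nil, nil)
	otherCA, otherCAKey := newCert("unrelatedCA", nil, nil)
	serverCert, serverKey := newCert("server.example", clientCA, clientCAKey)
	clientCert, clientKey := newCert("client.example", serverCA, serverCAKey)
	otherCert, otherKey := newCert("client.example", otherCA, otherCAKey)
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	serverTrust.AddCert(serverCA) // the server must trust whoever signed the CLIENT's certificate
	clientTrust.AddCert(clientCA) // the client must trust whoever signed the SERVER's certificate
	server := func(mode tls.ClientAuthType) *tls.Config { // mode plays the role of peerVerifyMode
		return &tls.Config{Certificates: []tls.Certificate{pair(serverCert, serverKey)}, ClientCAs: serverTrust, ClientAuth: mode}
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		cfg := &tls.Config{RootCAs: clientTrust, ServerName: "server.example"}
		if len(certs) > 0 { // answer the request directly, so the server's own verification decides the outcome
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &certs[0], nil }
		}
		return cfg
	}
	return map[string]Outcome{
		"VerifyNone, no client cert":     handshake(server(tls.NoClientCert), client()),
		"QueryPeer, no client cert":      handshake(server(tls.RequestClientCert), client()),
		"QueryPeer, client cert":         handshake(server(tls.RequestClientCert), client(pair(clientCert, clientKey))),
		"VerifyPeer, no client cert":     handshake(server(tls.RequireAndVerifyClientCert), client()),
		"VerifyPeer, client cert":        handshake(server(tls.RequireAndVerifyClientCert), client(pair(clientCert, clientKey))),
		"VerifyPeer, cert from other CA": handshake(server(tls.RequireAndVerifyClientCert), client(pair(otherCert, otherKey))),
	}
}

func main() { fmt.Println(Scenarios()) } // prints each scenario's server-side error and peer certificate count
```

Running it shows what a correctly behaving stack does for the two scenarios in the question: with the VerifyNone and QueryPeer equivalents a client without a certificate completes the handshake and the server sees zero peer certificates (no error is raised for the absent certificate), and with the QueryPeer equivalent a presented certificate is delivered to the server without being checked. With the VerifyPeer equivalent the handshake fails both when the client presents nothing and when it presents a certificate from a CA that is not in the server's ClientCAs, which is the Go counterpart of the "signature of the certificate is invalid" verification failure. Note which pool goes where: the server's ClientCAs must contain the CA that signed the client's certificate (serverCA in the question's naming) and the client's RootCAs the CA that signed the server's (clientCA); swapping them reproduces the unknown-issuer failure even with otherwise valid certificates.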
I have been able to solve this issue in an unusual way. It was caused by a bug in Qt, I think this one: https://bugreports.qt-project.org/browse/QTBUG-7200 since it matched the symptoms of my latest attempts (same error in Qt while openssl succeeded in verifying the certificates etc.).

Update from 5.2.0 to 5.3.0-beta solved it (the bug was apparently solved in 5.2.2).