QSslSocket hostname mismatch



eleanor
5th May 2009, 08:38
Hi, I need to know why I get this error when authenticating with certificates:


"The host name did not match any of the valid hosts for this certificate"
"The root certificate of the certificate chain is self-signed, and untrusted"

The certificates that I created are:

server.crt


Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:42:50 2009 GMT
Not After : May 2 23:42:50 2019 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Server, OU=Server, CN=Server


client.crt


Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:43:01 2009 GMT
Not After : May 2 23:43:01 2019 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Client, OU=Client, CN=Client


ca.crt


Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:42:47 2009 GMT
Not After : May 4 23:42:47 2029 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com


Both the server certificate and the client certificate are signed by the CA certificate. And CN=test.com is actually a valid hostname that can be resolved by DNS servers into a WAN IP.

Any ideas?

wysota
5th May 2009, 09:25
Common name (CN) has to match the other side's IP and the certificate needs to be signed by a CA that is among those your operating system considers trusted and not by any CA. You can ignore those errors if you wish by connecting appropriate signal to appropriate slot in your application. It's all described in QSslSocket docs.

eleanor
5th May 2009, 09:57
Doesn't the CN match the IP... they are all test.com, so they are all the same (they have the same IP)?

Also, if I create a CA cert and self-sign it, doesn't the application trust it... it should.

Can you be more specific with this? Can you provide an example?

wysota
5th May 2009, 10:06
Doesn't the CN match the IP... they are all test.com, so they are all the same (they have the same IP)?
$ host test.com
test.com has address 205.178.152.103

Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?


Also, if I create a CA cert and self-sign it, doesn't the application trust it... it should.
No, it shouldn't.


Can you be more specific with this? Can you provide an example?

I'm not sure what example you would like me to provide :) I can't teach you SSL in 5 minutes; take a book on SSL or read a tutorial to understand why a self-signed CA can't be trusted (at least out of the box).

eleanor
5th May 2009, 10:40
$ host test.com
test.com has address 205.178.152.103

Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?


Well, how can I declare the certificate then... it's not possible for 205.178.152.103 to be the IP on all sides of the communication.

wysota
5th May 2009, 22:08
Unless you have access to a real CA you won't be able to generate a fully valid certificate so it doesn't really matter what you place there. But if you want to be as close to a proper certificate as possible, you have to place a proper common name on the certificate and ignore the "self-signed certificate" warning. This is really not a place for an SSL tutorial, so searching for one might be a better idea than asking about it here.

eleanor
9th May 2009, 20:00
Ok, I didn't find the solution to this problem, so I have a new question: what are the risks of ignoring this error...?

wysota
11th May 2009, 18:48
what are the risks of ignoring this error...?

Vulnerability to "man in the middle" attacks, but if you're not doing something that requires strong protection, you can surely live with it, especially if you "hardcode" trust to some CA and use the same CA for generating every client (and server) certificate.
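
The two errors eleanor quoted at the top of the thread, wysota's point that the common name has to match the host the client connects to, and the closing advice to hardcode trust to your own CA rather than ignore the errors all come down to two checks a TLS client makes before it trusts a peer. The following is an added example written for this thread, not code from the thread or from Qt: it models those two checks over plain dicts built from the subject and issuer fields eleanor posted (no signatures are verified, so only the policy is modelled), and then shows the same setup after the two fixes discussed here, a server certificate that actually names test.com and the CA certificate added to the client's trusted set. `SERVER_CERT_FIXED`, `thread_scenario` and `fixed_scenario` are hypothetical names chosen for the example.

```python
"""Model of the two checks behind the errors quoted in this thread.

Added example (not code from the thread or from Qt): certificates are plain
dicts built from the subject/issuer fields posted in the thread, and no
signatures are verified, so this only models the policy a TLS client applies:
  1. does the peer certificate name the host we connected to?
  2. does the chain end in a root we have deliberately chosen to trust?
"""

HOSTNAME_MISMATCH = "The host name did not match any of the valid hosts for this certificate"
UNTRUSTED_ROOT = "The root certificate of the certificate chain is self-signed, and untrusted"


def hostname_matches(hostname, names):
    """Case-insensitive DNS-name match (RFC 6125 style, simplified).

    A wildcard is honoured only when it is the entire leftmost label, only
    when at least two labels follow it, and it never spans a dot:
    '*.test.com' matches 'api.test.com' but not 'a.b.test.com' or 'test.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host) and labels[1:] == host[1:]):
            return True
    return False


def cert_names(cert):
    """Names a certificate is valid for: the SAN dNSName list if present,
    otherwise the legacy fallback to the subject CN."""
    if cert.get("san"):
        return list(cert["san"])
    cn = cert["subject"].get("CN")
    return [cn] if cn else []


def find_root(cert, available):
    """Follow issuer links through `available` until a self-signed certificate
    (subject == issuer) is reached; None if the chain is incomplete or loops."""
    current, seen = cert, []
    while current["subject"] != current["issuer"]:
        if current["subject"] in seen:
            return None
        seen.append(current["subject"])
        current = next((c for c in available if c["subject"] == current["issuer"]), None)
        if current is None:
            return None
    return current


def verify_peer(cert, hostname, chain, trusted_roots):
    """Return the list of error strings a client would raise for this peer."""
    errors = []
    if not hostname_matches(hostname, cert_names(cert)):
        errors.append(HOSTNAME_MISMATCH)
    root = find_root(cert, [cert] + list(chain))
    # A real client compares the whole root certificate (or its public key);
    # the constructed dicts here carry no keys, so subject equality stands in.
    if root is None or root["subject"] not in [t["subject"] for t in trusted_roots]:
        errors.append(UNTRUSTED_ROOT)
    return errors


# Constructed from the certificates posted in the thread.
CA_NAME = {"C": "SI", "ST": "Slovenia", "L": "Ljubljana", "O": "CA", "OU": "CA", "CN": "test.com"}
CA_CERT = {"subject": CA_NAME, "issuer": CA_NAME}          # ca.crt: self-signed root
SERVER_CERT = {"subject": {"C": "SI", "ST": "Slovenia", "L": "Ljubljana",
                           "O": "Server", "OU": "Server", "CN": "Server"},
               "issuer": CA_NAME}                          # server.crt as posted
# Hypothetical re-issued server certificate: same CA, but it names the host
# clients actually connect to (SAN entries, with the CN kept for old clients).
SERVER_CERT_FIXED = {"subject": dict(SERVER_CERT["subject"], CN="test.com"),
                     "issuer": CA_NAME, "san": ["test.com", "*.test.com"]}


def thread_scenario():
    """The original setup: CN=Server for host test.com, CA not trusted."""
    return verify_peer(SERVER_CERT, "test.com", chain=[CA_CERT], trusted_roots=[])


def fixed_scenario():
    """Re-issued certificate plus ca.crt added to the trusted CAs: no errors."""
    return verify_peer(SERVER_CERT_FIXED, "test.com", chain=[CA_CERT], trusted_roots=[CA_CERT])


if __name__ == "__main__":
    print("original:", thread_scenario())
    print("fixed:   ", fixed_scenario())
```

The `trusted_roots` argument is the model of what wysota calls hardcoding trust to some CA: in a Qt client the equivalent is adding ca.crt with `QSslSocket::addCaCertificate()` (or `addCaCertificates()`) before connecting, so the self-signed root error never fires, while the hostname check still runs against the name the socket was given. That is narrower than calling `ignoreSslErrors()` from the `sslErrors` slot, which also waves through a certificate signed by anyone, and it is what keeps the man-in-the-middle risk from the last post limited to someone who holds your CA's private key.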