maggu2810
29th July 2011, 19:08
Hello!
I have a problem selecting a supported cipher suite and establishing an SSL encrypted connection. So I created an example to demonstrate the problem, and the result confused me again.
The example creates a server socket on port 9876 that should support all ciphers that are available on the system (the result of the static function QSslSocket::supportedCiphers()).
It uses "/tmp/mycert.key" and "/tmp/mycert.crt" for the private key / certificate.
You can create a sample one with:
openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=Bavaria/L=Sample-City/CN=sampledomain' -newkey rsa:1024 -keyout /tmp/mycert.key -out /tmp/mycert.crt
The client and server SSL sockets set VerifyNone for peer verification and use the SSLv3 protocol.
For each available cipher a socket is created that supports only that one cipher, and an encrypted connection to the server socket (which supports "all" ciphers) is initiated.
You will get a lot of debug output on stderr (qDebug, ...).
The debug output shows me:
- 49 ciphers are available
- 10 encrypted connections could be established
- 4 handshake errors occurred on client side
- 35 handshake errors occurred on server side
On command line you can give the execution mode. Use argument 's' if you want to start the server component or 'c' if you want to start the client component.
So first start the server mode:
./QtSslTest s 2>&1 | tee /tmp/server.log
and while the server is running, start the client mode:
./QtSslTest c 2>&1 | tee /tmp/client.log
I hope someone can explain to me why "supported" ciphers could not be used to establish an encrypted connection.
Source code is attached.
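An added example, not the poster's code and not part of Qt: QSslSocket::supportedCiphers() is the OpenSSL cipher list, and OpenSSL only negotiates a suite when the server side has everything that suite's key exchange and authentication need. The script below parses lines in the shape printed by `openssl ciphers -v` (the lines here are a constructed sample with OpenSSL 1.0-era names, not the 49 suites from the post) and predicts, for a server whose configuration is described by the hypothetical `ServerConfig` fields, which suites can be negotiated and why the others are rejected. The rules it applies are generic OpenSSL server-side requirements: the suite's minimum protocol must not exceed the socket's protocol, the Au= column must match the certificate's key type (or be None for anonymous suites), ephemeral DH needs temporary DH parameters, ephemeral ECDH needs a temporary ECDH key, and PSK/KRB5/SRP need their own credentials. It is a prediction to compare against the server.log, not a replacement for the live test.

```python
"""Predict which OpenSSL cipher suites a given server setup can negotiate.

Added example, not from the original post or from Qt. Input lines follow the
format of `openssl ciphers -v`:
    NAME  MIN-PROTO  Kx=...  Au=...  Enc=...  Mac=...
"""
import re
from dataclasses import dataclass

PROTO_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample in the shape of `openssl ciphers -v` (OpenSSL 1.0-era suite names).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA   Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS   Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168) Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA    Au=RSA   Enc=AESGCM(128) Mac=AEAD
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK   Enc=AES(256)  Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5  Enc=3DES(168) Mac=SHA1
"""


@dataclass(frozen=True)
class ServerConfig:
    """Hypothetical description of the server socket (field names are this example's own)."""
    key_type: str = "RSA"    # key type of the loaded certificate: RSA, DSS (DSA) or ECDSA
    protocol: str = "SSLv3"  # the single protocol version the socket is restricted to
    tmp_dh: bool = False     # server supplied temporary DH parameters (SSL_CTX_set_tmp_dh)
    tmp_ecdh: bool = False   # server supplied a temporary ECDH key (SSL_CTX_set_tmp_ecdh)
    psk: bool = False        # server registered a PSK callback


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` style lines into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(dict(zip(("name", "proto", "kx", "au", "enc", "mac"), m.groups())))
    return suites


def reject_reason(suite, cfg):
    """Return None if the server can negotiate this suite, otherwise a short reason."""
    if PROTO_ORDER[suite["proto"]] > PROTO_ORDER[cfg.protocol]:
        return f"needs {suite['proto']}, socket is restricted to {cfg.protocol}"
    kx, au = suite["kx"], suite["au"]
    if kx in ("PSK", "KRB5", "SRP"):
        if kx == "PSK" and cfg.psk:
            return None
        return f"key exchange {kx} needs server-side credentials that are not configured"
    if "/" in kx:  # Kx=DH/RSA, ECDH/ECDSA, ...: the certificate itself must carry a static DH/ECDH key
        return f"key exchange {kx} needs a certificate with a static DH/ECDH key"
    if au not in ("None", cfg.key_type):
        return f"authentication {au} does not match the {cfg.key_type} certificate"
    if kx == "DH" and not cfg.tmp_dh:
        return "ephemeral DH needs temporary DH parameters on the server"
    if kx == "ECDH" and not cfg.tmp_ecdh:
        return "ephemeral ECDH needs a temporary ECDH key on the server"
    return None


def predict(text, cfg):
    """Map suite name -> None (negotiable) or rejection reason."""
    return {s["name"]: reject_reason(s, cfg) for s in parse_ciphers_v(text)}


def summarize(text, cfg):
    """Return (sorted negotiable names, {rejected name: reason})."""
    result = predict(text, cfg)
    ok = sorted(name for name, reason in result.items() if reason is None)
    rejected = {name: reason for name, reason in result.items() if reason is not None}
    return ok, rejected


if __name__ == "__main__":
    # Same situation as the post: RSA certificate, SSLv3 only, nothing else configured.
    ok, rejected = summarize(SAMPLE_CIPHERS_V, ServerConfig())
    print(f"{len(ok)} of {len(ok) + len(rejected)} suites negotiable: {', '.join(ok)}")
    for name, reason in rejected.items():
        print(f"  rejected {name}: {reason}")
```

To compare with a real system, replace SAMPLE_CIPHERS_V with the output of `openssl ciphers -v ALL:COMPLEMENTOFALL` and set the ServerConfig fields to what the server socket actually does; a suite the script accepts but the server log rejects points at something the server side is missing beyond these rules.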