QSslSocket and cipher problem



maggu2810
29th July 2011, 20:08
Hello!

I have a problem selecting a supported cipher suite and establishing an SSL encrypted connection. So I created an example to demonstrate the problem, and the result confused me again.

The example creates a server socket on port 9876 that should support all ciphers that are available on the system (result of static function QSslSocket::supportedCiphers()).
It uses "/tmp/mycert.key" and "/tmp/mycert.crt" for the key / private certificate.
You can create a sample one with:

openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=Bavaria/L=Sample-City/CN=sampledomain' -newkey rsa:1024 -keyout /tmp/mycert.key -out /tmp/mycert.crt

The client and server SSL sockets set VerifyNone for peer verification and use the SSLv3 protocol.

For each available cipher a socket is created that supports only that one cipher, and an encrypted connection to the server socket (that supports "all" ciphers) is initiated.

You will get a lot of debug output on stderr (qDebug, ...).

The debug output shows me:
- 49 ciphers are available
- 10 encrypted connections could be established
- 4 handshake errors occurred on client side
- 35 handshake errors occurred on server side

On command line you can give the execution mode. Use argument 's' if you want to start the server component or 'c' if you want to start the client component.

So first start the server mode:

./QtSslTest s 2>&1 | tee /tmp/server.log

and while the server is running, start the client mode:

./QtSslTest c 2>&1 | tee /tmp/client.log

I hope someone can explain to me why "supported" ciphers could not be used to establish an encrypted connection.

Source code is attached.

ois
3rd August 2011, 20:39
Hello,

I have similar results on my system. The successful ciphers at first run are:
cipher name: AES256-SHA
cipher name: CAMELLIA256-SHA
cipher name: DES-CBC3-SHA
cipher name: AES128-SHA
cipher name: CAMELLIA128-SHA
cipher name: RC4-SHA
cipher name: RC4-MD5
cipher name: DES-CBC-SHA

Then I changed in SslTest/MySslServer.cpp the line "mpSslConf->setProtocol(QSsl::SslV3);" to
mpSslConf->setProtocol(QSsl::AnyProtocol);

and in SslTest/TestCipher.cpp the line "socket->setProtocol(QSsl::SslV3);" to
socket->setProtocol(QSsl::SslV2);

This results in the following successful ciphers:
cipher name: DES-CBC3-MD5
cipher name: RC2-CBC-MD5
cipher name: RC4-MD5
cipher name: DES-CBC-MD5
cipher name: EXP-RC2-CBC-MD5
cipher name: EXP-RC4-MD5

So you see, some appear in both, some only in the first, some only in the second.
Protocol TlsV1 gives no successful ones on my system, but may on yours, as you say there are 10 successful in the first run, while there are only 8 on mine.

Try changing other server and client settings, and other options during key file generation.

Greetings,
Spitl

maggu2810
11th August 2011, 08:08
Thank you.
But I found the problem and reported it (with a possible workaround / solution): https://bugreports.qt.nokia.com/browse/QTBUG-20666