SOAP Webservice with SSL Support: No certificates could be verified



anker
23rd January 2018, 16:14
Hello everybody,

I have a problem with implementing SSL support for my SOAP Webservice client. I tested my client with free (non-SSL-supported) Webservices and it worked. Now I want to add SSL support, and I fail when integrating the required certificates. I use the QNetworkAccessManager with a QNetworkRequest and I set QSslConfiguration::setDefaultConfiguration(l_sslConfig); to my configuration.

The used certificates are stored in "C:/certTest/" (CertEnterpriseCA02.pem, CertRootCA02.pem).

Installed software:
Qt-Version: 5.6.2
OpenSSL Build Version: 1.0.2g
OpenSSL Library Version: 1.0.2l



// PREPARATIONS
connect(m_networkAccessManager, SIGNAL(sslErrors(QNetworkReply*,QList<QSslError>)), this, SLOT(slot_sslErrorsSlot(QNetworkReply*,QList<QSslError>)));

QBuffer *l_buffer = this->prepareRequestBuffer();
QNetworkRequest l_request = this->prepareRequest();


// SSL CONFIG

QSslConfiguration l_sslConfig = QSslConfiguration::defaultConfiguration();

l_sslConfig.setProtocol(QSsl::TlsV1_0OrLater);
l_sslConfig.setSslOption(QSsl::SslOptionDisableSessionTickets, true);
l_sslConfig.setSslOption(QSsl::SslOptionDisableCompression, false);

// Start from the default CA list and append every certificate found in C:/certTest/
QList<QSslCertificate> l_certs = l_sslConfig.caCertificates();

QDir l_caDir("C:/certTest/");
QStringList l_certFilenames = l_caDir.entryList();

for( int i=0; i<l_certFilenames.length(); i++)
{
    if( l_certFilenames.at(i) != "." && l_certFilenames.at(i) != ".." )
    {
        QFile l_fileCert(l_caDir.absolutePath() + "/" + l_certFilenames.at(i));

        if(!l_fileCert.open(QIODevice::ReadOnly))
        {
            qDebug() << "Cannot open CA certificate!";
            continue; // skip this file instead of appending a null certificate
        }

        QSslCertificate l_cert(&l_fileCert,QSsl::Pem);
        l_fileCert.close();
        l_certs.append(l_cert);
    }
}

l_sslConfig.setCaCertificates(l_certs);

QSslConfiguration::setDefaultConfiguration(l_sslConfig);

// POST MESSAGE

QNetworkReply *l_reply = m_manager->post(l_request, l_buffer);


To verify the SSL error I connected the sslErrors(QNetworkReply*,QList<QSslError>) signal from the QNetworkAccessManager with one of my own slots. The error string of the QNetworkReply says the following:

"The issuer certificate of a locally looked up certificate could not be found"
"No certificates could be verified"

I obviously have a problem with the handshake of client and server, and I think the reason is that Qt can't find my certificates. Here is the communication observed by Wireshark:



1823 962.621597 172.28.254.191 10.39.5.181 TLSv1.2 571 Client Hello
1824 962.660543 10.39.5.181 172.28.254.191 TCP 54 443 → 61210 [ACK] Seq=1 Ack=518 Win=30336 Len=0
1825 962.664683 10.39.5.181 172.28.254.191 TLSv1.2 1420 Server Hello, Certificate
1826 962.664785 10.39.5.181 172.28.254.191 TLSv1.2 375 Server Key Exchange, Server Hello Done
1827 962.664811 172.28.254.191 10.39.5.181 TCP 54 61210 → 443 [ACK] Seq=518 Ack=1688 Win=16384 Len=0
1828 962.667858 172.28.254.191 10.39.5.181 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1829 962.706037 10.39.5.181 172.28.254.191 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
1830 962.746854 172.28.254.191 10.39.5.181 TCP 54 61210 → 443 [ACK] Seq=644 Ack=1739 Win=16128 Len=0
1831 962.748077 172.28.254.191 10.39.5.181 TCP 54 61210 → 443 [FIN, ACK] Seq=644 Ack=1739 Win=16128 Len=0
1832 962.785958 10.39.5.181 172.28.254.191 TLSv1.2 85 Encrypted Alert

I read so many articles about Qt and SSL support, but there must be an error in my code. It would be great if someone could help me.

Thanks a lot.
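
Added example, not part of the original post: the two messages quoted above are Qt's text for QSslError::UnableToGetLocalIssuerCertificate and QSslError::UnableToVerifyFirstCertificate, which OpenSSL raises when it cannot build a chain from the server certificate up to a trusted CA. The script below reproduces that condition with the openssl command line on a three-level chain and shows verification passing once the intermediate CA is in the trust file. Every key, certificate, file name and subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed for the demo.

# make_chain DIR: create root CA -> intermediate CA -> server certificate in DIR.
make_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/o.cnf"
    # Self-signed root CA.
    openssl req -config "$d/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Enterprise CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_with TRUST_PEM CERT_PEM: print OpenSSL's verdict for CERT_PEM when only
# the CA certificates in TRUST_PEM are available to build the chain.
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# show_links PEM...: print subject and issuer of each file so a missing link is visible.
show_links() {
    for f in "$@"; do openssl x509 -noout -subject -issuer -in "$f"; done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"
show_links "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem"

echo "--- trust file: root only (intermediate missing)"
verify_with "$WORK/root.pem" "$WORK/leaf.pem" || true

echo "--- trust file: root + intermediate"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
verify_with "$WORK/bundle.pem" "$WORK/leaf.pem"
```

To check real files the same way, concatenate the CA PEM files into one trust file and pass it to verify_with together with the certificate the server presents.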