QSslSocket hostname mismatch
Hi, I need to know why I get this error when authenticating with certificates:
Quote:
"The host name did not match any of the valid hosts for this certificate"
"The root certificate of the certificate chain is self-signed, and untrusted"
The certificates that I created are:
server.crt
Code:
Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:42:50 2009 GMT
Not After : May 2 23:42:50 2019 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Server, OU=Server, CN=Server
client.crt
Code:
Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:43:01 2009 GMT
Not After : May 2 23:43:01 2019 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Client, OU=Client, CN=Client
ca.crt
Code:
Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Validity
Not Before: May 4 23:42:47 2009 GMT
Not After : May 4 23:42:47 2029 GMT
Subject: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
Both the server certificate and the client certificate are signed by the CA certificate. And CN=test.com is actually a valid hostname that can be resolved by DNS servers into a WAN IP.
Any ideas?
Re: QSslSocket hostname mismatch
Common name (CN) has to match the other side's IP and the certificate needs to be signed by a CA that is among those your operating system considers trusted and not by any CA. You can ignore those errors if you wish by connecting the appropriate signal to the appropriate slot in your application. It's all described in the QSslSocket docs.
Re: QSslSocket hostname mismatch
Doesn't CN match the IP...they are all test.com == so they are all the same (they have the same IP) ?
Also, if I create a CA cert and self sign it doesn't application trust it...it should.
Can you be more specific with this? Can you provide an example?
Re: QSslSocket hostname mismatch
Quote:
Originally Posted by eleanor
Doesn't CN match the IP...they are all test.com == so they are all the same (they have the same IP) ?
$ host test.com
test.com has address 205.178.152.103
Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?
Quote:
Also, if I create a CA cert and self sign it doesn't application trust it...it should.
No, it shouldn't.
Quote:
Can you be more specific with this? Can you provide an example?
I'm not sure what example you would like me to provide :) I can't teach you SSL in 5 minutes, take a book on SSL or read a tutorial to understand why a self-signed CA can't be trusted (at least out of the box).
Re: QSslSocket hostname mismatch
Quote:
$ host test.com
test.com has address 205.178.152.103
Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?
Well how can I declare the certificate then...it's not possible for 205.178.152.103 to be the IP on all sides of the communication.
Re: QSslSocket hostname mismatch
Unless you have access to a real CA you won't be able to generate a fully valid certificate so it doesn't really matter what you place there. But if you want to be as close to a proper certificate as possible, you have to place a proper common name on the certificate and ignore the "self-signed certificate" warning. This is really not a place for an SSL tutorial, so searching for one might be a better idea than asking about it here.
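A simplified model of the peer-name comparison behind the first error, as an added example (not code from the thread or from Qt). It uses the Subject and Issuer lines of server.crt posted above and assumes the client connects to test.com; the function names are hypothetical and subjectAltName entries are ignored.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Subject and Issuer of server.crt as posted in the thread.
const std::string kServerSubject =
    "C=SI, ST=Slovenia, L=Ljubljana, O=Server, OU=Server, CN=Server";
const std::string kServerIssuer =
    "C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com";

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Pull the CN out of a DN printed as "C=SI, ..., CN=Server" ("" if absent).
// Simplification: values containing ", " are not handled.
std::string commonName(const std::string& dn) {
    for (std::size_t pos = 0; pos < dn.size();) {
        std::size_t end = dn.find(", ", pos);
        if (end == std::string::npos) end = dn.size();
        if (dn.compare(pos, 3, "CN=") == 0) return dn.substr(pos + 3, end - pos - 3);
        pos = end + 2;
    }
    return "";
}

// True if certificate name `pattern` covers `host`; a leading "*." stands for
// exactly one left-most label and needs at least two labels after it.
bool nameMatches(const std::string& pattern, const std::string& host) {
    const std::string p = lower(pattern), h = lower(host);
    if (p.empty() || h.empty()) return false;
    if (p == h) return true;
    if (p.compare(0, 2, "*.") != 0 || p.find('.', 2) == std::string::npos) return false;
    const std::size_t dot = h.find('.');
    return dot != std::string::npos && dot > 0 && h.substr(dot) == p.substr(1);
}

// Only the Subject of the certificate the peer presents is compared with the
// name the client connected to; the Issuer DN is not consulted.
bool peerNameOk(const std::string& subjectDn, const std::string& host) {
    return nameMatches(commonName(subjectDn), host);
}

int main() {
    std::cout << "subject CN: " << commonName(kServerSubject) << '\n'
              << "issuer CN:  " << commonName(kServerIssuer) << '\n'
              << "matches test.com: " << peerNameOk(kServerSubject, "test.com") << '\n';
}
```

With the posted server.crt the subject CN is "Server", so a connection made to test.com fails the comparison even though the issuer CN is test.com.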
Re: QSslSocket hostname mismatch
Ok, I didn't find the solution to this problem, so I have a new question: what are the risks of ignoring this error...?
Re: QSslSocket hostname mismatch
Quote:
Originally Posted by eleanor
what are the risks of ignoring this error...?
Vulnerability to "man in the middle" attacks but if you're not doing something that requires a strong protection, you can surely live with it, especially if you "hardcode" trust to some CA and use the same CA for generating every client (and server) certificate.