SSL Problem

[roland8454]

I compiled Qt with OpenSSL, it works fine on most https sites , but when I tried to visit sites such as
https://login.yahoo.com
I get "SSL Handshake Failed" error.

I thought it's my program's problem, so I used the browser comes with Qt Demo, it's the same thing.

Any idea how to fix it? Thank you in advance.

Qt version: 4.5.1
OpenSSL version: 0.9.8.11

[roland8454]

I think I found the reason for handshake failure.

The default "QSslConfiguration::setPeerVerifyMode" in Qt is "AutoVerifyPeer". And those sites that are giving me problems don't have identity information in their certificate. Therefore the verification fails.

I guess the question now is how do I modify QSslConfiguration of a QNetworkAccessManager in QWebPage?

[srikanth_trulyit]

Hi,

Did you solve this issue. Im also facing the similar problem. Kindly post how do you set the sslconfiguration of qwebview

Thanks,
Srikanth

[sweeper]

Hi, all

I am writting some program which should connect to site using SSL. The site has right (not self-signed) certificate. But there are two problems (or, may be, one). The CA certificate is not wide-known certificate (in other words, the site uses chain certificate), and the site doesn't send them together. Indeed it is not a problem for browsers (they get site certificate with X509v3 Key Usage: Digital Signature, Key Encipherment, extract the Authority Information Access, and after that download the CA certificate with X509v3 Key Usage: Certificate Sign, CRL Sign).

So, the question: how can I get the same behaviour from my program? Whether I should use QSslSocket or I can manage the task using QNetworkAccessManager?

I tried to get the certificate list in sslError function, but I can not see the site certificate there, only root CA's from my host computer.

[nkbarbeque]

Hi, rolad8454

I face the same problem like you, have you got the solution for modify QSslConfiguration ..?

I tried call the function QSslConfiguration::setPeerVerifyMode(QSslSocket::V erifyNone), then I get the mode value, only to find the Mode is still the default value AutoVerifyPeer. It seems that the setPeerVerifyMode don't have any effect.

I think I found the reason for handshake failure.

The default "QSslConfiguration::setPeerVerifyMode" in Qt is "AutoVerifyPeer". And those sites that are giving me problems don't have identity information in their certificate. Therefore the verification fails.

I guess the question now is how do I modify QSslConfiguration of a QNetworkAccessManager in QWebPage?

[roland8454]

It's been a long time since I fixed that problem. I'm not quite sure exactly what I did. But I'm going to give it a try.

1. Make sure you build Qt with OpenSSL correctly following my instructions here:
http://www.rolandli.com/2009/05/22/b...t-with-openssl

2. I think what I did was reimplemented createRequest function in QNetworkAccess Manager

header file:

Qt Code:

Switch view

class myNetworkAccessManager : public QNetworkAccessManager
{
	Q_OBJECT
 
public:
	myNetworkAccessManager ();
 
protected:
	QNetworkReply * createRequest ( Operation op, const QNetworkRequest & req, QIODevice * outgoingData = 0 );
};

class myNetworkAccessManager : public QNetworkAccessManager
{
	Q_OBJECT

public:
	myNetworkAccessManager ();

protected:
	QNetworkReply * createRequest ( Operation op, const QNetworkRequest & req, QIODevice * outgoingData = 0 );
};

To copy to clipboard, switch view to plain text mode 

source file:

Qt Code:

Switch view

myNetworkAccessManager ::myNetworkAccessManager (){
}
 
QNetworkReply * myNetworkAccessManager ::createRequest ( Operation op, const QNetworkRequest & req, QIODevice * outgoingData ){
	QSslConfiguration config = req.sslConfiguration();
	config.setPeerVerifyMode(QSslSocket::VerifyNone);
	config.setProtocol(QSsl::TlsV1);
	QNetworkRequest request(req);
	request.setSslConfiguration(config);
	return QNetworkAccessManager::createRequest(op, request, outgoingData);
}

myNetworkAccessManager ::myNetworkAccessManager (){
}

QNetworkReply * myNetworkAccessManager ::createRequest ( Operation op, const QNetworkRequest & req, QIODevice * outgoingData ){
	QSslConfiguration config = req.sslConfiguration();
	config.setPeerVerifyMode(QSslSocket::VerifyNone);
	config.setProtocol(QSsl::TlsV1);
	QNetworkRequest request(req);
	request.setSslConfiguration(config);
	return QNetworkAccessManager::createRequest(op, request, outgoingData);
}

To copy to clipboard, switch view to plain text mode 

Hope this helps. Good luck!

[ventura]

This is what works for me.

class SslNetworkAccessManager : public QNetworkAccessManager
{
Q_OBJECT
public:
SslNetworkAccessManager();


protected:
QNetworkReply* createRequest(Operation op, const QNetworkRequest & req, QIODevice * outgoingData = 0);
};

And the implementation:


SslNetworkAccessManager::SslNetworkAccessManager()
{
}



QNetworkReply* SslNetworkAccessManager::createRequest(Operation op, const QNetworkRequest& req, QIODevice* outgoingData)
{
QNetworkReply* reply = QNetworkAccessManager::createRequest(op, req, outgoingData);
reply->ignoreSslErrors();
return reply;
}

[Software]

Hi All,

I am new in Qt programming, i need your help to resolve an issue.
I want to display certificate information of secured website in "Qt demo brower", for this i write code to display but i am unable to get "defaultCaCertificate", "caCertificate" and "peerCertificateChain".
Do we need any type of initilization before using these APIs ?

Every time when i call below code it retrive 0 items in dCaCertificates.
QList<QSslCertificate> dCaCertificates = QSslSocket::defaultCaCertificates();

But i am able to get system certificates using below code:
QList<QSslCertificate> sysCertificates = QSslSocket::systemCaCertificates();

Please help me, its urgent.

Regards,
Pranay

[Software]

Hi Pranay,

If you want to get and display certificate details in Qt demo browser, here is the code:
First of all to peerCertificateChain details, one can use the SLOT sslError, the argument within this SLOT named QNetworkReply have all the details of peerCertificateChain and peerCertificate.

void NetworkAccessManager::sslError(QNetworkReply *reply, const QList<QSslError> &error)
{
QList<QSslCertificate> peerCertificateChain = reply->sslConfiguration().peerCertificateChain();
}

Thanks & Regards,
Software

[zerokewl]

@10ventura
Just signed up to say thank-you for your Implementation of Subclassing QNetworkAccessManager, after doing that, this resolved my problem.

However my problem of getting "Invalid SSL Handshake" was when i tried moving my class which was using QNetworkAccessManager to another thread that subclassed QObject (for signals and slots) using className->moveToThread(threadName).

If i didn't move to another thread my SLOT to receive SSL Errors worked and was able to "reply->setIgnoreSSLErrors".

Regardless of the different situation,

Thank you again :-)


EDIT: After doing this i was able to receive a reply, however after receiving.. my connect(manager, SIGNAL(finished(QNetworkReply*)), manager, SLOT(deleteLater())); would cause my program to crash..
After removing the line, it doens't crash. Any thoughts?

2nd Edit: I use this new Subclass of QNetworkAccessManager by creating a new class every time i make new requests. Only the first time it is called, having the slot connected to delete the manager is it crashing the program, further on when a new instance of class is created, it connects and deletes the manager without crashing..

NetworkAccessManager *manager = new NetworkAccessManager();
//connect(manager, SIGNAL(finished(QNetworkReply*)), manager, SLOT(deleteLater())); //This line causes program to terminate/crash
connect(manager, SIGNAL(sslErrors(QNetworkReply*,QList<QSslError>)) , this, SLOT(sslErrors(QNetworkReply*,QList<QSslError>)));

..then later when i make another request
NetworkAccessManager *manager = new NetworkAccessManager();
connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(getAlbumCoverImageDataReply(QNetworkReply*))) ;
connect(manager, SIGNAL(finished(QNetworkReply*)), manager, SLOT(deleteLater())); //doesn't crash app?
connect(manager, SIGNAL(sslErrors(QNetworkReply*,QList<QSslError>)) , this, SLOT(sslErrors(QNetworkReply*,QList<QSslError>)));


Thanks.