Thread: QSslCertificate not populating Subject Alternative Names

  1. #1
    Join Date
    Sep 2015
    Posts
    4
    Qt products
    Qt5
    Platforms
    Unix/X11 Windows

    QSslCertificate not populating Subject Alternative Names

    I am getting SSL handshake errors making a request due to the SAN not being read from the certificate. In the on_SSLErrors, I dump out the peer certificate. Using cert.toPem(), I decode it at https://www.sslshopper.com/certificate-decoder.html. This shows the Subject Alternative Names. But in the cert in Qt, I get an empty map from cert.subjectAlternativeNames().

    My dumpCert function:

    Qt Code:
    #include <QDateTime>
    #include <QDebug>
    #include <QMultiMap>
    #include <QSslCertificate>

    // MyRequest is the poster's own class; its header is not shown in the thread.
    // Dumps the PEM, subject, SAN, issuer and validity fields of a certificate.
    void MyRequest::dumpCertificate( const QSslCertificate &cert )
    {
        qDebug() << cert.toPem();

        qDebug() << "\n== Subject Info ==";
        qDebug() << "CommonName: " << cert.subjectInfo( QSslCertificate::CommonName );
        qDebug() << "Organization: " << cert.subjectInfo( QSslCertificate::Organization );
        qDebug() << "LocalityName: " << cert.subjectInfo( QSslCertificate::LocalityName );
        qDebug() << "OrganizationalUnitName: " << cert.subjectInfo( QSslCertificate::OrganizationalUnitName );
        qDebug() << "StateOrProvinceName: " << cert.subjectInfo( QSslCertificate::StateOrProvinceName );

        // Only DNS and e-mail entries are queried here.
        QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();
        if ( !altNames.isEmpty() ) {
            qDebug() << "Subject Alternate Names (DNS):";
            foreach (const QString &altName, altNames.values(QSsl::DnsEntry)) {
                qDebug() << altName;
            }

            qDebug() << "Alternate Subject Names (Email):";
            foreach (const QString &altName, altNames.values(QSsl::EmailEntry)) {
                qDebug() << altName;
            }
        }
        else {
            qDebug() << "No Subject Alternate Names";
        }

        qDebug() << "\n== Issuer Info ==";
        qDebug() << "CommonName: " << cert.issuerInfo( QSslCertificate::CommonName );
        qDebug() << "Organization: " << cert.issuerInfo( QSslCertificate::Organization );
        qDebug() << "LocalityName: " << cert.issuerInfo( QSslCertificate::LocalityName );
        qDebug() << "OrganizationalUnitName: " << cert.issuerInfo( QSslCertificate::OrganizationalUnitName );
        qDebug() << "StateOrProvinceName: " << cert.issuerInfo( QSslCertificate::StateOrProvinceName );

        qDebug() << "\n== Certificate ==";
        qDebug() << "Serial Number: " << cert.serialNumber();
        qDebug() << "Effective Date: " << cert.effectiveDate().toString();
        qDebug() << "Expiry Date: " << cert.expiryDate().toString();
    }

  2. #2

    Re: QSslCertificate not populating Subject Alternative Names

    Parsing the extensions I get:

    DEBUG 2015-09-18T10:52:21.234 "Exentensions: 4"
    DEBUG 2015-09-18T10:52:21.234 "\"basicConstraints\" IsSupported: true"
    DEBUG 2015-09-18T10:52:21.234 "\"keyUsage\" IsSupported: false"
    DEBUG 2015-09-18T10:52:21.234 "\"extendedKeyUsage\" IsSupported: false"
    DEBUG 2015-09-18T10:52:21.234 "\"subjectAltName\" IsSupported: false"

    So this means that Subject Alternative Names isn't supported. How do I enable support for this?


    Added after 44 minutes:


    It seems that the SAN in the cert looks like this:

    Subject Alternative Names: IP Address:127.0.0.1, IP Address:10.8.0.1, IP Address:174.36.209.157

    Could it be that it isn't returning anything because

    Qt Code:
    QMultiMap<QSsl::AlternativeNameEntryType, QString> altNames = cert.subjectAlternativeNames();

    is expecting one of these:

    Qt Code:
    enum AlternativeNameEntryType {
        EmailEntry,
        DnsEntry
    };


    Added after 54 minutes:


    I downloaded their source to see how they were populating the SAN stuff. Apparently, they only populate it if it is a DNS or Email entry. I found a sample cert online to parse to test this. I was right:

    Qt Code:
    DEBUG 2015-09-18T12:34:04.894 "Subject Alternate Names (DNS):"
    DEBUG 2015-09-18T12:34:04.897 "\"uat-apas.sait.ca\""
    DEBUG 2015-09-18T12:34:04.897 "\"uat-integration.sait.ca\""
    DEBUG 2015-09-18T12:34:04.898 "\"cp-uat.sait.ca\""
    DEBUG 2015-09-18T12:34:04.898 "\"cp.sait.ca\""
    DEBUG 2015-09-18T12:34:04.898 "\"sait.ca\""
    DEBUG 2015-09-18T12:34:04.898 "\"*.sait.ca\""
    DEBUG 2015-09-18T12:34:04.898 "Alternate Subject Names (Email):"

    Thoughts? Do I just add the IP as a DNS entry in our certs?
    Last edited by jeremiah; 18th September 2015 at 17:56.

  3. #3

    Re: QSslCertificate not populating Subject Alternative Names

    I added the IP address to a DNS entry in the SAN. I no longer get the SSL handshake errors.
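
Added example (not part of the thread and not Qt's code): a subjectAltName extension is a DER list of GeneralName entries told apart by tag, so a reader that keeps only dNSName and rfc822Name entries returns nothing for an IP-only certificate like the one in post #2. The byte string is constructed from the three addresses quoted there; `parseSan`, `dnsAndEmailOnly` and `kIpOnlySan` are hypothetical names, and only short-form DER lengths are handled.

```cpp
// Added example (not Qt source): classify subjectAltName entries by tag (RFC 5280).
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

enum class SanType { Email = 0x81, Dns = 0x82, Uri = 0x86, Ip = 0x87, Other = 0 };
using SanEntry = std::pair<SanType, std::string>;

// Parses a DER SEQUENCE OF GeneralName; short-form lengths (< 128) only.
std::vector<SanEntry> parseSan(const std::vector<uint8_t> &der) {
    if (der.size() < 2 || der[0] != 0x30 || der[1] >= 0x80 ||
        der.size() != size_t(der[1]) + 2)
        throw std::runtime_error("unsupported or malformed GeneralNames");
    std::vector<SanEntry> out;
    for (size_t i = 2; i < der.size();) {
        if (i + 2 > der.size() || i + 2 + der[i + 1] > der.size())
            throw std::runtime_error("truncated GeneralName");
        const uint8_t tag = der[i], len = der[i + 1];
        const uint8_t *v = der.data() + i + 2;
        char ip[16] = "";
        if (tag == 0x87 && len == 4)  // IPv4 iPAddress: four raw octets
            std::snprintf(ip, sizeof ip, "%d.%d.%d.%d", v[0], v[1], v[2], v[3]);
        if (tag == 0x81 || tag == 0x82 || tag == 0x86)  // IA5String payloads
            out.emplace_back(static_cast<SanType>(tag), std::string(v, v + len));
        else
            out.emplace_back(ip[0] ? SanType::Ip : SanType::Other, ip);
        i += 2 + len;
    }
    return out;
}

// DNS/e-mail-only view, as post #2 reports for subjectAlternativeNames().
std::vector<SanEntry> dnsAndEmailOnly(const std::vector<SanEntry> &all) {
    std::vector<SanEntry> kept;
    for (const auto &e : all)
        if (e.first == SanType::Dns || e.first == SanType::Email) kept.push_back(e);
    return kept;
}

// Constructed sample: SAN holding the three IP addresses quoted in the thread.
const std::vector<uint8_t> kIpOnlySan = {0x30, 0x12, 0x87, 0x04, 127, 0, 0, 1,
    0x87, 0x04, 10, 8, 0, 1, 0x87, 0x04, 174, 36, 209, 157};

int main() {  // stand-alone run: three Ip entries parsed, none survive the filter
    const auto all = parseSan(kIpOnlySan);
    std::printf("%zu parsed, %zu kept\n", all.size(), dnsAndEmailOnly(all).size());
}
```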
