QTBUG-33228

Incomplete client certificate chain results in TLS handshake failure


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 4.6.2
    • Fix Version/s: 5.3.0
    • Component/s: Network: SSL
    • Labels:
      None
    • Commits:
      5773a5cd50fac6d7348805f785df0cf29f4388b9

      Description

      The failure is caused by the way OpenSSL constructs the client certificate chain before sending it to the server, and how Qt handles verification errors in its callback. If OpenSSL cannot complete the chain, TLS connections fail with an error message, "The issuer certificate of a locally looked up certificate could not be found".

      In QSslSocketBackendPrivate::initSslContext() in qsslsocket_openssl.cpp, Qt registers a callback:

      // Register a custom callback to get all verification errors.
      X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);

      In ssl3_output_cert_chain() in s3_both.c, OpenSSL verifies the client certificate:

      if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
              {
              SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
              return(0);
              }
      X509_verify_cert(&xs_ctx);
      /* Don't leave errors in the queue */
      ERR_clear_error();

      X509_verify_cert() is only called to complete the chain as far as possible, and the intent is to ignore verification errors. But the side effects of the Qt-registered callbacks persist, leading to the failure.

      Related mailing list discussions:

      http://marc.info/?t=137604275300009&r=1&w=2 (on openssl-users)
      http://lists.qt-project.org/pipermail/development/2013-August/012423.html
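
      The interaction described above, reduced to a self-contained C model. This is an added example, not code from Qt, OpenSSL or the fix commit; it calls no OpenSSL functions, and every name in it (model_verify, record_always, record_peer_only and so on) is hypothetical. It shows that a callback which records errors as a side effect still reports one when the caller ignores the verification result, and, as one illustrative mitigation, that scoping the recording to peer verification avoids this without hiding real peer errors.

```c
/* Model only: no OpenSSL calls; every name below is hypothetical. */
#include <stdio.h>

enum { MODEL_ERR_NO_LOCAL_ISSUER = 1 };      /* constructed error code */
typedef int (*verify_cb)(int ok, int err);

static int recorded[8];                      /* errors the callback captured */
static int n_recorded;
static int peer_phase;                       /* 1 while verifying the peer */

/* Records every error, whichever verification triggered it. */
static int record_always(int ok, int err) {
    if (!ok && n_recorded < 8) recorded[n_recorded++] = err;
    return ok;
}

/* Records only errors raised while the peer's chain is being verified. */
static int record_peer_only(int ok, int err) {
    return peer_phase ? record_always(ok, err) : ok;
}

/* Stand-in for X509_verify_cert(): failures go through the callback. */
static int model_verify(verify_cb cb, int chain_ok) {
    return chain_ok ? 1 : cb(0, MODEL_ERR_NO_LOCAL_ISSUER);
}

/* Stand-in for the chain output step: the result is ignored on purpose. */
static void output_own_chain(verify_cb cb, int own_chain_complete) {
    (void)model_verify(cb, own_chain_complete);
}

/* Client handshake; returns how many errors the application will see. */
static int model_handshake(verify_cb cb, int peer_ok, int own_chain_complete) {
    n_recorded = 0;
    peer_phase = 1;
    (void)model_verify(cb, peer_ok);          /* verify the server's chain */
    peer_phase = 0;
    output_own_chain(cb, own_chain_complete); /* build our own chain */
    return n_recorded;
}

int main(void) {
    printf("always, incomplete own chain: %d error(s)\n",
           model_handshake(record_always, 1, 0));
    printf("peer-only, incomplete own chain: %d error(s)\n",
           model_handshake(record_peer_only, 1, 0));
    return 0;
}
```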


              People

              Assignee:
              richmoore Richard Moore (qtnetwork)
              Reporter:
              fweimer Florian Weimer