Details
-
Task
-
Resolution: Won't Do
-
P3: Somewhat important
-
None
-
5.11.0
-
None
-
e5438e8ded27eb6f7f0e85704d6843069296c698 (qt/qtbase/wip/cmake)
Description
When the TLS handshake fails, because of an unknown client certificate on the server side, the server should send an alert (handshake_failure(40) or certificate_unknown(46)).
This is implemented by OpenSSL. But Qt uses OpenSSL in a wrong way returning 1 in the q_X509Callback all the time. OpenSSL will only generate the alert, when the return value is 0. Next problem is, that even with a returning 0, Qt does not send the generated alert and closes the socket immediately.
See also https://github.com/openssl/openssl/issues/6294
The use case is, to do a pairing with RSA-PSK, storing the client certificate on the server. Following connections will use (EC)DHE-RSA, while using the stored certificates as CA certificates on the server. The alert is needed to check that the pairing failed because of a missing certificate to delete the pairing on the client too.