Details
Type: Task
Resolution: Won't Do
Priority: P3: Somewhat important
None
5.11.0
None
Commits: e5438e8ded27eb6f7f0e85704d6843069296c698 (qt/qtbase/wip/cmake)
Description
When the TLS handshake fails because of an unknown client certificate on the server side, the server should send an alert (handshake_failure(40) or certificate_unknown(46)).
This is implemented by OpenSSL, but Qt uses OpenSSL in the wrong way, returning 1 from q_X509Callback all the time. OpenSSL will only generate the alert when the return value is 0. The next problem is that even when 0 is returned, Qt does not send the generated alert and closes the socket immediately.
See also https://github.com/openssl/openssl/issues/6294
The use case is to do a pairing with RSA-PSK, storing the client certificate on the server. Subsequent connections will use (EC)DHE-RSA, with the stored certificates used as CA certificates on the server. The alert is needed to check that the pairing failed because of a missing certificate, so that the pairing can be deleted on the client too.
For Gerrit Dashboard: QTBUG-68419

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 279576,29 | QSslSocket (OpenSSL) improve alert messages handling | dev | qt/qtbase | MERGED | +2 | 0 |
| 279902,3 | QSslSocket (OpenSSL) improve alert messages handling | dev | qt/qtbase | ABANDONED | 0 | 0 |
| 287021,2 | Use the new functions/signals introduced in QSslSocket | dev | qt/qtwebsockets | MERGED | +2 | 0 |