Qt bug tracker: QTBUG-68419

Missing TLS-Alert on a handshake failure


Details

    • Type: Task
    • Resolution: Won't Do
    • Priority: P3: Somewhat important
    • Labels: None
    • Affects Version/s: 5.11.0
    • Component/s: Network: SSL
    • Fix Version/s: None
    • Commits: e5438e8ded27eb6f7f0e85704d6843069296c698 (qt/qtbase/wip/cmake)

    Description

      When the TLS handshake fails because of an unknown client certificate on the server side, the server should send an alert (handshake_failure(40) or certificate_unknown(46)).

      This is implemented by OpenSSL, but Qt uses OpenSSL in a wrong way, returning 1 from q_X509Callback all the time. OpenSSL will only generate the alert when the return value is 0. The next problem is that even when 0 is returned, Qt does not send the generated alert and closes the socket immediately.

      See also https://github.com/openssl/openssl/issues/6294

      The use case is to do a pairing with RSA-PSK, storing the client certificate on the server. Subsequent connections will use (EC)DHE-RSA, using the stored certificates as CA certificates on the server. The alert is needed to check that the pairing failed because of a missing certificate, so that the pairing can be deleted on the client too.
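      The behaviour the report asks for, shown as an added Go example (not Qt or OpenSSL code): a server that trusts only a stored "paired" client certificate as its client CA, and a client that can tell, from the alert the server sends, that its certificate was rejected. Go's crypto/tls sends bad_certificate(42) here rather than the handshake_failure(40) or certificate_unknown(46) named above; the helper names `selfSigned` and `ClientSeesAlert`, and the constructed in-memory certificates, are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds an in-memory self-signed certificate (constructed test data, valid for one hour).
func selfSigned(cn string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ClientSeesAlert runs a loopback server that trusts only the stored `paired` certificate for client
// auth, connects with `client`, and reports whether the client received a TLS alert from the server.
func ClientSeesAlert(paired, client tls.Certificate) bool {
	pool := x509.NewCertPool()
	ca, _ := x509.ParseCertificate(paired.Certificate[0])
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: pool, Certificates: []tls.Certificate{selfSigned("server")}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side: a failed client-cert check makes Handshake itself send the alert
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
		InsecureSkipVerify: true}) // test-only: the constructed server cert is self-signed
	if err == nil { // TLS 1.3: the client finishes first, so the server's alert surfaces on the first read
		_, err = cli.Read(make([]byte, 1))
		cli.Close()
	}
	return err != nil && strings.Contains(err.Error(), "remote error: tls:")
}
```

      With TLS 1.3 the client's own handshake succeeds before the server has checked the certificate, so an application that only inspects the handshake result will miss the alert; it has to look at the first read as well.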


          People

            Assignee: tpochep Timur Pocheptsov
            Reporter: larss Lars Schmertmann
            Votes: 2
            Watchers: 5
