Details
Suggestion
Resolution: Done
P3: Somewhat important
5.9, 5.12
None
Qt-5.9.7
Linux
58c9c4b60991d2665aef29c5981591391524e108
Description
I tried, as a client, to connect to a WebSocket server via wss. In the URL I entered the IP address of the server (172.18.12.211).
Every time I got the error:
SSL Error: The host name did not match any of the valid hosts for this certificate
I looked inside the server certificate but everything seemed OK to me:
X509v3 Subject Alternative Name:
IP Address:FE80:0:0:0:316D:360F:7CCF:23FB, IP Address:172.18.12.211, DNS:*.domain.com, DNS:localhost
So I had a look at the Qt sources, especially qtbase/src/network/ssl/qsslsocket.cpp:
There I could see that it searches for DNS entries in the "Subject Alternative Name" of a certificate, but not for IP Address entries.

```cpp
bool QSslSocketPrivate::isMatchingHostname(const QSslCertificate &cert, const QString &peerName)
{
    const QString lowerPeerName = QString::fromLatin1(QUrl::toAce(peerName));
    const QStringList commonNames = cert.subjectInfo(QSslCertificate::CommonName);

    for (const QString &commonName : commonNames) {
        if (isMatchingHostname(commonName, lowerPeerName))
            return true;
    }

    const auto subjectAlternativeNames = cert.subjectAlternativeNames();
    // Only QSsl::DnsEntry alternative names are looked up (the line highlighted in the report).
    const auto altNames = subjectAlternativeNames.equal_range(QSsl::DnsEntry);
    for (auto it = altNames.first; it != altNames.second; ++it) {
        if (isMatchingHostname(*it, lowerPeerName))
            return true;
    }
    return false;
}
```
Since "IP Address" is a valid entry in the "Subject Alternative Name" of a certificate, I'm wondering why this is not considered in the Qt sources.
Issue Links
- is duplicated by QTBUG-72863 Websocket client can not connect with server by IP adress (Closed)