Details
- Suggestion
- Resolution: Out of scope
- P4: Low
- 4.3.0
- None
Description
QSslSocket - Defer client certificate/key set
What I did:
When working as a client, the current implementation requires the developer to know in advance if the server requires client authentication and which client certificate/key to use.
This is not a valid approach for interactive applications, for example a browser, that need to open a connection with a server, not knowing that it will request a client certificate, and which chain it accepts.
What I expected to see:
I expect to see a clientCertificateRequest signal to be raised, so that the user may:
1. Examine peerCertificateChain()
2. Enumerate available valid local certificates.
3. Call setLocalCertificate(), setPrivateKey()
4. Return so that the negotiation may proceed.
Of course the developer may not set a certificate at this point, so the negotiation will continue without a client certificate. This is a VALID state, since the server may require an optional client certificate.
What I got instead:
No way to set client certificate during negotiation.
This is extremely important for browser implementation, since, as it is now, current behavior cannot be implemented.
More info:
OpenSSL API that may help you:
1. SSL_CTX_get_app_data()/SSL_CTX_set_app_data() - allow getting/setting (this) in the context.
2. SSL_CTX_get_client_cert_cb()/SSL_CTX_set_client_cert_cb() - allow getting/setting the client certificate callback; this will be called during negotiation if a client certificate is requested.
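
Added example, not part of the original report and not Qt or OpenSSL code: a self-contained C model of step 2 of the flow requested above, filtering the local store down to the identities worth offering once the server's request is known. The `identity` struct, `usable_identities()` and the sample data are hypothetical; matching is by direct issuer name only, with no chain building.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of one entry in the local certificate store. */
struct identity {
    const char *issuer;            /* DN of the issuing CA */
    time_t not_before, not_after;  /* validity window */
    int has_private_key;           /* a cert without its key cannot authenticate */
};

/* Constructed sample data: CA names the server sent, and the local store. */
const char *const sample_cas[] = { "CN=Example Corp Client CA" };
const struct identity sample_store[] = {
    { "CN=Example Corp Client CA", 1000, 2000, 1 },  /* usable */
    { "CN=Other CA",               1000, 2000, 1 },  /* issuer not accepted */
    { "CN=Example Corp Client CA", 1000, 1500, 1 },  /* expired at t=1800 */
    { "CN=Example Corp Client CA", 1000, 2000, 0 },  /* no private key */
};

static int issuer_accepted(const char *const *cas, size_t n_cas, const char *issuer)
{
    if (n_cas == 0)   /* server named no CA: any issuer may be offered */
        return 1;
    for (size_t i = 0; i < n_cas; i++)
        if (strcmp(cas[i], issuer) == 0)
            return 1;
    return 0;
}

/*
 * Write the indices of identities worth offering to the user into out[]
 * (capacity n) and return how many there are. A return of 0 means the
 * handler sets nothing and the handshake continues without a client
 * certificate, which is valid when the server treats it as optional.
 */
size_t usable_identities(const char *const *cas, size_t n_cas,
                         const struct identity *store, size_t n,
                         time_t now, size_t *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!store[i].has_private_key) continue;
        if (now < store[i].not_before || now > store[i].not_after) continue;
        if (!issuer_accepted(cas, n_cas, store[i].issuer)) continue;
        out[count++] = i;
    }
    return count;
}
```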
Issue Links
- relates to: QTBUG-8405 Make QSslSocket emit a signal if the server requests that the client identify itself with a certificate (Closed)