Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-73605

Optionally using client certificate with HTTPs does not work as expected

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Not Evaluated
    • Resolution: Won't Do
    • Affects Version/s: 5.9.3, 5.12.1
    • Fix Version/s: None
    • Component/s: Network: HTTP, Network: SSL
    • Labels:
      None
    • Environment:
      macOS 10.14, xcode 10.1
    • Platform/s:
      macOS

      Description

      So we have an application server (apache). We started to add client side certificates to check some operations. We use exactly 1 QNAM for the whole application. It seems that once you start an http request the configuration can get mixed up.

      In the following example, I'm doing a simple GET and then a POST with client certificate. But from the server I'm getting that the client is not sending its certificate.

      If we don't do the initial GET, the POST works exactly as expected. My first suspicion was that this was due to keep-alive because reusing the same tls connection to the server could potentially have that effect but even disabling it does not help.

      The only workaround I found was to use 2 different QNAM (1 for the client cert and the other one for the requests that don't require a client certificate).

      Is that a use-case that you are planning on supporting in the future?

       

      Here is the code. To reproduce you'll have to setup an http server, with 1 non protected url and 1 protected url and have a client certificate setup as well.

       

       #include <QtCore>
      #include <QtNetwork>
      
      
      int main(int argc, char **argv)
      {
          QCoreApplication app(argc, argv);
          qWarning() << "START";
      
      
          QNetworkAccessManager mgr;
      
      
          QFile keyFile("/private/var/FWBooster/booster.key");
          keyFile.open(QIODevice::ReadOnly);
          QSslKey key(&keyFile, QSsl::Ec);
          QFile certFile("/private/var/FWBooster/booster.crt");
          certFile.open(QIODevice::ReadOnly);
          QSslCertificate cert(&certFile);
      
      
          //problem here (change the value to 1 to avoid the call
          if (argc > 0) {
              QNetworkReply *reply = mgr.get(QNetworkRequest(QUrl("https://tb.filewave.ch:20443")));
              QObject::connect(reply, &QNetworkReply::finished, []() {
                  qWarning() << "FINISHED GET";
              });
          }
      
      
          QNetworkRequest req(QUrl("https://tb.filewave.ch:20443/auth/client/certificate_renewal"));
          QSslConfiguration conf = QSslConfiguration::defaultConfiguration();
          conf.setLocalCertificate(cert);
          conf.setPrivateKey(key);
          req.setSslConfiguration(conf);
      
      
          QNetworkReply *reply = mgr.post(req, QByteArray());
          QObject::connect(reply, &QNetworkReply::finished, [reply]() {
              qWarning() << "FINISHED" << reply->errorString();
          });
      
      
          return app.exec();
      }
      
      
      

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            • Assignee:
              tpochep Timur Pocheptsov
              Reporter:
              thierryb Thierry Bastian
            • Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Gerrit Reviews

                There are no open Gerrit changes