
I am new to SSL / networking and want to utilize mutual SSL (client verifies server and server verifies peer). I found a white paper (http://www.infidigm.net/articles/qsslsocket_for_ssl_beginners/) online that gave me some guidance for setting up my certs and keys. Now this paper utilizes a localhost IP address as the client's cert file. I want to switch this to a registered domain name (scp.radiant.io). This FQDN is local to my Ubuntu OS for testing purposes.

  1. Updated my localhost to have a domain name (scp.radiant.io) by modifying this file (sudo nano /etc/hosts) to say 127.0.0.1 scp.radiant.io localhost

  2. Next I create certificates and private keys for both client and server.

    a. Steps for generating certs (example for the server below; the same commands are run for the client to create the client certs):

        # NAME is "server" here; the same script is run with NAME=client
        openssl req -out server_ca.pem -new -x509 -nodes -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
        # without -keyout, openssl req writes the new key to privkey.pem (the openssl.cnf default)
        mv privkey.pem server_privatekey.pem
        touch server_index.txt
        echo "00" >> server_index.txt
        openssl genrsa -out server_local.key 1024
        openssl req -key ${NAME}_local.key -new -out server_local.req -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=scp.radiant.io/emailAddress=$EMAIL"
        openssl x509 -req -in ${NAME}_local.req -CA ${NAME}_ca.pem -CAkey server_privatekey.pem -CAserial server_index.txt -out server_local.pem

    b. This generates the CA certs (server_ca.pem and client_ca.pem).

    c. This generates the local cert files (server_local.pem and client_local.pem). THIS IS WHERE I SET THE FQDN to scp.radiant.io.

    d. This generates the local keys (server_local.key and client_local.key).

  3. I use the generated cert files for setting up the SSL configuration on the QSslSocket for both sides like so:

        #include <QFile>
        #include <QSslCertificate>
        #include <QSslConfiguration>
        #include <QSslKey>
        #include <QSslSocket>

        // load a PEM private key from disk; setPrivateKey() takes a QSslKey, not a file path
        static QSslKey loadKey(const QString &path) {
            QFile f(path);
            f.open(QIODevice::ReadOnly);
            return QSslKey(f.readAll(), QSsl::Rsa);
        }

        // client socket setup
        QSslConfiguration config = QSslConfiguration::defaultConfiguration();
        config.setPrivateKey(loadKey("server_local.key"));
        config.setLocalCertificate(QSslCertificate::fromPath("server_local.pem").first());
        config.addCaCertificate(QSslCertificate::fromPath("client_ca.pem").first()); // CA that signed the peer's cert
        config.setPeerVerifyMode(QSslSocket::VerifyPeer); // enum value, not a string
        sslSocket->setSslConfiguration(config);
        sslSocket->connectToHostEncrypted("scp.radiant.io", 1200);

        // server socket setup (in the server process)
        config.setPrivateKey(loadKey("client_local.key"));
        config.setLocalCertificate(QSslCertificate::fromPath("client_local.pem").first());
        config.addCaCertificate(QSslCertificate::fromPath("server_ca.pem").first());
        config.setPeerVerifyMode(QSslSocket::VerifyPeer);
        sslSocket->setSslConfiguration(config);
        sslSocket->startServerEncryption();
    
  4. When running this code I get the following error in my SSL errors: "The host name did not match any of the valid hosts for this certificate".

  5. Now if I change the client socket to use this when connecting: sslSocket->connectToHostEncrypted("scp.radiant.io", 1200, "scp.radiant.io"); it will work.

I don't understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like to use the same certificates for my WebSockets implementation as well, but the QWebSocket class does not allow you to set the peerVerifyHost when connecting. So I must be doing something wrong at the cert level or the OS level for my FQDN. Any networking and SSL help would be helpful.
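As an added example (not part of the question, and not Qt project code), the script below mints a throwaway CA and a leaf certificate for scp.radiant.io that carries the name in a subjectAltName, then runs OpenSSL's own chain-plus-hostname check against it. The temporary directory and file names (ca.pem, leaf.pem, san.cnf) are assumptions; it lets the certificate be validated for the connect name outside Qt before the socket code is debugged.

```shell
#!/bin/sh
# Added example, not from the question: mint a throwaway CA and a leaf cert
# whose subjectAltName carries the FQDN the client connects to, then run
# OpenSSL's chain + hostname check on it. All files live in a temp dir
# (file names here are assumptions, not the question's server_*/client_*).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="scp.radiant.io"   # the name later passed to connectToHostEncrypted()

# 1. Self-signed CA (same role as server_ca.pem / client_ca.pem in the question).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=test-ca" 2>/dev/null

# 2. Leaf key and CSR. A CN alone is not what modern verifiers look at first;
#    the host name is matched against SAN dNSName entries.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=$FQDN" 2>/dev/null

# 3. Sign with the CA, adding the SAN through an extension file
#    (x509 -req ignores CSR extensions unless told to copy them).
printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
  -out "$WORK/leaf.pem" 2>/dev/null

# verify_host NAME: exit 0 only if leaf.pem chains to ca.pem AND NAME matches
# the certificate, i.e. what a VerifyPeer client requires of its peer.
verify_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

verify_host "$FQDN" && echo "hostname $FQDN: OK"
verify_host "www.radiant.io" || echo "hostname www.radiant.io: rejected (expected)"
```

Needs OpenSSL 1.1.0 or newer for -verify_hostname; if the first check fails on your own certificate, the name you connect with is not in it, regardless of what the CN says.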

1 Answer


I think you can ignore this error using "ignoreSslErrors" and let the handshake continue.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 04 '23 at 03:27