QSslSocket for SSL Beginners |
As an avid Qt user, the biggest challenge I faced with using QSslSockets was having little to no experience with ssl certificates. A QSslSocket can give you an encrypted TCP socket without adding any ssl certificates. If you have a server using a QSslSocket and want to authenticate the client, or you are client and you want to authenticate the server, or both, you need to add ssl certificates.
Create two CA certificates, a red
one and a blue
one. Red and Blue are just arbitrary names to distinguish the certificates. blue_ca.pem will be used on the server and red_ca.pem will be used on the client.
openssl req -out blue_ca.pem -new -x509 -nodes
mv privkey.pem blue_privkey.pem
openssl req -out red_ca.pem -new -x509 -nodes
mv privkey.pem red_privkey.pem
Next create two files called blue_index.txt and red_index.txt. Open them in a text editor and place two zero digits at their beginnings. Eg. 00
Next create local certificate/key pairs derived from the CA certificates. When entering the info for red_local.req, be sure that the FQDN matches the IP address / host name of the server. The example uses local host 127.0.0.1
openssl genrsa -out blue_local.key 2048
openssl req -key blue_local.key -new -out blue_local.req
openssl x509 -req -in blue_local.req -CA blue_ca.pem -CAkey blue_privkey.pem -CAserial blue_index.txt -out blue_local.pem
openssl genrsa -out red_local.key 2048
openssl req -key red_local.key -new -out red_local.req
openssl x509 -req -in red_local.req -CA red_ca.pem -CAkey red_privkey.pem -CAserial red_index.txt -out red_local.pem
blue_local.pem and red_local.pem are the local certificates and red_local.key and blue_local.key are their associated private keys. blue_local will be used on the client and red_local will be used on the server. (opposed to the CAs)
Note: One gotcha I ran into is that the info entered into each certificate must be different from certificate to certificate or strange things happen.
QSslSocket has apis for adding both kinds of certificates, CA and local, and the local certificate's associated key.
addCaCertificate() for the CA certificate.
setLocalCertificate() for the local certificate.
setPrivateKey() for the private key for the local certificate.
Now the tricky part. Lets look at three examples......
Example code and summery of differences....
Server
Client
Example code and summery of differences....
Server
Client
Example code and summery of differences....
Server
Client