articles-logo

QSslSocket for SSL Beginners

articles-logo

As an avid Qt user, the biggest challenge I faced with using QSslSockets was having little to no experience with ssl certificates. A QSslSocket can give you an encrypted TCP socket without adding any ssl certificates. If you have a server using a QSslSocket and want to authenticate the client, or you are client and you want to authenticate the server, or both, you need to add ssl certificates.

Generating SSL certificates for use with QSslSocket

Create two CA certificates, a red one and a blue one. Red and Blue are just arbitrary names to distinguish the certificates. blue_ca.pem will be used on the server and red_ca.pem will be used on the client.

openssl req -out blue_ca.pem -new -x509 -nodes
mv privkey.pem blue_privkey.pem
openssl req -out red_ca.pem -new -x509 -nodes
mv privkey.pem red_privkey.pem

Next create two files called blue_index.txt and red_index.txt. Open them in a text editor and place two zero digits at their beginnings. Eg. 00

Next create local certificate/key pairs derived from the CA certificates. When entering the info for red_local.req, be sure that the FQDN matches the IP address / host name of the server. The example uses local host 127.0.0.1

openssl genrsa -out blue_local.key 1024
openssl req -key blue_local.key -new -out blue_local.req
openssl x509 -req -in blue_local.req -CA blue_ca.pem -CAkey blue_privkey.pem -CAserial blue_index.txt -out blue_local.pem

openssl genrsa -out red_local.key 1024
openssl req -key red_local.key -new -out red_local.req
openssl x509 -req -in red_local.req -CA red_ca.pem -CAkey red_privkey.pem -CAserial red_index.txt -out red_local.pem

blue_local.pem and red_local.pem are the local certificates and red_local.key and blue_local.key are their associated private keys. blue_local will be used on the client and red_local will be used on the server. (opposed to the CAs)

Note: One gotcha I ran into is that the info entered into each certificate must be different from certificate to certificate or strange things happen.

Using the certificates for Authentication

QSslSocket has apis for adding both kinds of certificates, CA and local, and the local certificate's associated key.

addCaCertificate() for the CA certificate.

setLocalCertificate() for the local certificate.

setPrivateKey() for the private key for the local certificate.

Now the tricky part. Lets look at three examples......

Server performing Client Authentication

Example code and summery of differences....

Server

Client

Client performing Server Authentication

Example code and summery of differences....

Server

Client

Both Client and Server Authentication

Example code and summery of differences....

Server

Client



March 2018