Thread: QSslSocket hostname mismatch

  1. #1
    Join Date
    Nov 2006
    Posts
    96

    QSslSocket hostname mismatch

    Hi, I need to know why I get this error when authenticating with certificates:

    "The host name did not match any of the valid hosts for this certificate"
    "The root certificate of the certificate chain is self-signed, and untrusted"
    The certificates that I created are:

    server.crt
        Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
        Validity
            Not Before: May 4 23:42:50 2009 GMT
            Not After : May 2 23:42:50 2019 GMT
        Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Server, OU=Server, CN=Server

    client.crt
        Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
        Validity
            Not Before: May 4 23:43:01 2009 GMT
            Not After : May 2 23:43:01 2019 GMT
        Subject: C=SI, ST=Slovenia, L=Ljubljana, O=Client, OU=Client, CN=Client

    ca.crt
        Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com
        Validity
            Not Before: May 4 23:42:47 2009 GMT
            Not After : May 4 23:42:47 2029 GMT
        Subject: C=SI, ST=Slovenia, L=Ljubljana, O=CA, OU=CA, CN=test.com

    Both the server certificate and the client certificate are signed by the CA certificate. And CN=test.com is actually a valid hostname that can be resolved by DNS servers into a WAN IP.

    Any ideas?

  2. #2
    Join Date
    Jan 2006
    Location
    Warsaw, Poland
    Posts
    33,360
    Thanks
    3
    Thanked 5,015 Times in 4,792 Posts
    Qt products
    Qt3 Qt4 Qt5 Qt/Embedded
    Platforms
    Unix/X11 Windows Android Maemo/MeeGo
    Wiki edits
    10

    Re: QSslSocket hostname mismatch

    Common name (CN) has to match the other side's IP and the certificate needs to be signed by a CA that is among those your operating system considers trusted and not by any CA. You can ignore those errors if you wish by connecting appropriate signal to appropriate slot in your application. It's all described in QSslSocket docs.
    Your biological and technological distinctiveness will be added to our own. Resistance is futile.

    Please ask Qt related questions on the forum and not using private messages or visitor messages.


  3. #3
    Re: QSslSocket hostname mismatch

    Doesn't CN match the IP...they are all test.com == so they are all the same (they have the same IP) ?

    Also, if I create a CA cert and self sign it doesn't application trust it...it should.

    Can you be more specific with this? Can you provide an example?

  4. #4
    Re: QSslSocket hostname mismatch

    Originally posted by eleanor:
    > Doesn't CN match the IP...they are all test.com == so they are all the same (they have the same IP) ?

    $ host test.com
    test.com has address 205.178.152.103

    Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?

    > Also, if I create a CA cert and self sign it doesn't application trust it...it should.

    No, it shouldn't.

    > Can you be more specific with this? Can you provide an example?

    I'm not sure what example would you like me to provide. I can't teach you SSL in 5 minutes, take a book on SSL or read a tutorial to understand why a self-signed CA can't be trusted (at least out of the box).


  5. #5
    Re: QSslSocket hostname mismatch

    > $ host test.com
    > test.com has address 205.178.152.103
    >
    > Is 205.178.152.103 your IP on all sides of the communication (client/server/ca)?

    Well how can I declare the certificate then...it's not possible for 205.178.152.103 to be the IP on all sides of the communication.

  6. #6
    Re: QSslSocket hostname mismatch

    Unless you have access to a real CA you won't be able to generate a fully valid certificate so it doesn't really matter what you place there. But if you want to be as close to a proper certificate as possible, you have to place a proper common name on the certificate and ignore the "self-signed certificate" warning. This is really not a place for an SSL tutorial, so searching for one might be a better idea than asking about it here.


  7. #7
    Re: QSslSocket hostname mismatch

    Ok, I didn't find the solution to this problem, so I have a new question: what are the risks of ignoring this error...?

  8. #8
    Re: QSslSocket hostname mismatch

    Originally posted by eleanor:
    > what are the risks of ignoring this error...?

    Vulnerability to "man in the middle" attacks but if you're not doing something that requires a strong protection, you can surely live with it, especially if you "hardcode" trust to some CA and use the same CA for generating every client (and server) certificate.
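
The two errors quoted in the first post come from separate checks: whether the host name matches a name in the server certificate, and whether the chain ends in a CA the client trusts. The script below is an added example, not part of the thread or of Qt: it uses the openssl command line to build a throwaway CA with the thread's CA subject and two server certificates, then checks each against the host name test.com with and without the CA supplied as a trust anchor (file names and function names are assumptions).

```shell
#!/bin/sh
# Added example: throwaway keys and certificates, all constructed in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DN="/C=SI/ST=Slovenia/L=Ljubljana"

# Self-signed CA with the thread's CA subject (CN=test.com).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "$DN/O=CA/OU=CA/CN=test.com" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_server NAME CN: key + CSR with subject CN=$2, signed by the CA above.
make_server() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "$DN/O=Server/OU=Server/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# verify_peer CERT HOST [CAFILE]: succeeds only if the chain ends in a trusted
# CA and HOST matches a name in CERT. Without CAFILE only the system store is used.
verify_peer() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
  fi
}

report() {  # report LABEL CERT HOST [CAFILE]
  if verify_peer "$2" "$3" "$4"; then echo "$1: accepted"
  else echo "$1: rejected"; fi
}

make_ca
make_server as_posted Server     # subject CN=Server, as in the thread's server.crt
make_server reissued test.com    # subject CN = the name clients connect to

# The issuer's CN=test.com does not count: only the server cert's own names do.
report "CN=Server, CA trusted"       "$WORK/as_posted.crt" test.com "$WORK/ca.crt"
report "CN=test.com, CA not trusted" "$WORK/reissued.crt"  test.com
report "CN=test.com, CA trusted"     "$WORK/reissued.crt"  test.com "$WORK/ca.crt"
```

In a Qt client the counterpart of `-CAfile` is loading ca.crt into the socket's CA certificates (for example with QSslSocket::addCaCertificates()), and the name being checked is the host name passed to connectToHostEncrypted().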

