If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.
Welcome to Qt Centre.

Qt Centre is a community site devoted to programming in C++ using the Qt framework. Over 90 percent of questions asked here gets answered. If you are looking for information about Qt related issue — register and post your question.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact us.

Results 1 to 2 of 2

Thread: Qt and TLSv1.3 with PSK

Thread Tools
- Show Printable Version
Search Thread
- Advanced Search
Display
- Switch to Linear Mode
- Switch to Hybrid Mode
- Threaded Mode

Threaded View

Previous Post

Next Post

8th August 2021, 13:16 #1

bibhukalyana

bibhukalyana is offline

Intermediate user

Qt and TLSv1.3 with PSK

Hi Everyone,

Now I am trying to write a sample server and client application which will use TLSv1.3 with PSK based authentication.
But it is failing during handshake process. During client Hello PSK identity/key is not shared from client side and this is causing the issue.

Error on server is:

Qt Code:

Switch view

Error during SSL handshake: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm" local:  "tcps://127.0.0.1:xxxxx/"  remote:  "tcps://127.0.0.1:xxxxx/"  peer verify name:  ""

Error during SSL handshake: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm" local:  "tcps://127.0.0.1:xxxxx/"  remote:  "tcps://127.0.0.1:xxxxx/"  peer verify name:  ""

To copy to clipboard, switch view to plain text mode

Client code:

Qt Code:

Switch view

QSslConfiguration sslConfiguration;
sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
//sslConfiguration.setProtocol(QSsl::TlsV1_3); //not required default will be TLSv1.3
 
sslSocket.setSslConfiguration(sslConfiguration);
 
QObject::connect(&sslSocket, &QSslSocket::preSharedKeyAuthenticationRequired,
                        this,
                        [](QSslPreSharedKeyAuthenticator* authenticator)
                        {
                              authenticator->setIdentity("xxxx");
                              authenticator->setPreSharedKey(QByteArrayLiteral("xxxx"));
                        }
                        , Qt::DirectConnection);
 
sslSocket.connectToHostEncrypted("127.0.0.1", 1234);
if (!sslSocket.waitForEncrypted()) {
     qDebug() << sslSocket.errorString();
}

QSslConfiguration sslConfiguration;
sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
//sslConfiguration.setProtocol(QSsl::TlsV1_3); //not required default will be TLSv1.3

sslSocket.setSslConfiguration(sslConfiguration);

QObject::connect(&sslSocket, &QSslSocket::preSharedKeyAuthenticationRequired,
                        this,
                        [](QSslPreSharedKeyAuthenticator* authenticator)
                        {
                              authenticator->setIdentity("xxxx");
                              authenticator->setPreSharedKey(QByteArrayLiteral("xxxx"));
                        }
                        , Qt::DirectConnection);

sslSocket.connectToHostEncrypted("127.0.0.1", 1234);
if (!sslSocket.waitForEncrypted()) {
     qDebug() << sslSocket.errorString();
}

To copy to clipboard, switch view to plain text mode

server code:

Qt Code:

Switch view

QSslSocket* sslSocket = qobject_cast<QSslSocket*>(nextPendingConnection()); //just added for reference. it will be part of SSLQTcpServer
 
QSslConfiguration sslConfiguration;
sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
//sslConfiguration.setProtocol(QSsl::TlsV1_3); //not required default will be TLSv1.3
 
connect(sslSocket, &QSslSocket::preSharedKeyAuthenticationRequired, 
             this,
             [](QSslPreSharedKeyAuthenticator* authenticator)
             {
                    //QByteArray expectedClientId { xxxxx };
                   if (expectedClientId == authenticator->identity())
                   {
                        authenticator->setPreSharedKey(QByteArrayLiteral(xxxx));
                    }
             }, Qt::DirectConnection);
 
sslSocket->setSslConfiguration(sslConfiguration);
sslSocket->startServerEncryption();

QSslSocket* sslSocket = qobject_cast<QSslSocket*>(nextPendingConnection()); //just added for reference. it will be part of SSLQTcpServer

QSslConfiguration sslConfiguration;
sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
//sslConfiguration.setProtocol(QSsl::TlsV1_3); //not required default will be TLSv1.3

connect(sslSocket, &QSslSocket::preSharedKeyAuthenticationRequired, 
             this,
             [](QSslPreSharedKeyAuthenticator* authenticator)
             {
                    //QByteArray expectedClientId { xxxxx };
                   if (expectedClientId == authenticator->identity())
                   {
                        authenticator->setPreSharedKey(QByteArrayLiteral(xxxx));
                    }
             }, Qt::DirectConnection);

sslSocket->setSslConfiguration(sslConfiguration);
sslSocket->startServerEncryption();

To copy to clipboard, switch view to plain text mode

I tried a lot to figure out the error. But did not get anything. Then I looked into the Qt source code to know what is happening.
I found for TLSv1.3 'q_SSL_set_psk_use_session_callback' is used to register the PSK callback.

Qt Code:

Switch view

//qsslsocket_openssl.cpp
#if OPENSSL_VERSION_NUMBER >= 0x10101006L
    // Set the client callback for TLSv1.3 PSK
    if (mode == QSslSocket::SslClientMode
        && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
        q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback); // <--
    }
#endif // openssl version >= 0x10101006L

//qsslsocket_openssl.cpp
#if OPENSSL_VERSION_NUMBER >= 0x10101006L
    // Set the client callback for TLSv1.3 PSK
    if (mode == QSslSocket::SslClientMode
        && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
        q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback); // <--
    }
#endif // openssl version >= 0x10101006L

To copy to clipboard, switch view to plain text mode

and inside 'q_ssl_psk_use_session_callback' 'q_SSL_set_psk_client_callback' is used to register 'q_ssl_psk_restore_client'.
'q_ssl_psk_restore_client' again used 'q_SSL_set_psk_client_callback' to register 'q_ssl_psk_client_callback'.

Qt Code:

Switch view

//q_ssl_psk_use_session_callback()
 
    // Temporarily rebind the psk because it will be called next. The function will restore it.
    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_restore_client); // <--
 
    return 1; // need to return 1 or else "the connection setup fails."

//q_ssl_psk_use_session_callback()

    // Temporarily rebind the psk because it will be called next. The function will restore it.
    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_restore_client); // <--

    return 1; // need to return 1 or else "the connection setup fails."

To copy to clipboard, switch view to plain text mode

Qt Code:

Switch view

//q_ssl_psk_restore_client()
 
    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback);

//q_ssl_psk_restore_client()

    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback);

To copy to clipboard, switch view to plain text mode

As per my understanding:
During handshake process openssl will call 'q_ssl_psk_use_session_callback' and then it will call 'q_ssl_psk_restore_client' as a fallback. But still it will not get the actual key and it will ignore.

In 'q_ssl_psk_use_session_callback' method instead of 'q_ssl_psk_restore_client' if ' q_ssl_psk_client_callback' is registered then everything will work as expected.

So now I want to know
Is my understanding correct and it is a bug in Qt? If not then what is missing in my side? How can I fix it?

I am using Qt 5.15.2 and it is built with openssl version "OpenSSL 1.1.1g". OS is Ubuntu 18.04.

Thanks,
Bibhu

Reply With Quote

Reply With Quote

Quick Navigation Qt Programming Top

« Previous Thread | Next Thread »

Similar Threads

Using of SSLv2 / TLSv1 protocols

By PatMooc in forum Qt Programming

Replies: 0
Last Post: 5th September 2020, 14:25
Using of SSLv2 / TLSv1 protocols

By PatMooc in forum Qt Programming

Replies: 0
Last Post: 3rd September 2020, 12:38

Tags for this Thread

psk, tlsv1.3

Bookmarks

Bookmarks

Posting Permissions

You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off

All times are GMT +1. The time now is 22:17.

Powered by vBulletin Version 4.2.5 Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.,

© 2006–2017 Qt Centre - The Ultimate Qt Community site

Digia, Qt and their respective logos are trademarks of Digia Plc in Finland and/or other countries worldwide.