QTBUG-19828 (project: Qt)

Qt should issue a signal when the server requests an SSL client authentication


Details

    Description

      Client authentication is not really supported in Qt now. A local soft certificate can be installed, but, first problem, it can only be one single client certificate, and, second problem, this one only without a certificate chain (for chains, see http://bugreports.qt.nokia.com/browse/QTBUG-19825). Third problem, the certificate must be decoded (pin/password must be set) and installed in the SSL defaults, even before a connection is opened.

      That's not how it should work.

      Instead, in all other browsers, such as Firefox, etc., first the server requests a client authentication, then the browser (or the user) looks for matching certificates, the browser then asks the user which one should be used (at least if more than one matching certificate is found), then the certificate is presented to the server and the pin/password is used to unlock the private key, then finally the server sends a secret to be signed with the private key for the authentication.

      In Qt we have these problems:
      1. certificate and private key must be unlocked and installed in advance
      2. that means I have to ask the user for the pin/password even if he never browses to a server that asks for a client certificate
      3. even if a user has more than one client certificate, he can use only one at a time
      4. Cryptoki/PKCS#11 hardware tokens only work with a dirty trick, when I cast the private key's handle() to RSA* and set a callback method for sign
      5. when the callback is issued, I cannot see which URL requires authentication

      Suggested solution:

      Qt should introduce a new signal similar to authenticationRequired() with the following parameters:

      • in QNetworkReply*
      • in Realm
      • out private key: QSslKey
      • out user certificate chain: QList<QSslCertificate>

      Idea:

      • QAuthenticator could be extended so that it can not only take a username/password, but also a certificate/private-key
        → e.g. by extending the QAuthenticator::option with ...
        1. ... a flag, whether username/password or certificate/key is required and ...
        2. ... a setPrivateKey/setCertificateChain option.

      This solution would fit straightforwardly into the Qt philosophy.
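The client-side flow the report describes above (server names acceptable CAs, client looks for matching chains, asks the user only when more than one matches, unlocks the private key only after a chain is chosen) modelled as an added example; this is not code from the bug report or from Qt. Certificates are reduced to constructed (subject, issuer) name pairs, and `choose` / `unlock_key` stand in for the user prompts.

```python
# Added example, not part of QTBUG-19828 or of Qt. Models the selection step of
# TLS client authentication: the server's CertificateRequest carries the names
# of acceptable CAs; the client picks the chains issued under one of them, asks
# the user only if more than one matches, and unlocks the private key only once
# a chain has actually been chosen (problems 1 and 2 of the report).
# A certificate is a constructed (subject DN, issuer DN) pair; a chain is
# leaf-first.
from typing import Callable, List, Optional, Sequence, Tuple

Cert = Tuple[str, str]
Chain = List[Cert]


def chain_matches(chain: Chain, acceptable_cas: Sequence[str]) -> bool:
    """True if some certificate in the chain was issued by an acceptable CA."""
    return any(issuer in acceptable_cas for _subject, issuer in chain)


def select_client_chain(
    candidates: Sequence[Chain],
    acceptable_cas: Sequence[str],
    choose: Callable[[List[Chain]], Optional[Chain]],
    unlock_key: Callable[[Chain], Optional[bytes]],
) -> Optional[Tuple[Chain, bytes]]:
    """Return (chain, private_key) to present to the server, or None to send
    an empty Certificate message.

    `choose` is the "which certificate?" prompt and is only invoked when more
    than one chain matches; `unlock_key` is the pin/password prompt and is only
    invoked after a chain has been chosen, so a user who never reaches a server
    asking for client auth is never asked for a pin.
    """
    matches = [c for c in candidates if chain_matches(c, acceptable_cas)]
    if not matches:
        return None                     # nothing suitable: no prompt at all
    chain = matches[0] if len(matches) == 1 else choose(matches)
    if chain is None:
        return None                     # user cancelled the selection
    key = unlock_key(chain)
    if key is None:
        return None                     # wrong pin or cancelled
    return chain, key
```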


      People

        Assignee: Unassigned
        Reporter: mrw (Marc Wäckerlin)
        Votes: 3
        Watchers: 4
