
I have been trying to solve this problem for more than a day, even a week. I ask you to give me at least an idea or a solution. Please do not give me links to the documentation; I have learned it by heart. Now the question:

#include <QSslSocket>

// One QSslSocket per accepted connection; socketDescriptor is assumed to come
// from QTcpServer::incomingConnection().
QSslSocket *server = new QSslSocket();
server->setSocketDescriptor(socketDescriptor);
server->setPrivateKey("my.key");        // PEM, RSA by default
server->setLocalCertificate("my.crt");  // PEM certificate matching the key
server->startServerEncryption();        // run the handshake in server mode
if (server->waitForEncrypted()) {
   ...
}

In this case I use a fixed key and certificate. I would like to receive information about the client's certificate and, based on it, set different keys and certificates for the connection.

For example, if the client used a particular certificate, I would use the key that corresponds to that certificate.

I tried to use the peerCertificate() method, but it returns void.

How can I get information about the certificate the client uses? Perhaps there is a way to pick up this certificate. How can I do that?

tioo
  • If you downvote, please explain why. – tioo May 19 '14 at 19:02
    And the title needs to be better - the actual question you're asking. – Michael Petrotta May 19 '14 at 19:05
  • @Andy I added the python tag in the hope that programmers who do not know C++ well will be able to help me. The solution or idea is not language-dependent. – tioo May 19 '14 at 19:06
  • @MichaelPetrotta have you an idea to solve the problem? – tioo May 19 '14 at 19:09
    @tioo: sadly, many people do not bother with explanation. I imagine they downvoted because of the original title which was a bit inappropriate. That being said, it is somewhat unclear what you are asking. Which documentation do you mean to have read? (Fwiw, I have not downvoted) – László Papp May 19 '14 at 21:14
  • Why do you say `peerCertificate()` returns void? – nobody May 20 '14 at 03:18
  • @AndrewMedico I tried to get the certificate thumbprint hash from what peerCertificate() returns. The resulting hash does not match the hashes that are in the database. The other fields were empty. I do not know why. The client is the user's browser. – tioo May 20 '14 at 16:13

1 Answer


In the TLS protocol, the server presents its certificate/identity before the client does, so there is no (standard) way to choose which server certificate to present based on the client certificate. Once the client presents its identity, the server certificate is already locked down.

The only TLS extension I can think of that you could use/abuse for what you're talking about is SNI, which would let the client request a hostname of its own choice (i.e. client A requests a response for cert_a.myserver.com, client B requests cert_b.myserver.com, etc.) before the server presents its certificate, so the server can use that information to pick which certificate to present.

Implementing SNI in OpenSSL is not a trivial task, but there are some samples and stackoverflow questions to take a look at for help.

Joachim Isaksson
  • I do not know how to translate these examples on Qt. – tioo May 20 '14 at 16:18
  • @tioo I _think_ that on the client side you just call `QSslSocket::setPeerVerifyName` with the desired hostname to have it use that as a desired hostname for SNI. – Joachim Isaksson May 20 '14 at 17:01
  • The client is a browser with certificates installed for the sites. I do not have access to its source, but it should send the required data. The question is how to get the data I need. – tioo May 20 '14 at 17:10
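The following is an added example, not code from the question, the answer, or Qt. It shows the protocol point the answer makes: the server_name (SNI) extension sits in the ClientHello, the very first bytes the client sends, so a server can read it and choose a certificate before it has committed to one, whereas the client certificate only arrives after the server's Certificate message. The ClientHello here is a constructed sample built by `buildClientHello` (placeholder random, two cipher suites, an ec_point_formats extension the parser has to skip, then SNI); the cert/key file names in `selectCertificate` are hypothetical. Real servers do this inside the TLS library (for OpenSSL, a servername callback), but peeking at the raw ClientHello is exactly how SNI-routing front ends decide which backend or certificate to use.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

static void put16(Bytes &b, size_t v) { b.push_back((v >> 8) & 0xff); b.push_back(v & 0xff); }
static void put24(Bytes &b, size_t v) { b.push_back((v >> 16) & 0xff); put16(b, v); }

// Constructed sample (not a capture): a minimal TLS 1.2 ClientHello record.
// An empty host means "send no SNI extension at all".
Bytes buildClientHello(const std::string &host) {
    Bytes body;
    put16(body, 0x0303);                                   // client_version
    for (int i = 0; i < 32; ++i) body.push_back(0x11);     // placeholder random
    body.push_back(0);                                     // session_id: empty
    put16(body, 4); put16(body, 0xc02f); put16(body, 0x009c); // two cipher suites
    body.push_back(1); body.push_back(0);                  // compression: null only
    Bytes exts;
    put16(exts, 0x000b); put16(exts, 2); exts.push_back(1); exts.push_back(0); // ec_point_formats
    if (!host.empty()) {
        Bytes sni;
        put16(sni, 1 + 2 + host.size());                   // server_name_list length
        sni.push_back(0);                                  // name_type: host_name
        put16(sni, host.size());
        sni.insert(sni.end(), host.begin(), host.end());
        put16(exts, 0x0000); put16(exts, sni.size());      // extension type server_name
        exts.insert(exts.end(), sni.begin(), sni.end());
    }
    put16(body, exts.size());
    body.insert(body.end(), exts.begin(), exts.end());
    Bytes rec;
    rec.push_back(0x16); put16(rec, 0x0301);               // handshake record header
    put16(rec, 4 + body.size());
    rec.push_back(0x01); put24(rec, body.size());          // handshake type ClientHello
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

// Bounds-checked cursor over the record; every read fails cleanly on truncation.
struct Reader {
    const Bytes &b; size_t pos = 0;
    bool need(size_t n) const { return n <= b.size() - pos; }
    bool u8(size_t &v)  { if (!need(1)) return false; v = b[pos++]; return true; }
    bool u16(size_t &v) { if (!need(2)) return false; v = (b[pos] << 8) | b[pos + 1]; pos += 2; return true; }
    bool u24(size_t &v) { if (!need(3)) return false; v = (b[pos] << 16) | (b[pos + 1] << 8) | b[pos + 2]; pos += 3; return true; }
    bool skip(size_t n) { if (!need(n)) return false; pos += n; return true; }
};

// Returns the SNI host_name from a ClientHello record, or "" if absent or malformed.
std::string extractSni(const Bytes &rec) {
    Reader r{rec};
    size_t v, recLen, hsLen, n, extLen;
    if (!r.u8(v) || v != 0x16 || !r.skip(2)) return "";    // handshake record + version
    if (!r.u16(recLen) || !r.need(recLen)) return "";      // truncated record
    if (!r.u8(v) || v != 0x01) return "";                  // must be ClientHello
    if (!r.u24(hsLen) || hsLen + 4 > recLen) return "";
    if (!r.skip(2 + 32)) return "";                        // client_version + random
    if (!r.u8(n) || !r.skip(n)) return "";                 // session_id
    if (!r.u16(n) || !r.skip(n)) return "";                // cipher_suites
    if (!r.u8(n) || !r.skip(n)) return "";                 // compression_methods
    if (!r.u16(extLen) || !r.need(extLen)) return "";
    size_t end = r.pos + extLen;
    while (r.pos < end) {
        size_t type, len;
        if (!r.u16(type) || !r.u16(len) || r.pos + len > end) return "";
        if (type != 0x0000) { r.pos += len; continue; }    // not server_name: skip it
        size_t extEnd = r.pos + len, listLen;
        if (!r.u16(listLen) || r.pos + listLen != extEnd) return "";
        while (r.pos < extEnd) {
            size_t nameType, nameLen;
            if (!r.u8(nameType) || !r.u16(nameLen) || r.pos + nameLen > extEnd) return "";
            if (nameType == 0)
                return std::string(rec.begin() + r.pos, rec.begin() + r.pos + nameLen);
            r.pos += nameLen;
        }
        return "";
    }
    return "";
}

struct CertPair { std::string certFile, keyFile; };

// Hypothetical SNI -> certificate/key table; the file names are assumptions.
// With no SNI or an unknown name the server keeps the asker's fixed pair.
CertPair selectCertificate(const Bytes &clientHello) {
    static const std::map<std::string, CertPair> table = {
        {"cert_a.myserver.com", {"cert_a.crt", "cert_a.key"}},
        {"cert_b.myserver.com", {"cert_b.crt", "cert_b.key"}},
    };
    static const CertPair fallback{"my.crt", "my.key"};
    auto it = table.find(extractSni(clientHello));
    return it == table.end() ? fallback : it->second;
}
```

`selectCertificate(buildClientHello("cert_b.myserver.com"))` yields the cert_b pair, an empty host or an unknown name yields the fallback, and a truncated record is rejected rather than read past its end. Two caveats for anyone building on this: SNI is chosen by the client and is not authenticated, so it can route which certificate the server presents but proves nothing about who the client is; the client's identity is still only established by its own certificate, which arrives after the server has committed to a certificate, as the answer explains.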