Re: [Interest] macOS: troubles using my own CA
Alexander,

I cannot thank you enough for sharing your discovery! This problem has driven me nuts for about a year now. Thanks so much for sharing!

Dan

> On Jul 19, 2022, at 3:52 PM, Alexander Dyagilev wrote:
>
> // This avoids using the default keychain for SSL, which may cause
> // password prompts on macOS.
> qputenv("QT_SSL_USE_TEMPORARY_KEYCHAIN", "1");

___
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
Re: [Interest] macOS: troubles using my own CA
Hello,

Accidentally, found the solution for this issue:

    // This avoids using the default keychain for SSL, which may cause
    // password prompts on macOS.
    qputenv("QT_SSL_USE_TEMPORARY_KEYCHAIN", "1");

On 7/12/2022 11:21 AM, Alexander Dyagilev wrote:
> Hello,
>
> I'm on macOS Big Sur 11.5.1.
>
> First, I must say, that there are NO problems when I use Qt 6.3.0. But, I HAVE TO use Qt 5.12.12, so please if anyone knows something that can help - please help :)
>
> I have my own server, written in Qt, on SSL sockets, with my own CA certificate. I install it using QSslConfiguration::setCaCertificates({myCaCert}). I don't use it widely, only for the socket which is to communicate with my server.
>
> All is working fine under Windows/Linux/Android.
>
> But, when it comes to macOS, I'm getting this socket error (when connecting to my server): "the root ca certificate is not trusted for this purpose".
>
> OK, I've made my own security check function as a workaround, which calls ignoreSslErrors(). And it started to work.
>
> BUT. My question is not about this. I've got a second problem after this:
>
> While I launch the same binary - all is OK. But if I modify it (so this would happen for our users after we update our app next time), I'm getting this strange message:
>
> Again, if, after that, I build the app using Qt 6.3.0 and launch it - this message never appears.
>
> So, this must be an issue with Qt 5.12. What I want to ask for: is there any known workaround to suppress this message under Qt 5.12.12?
Re: [Interest] macOS: troubles using my own CA
> On 14. Jul 2022, at 10:19, Alexander Dyagilev wrote:
>
> Yes, I've removed my own OpenSSL libraries built for macOS and Qt 6.3.0
> switched to SecureTransport and also started to show that message.
>
> So:
>
> Qt 5.12 : uses SecureTransport ALWAYS.
>
> Qt 6.3 : defaults to OpenSSL, if available. Falls back to SecureTransport if
> not.
>
> So. Is there a way to force Qt 5.12 to use OpenSSL instead of
> SecureTransport? :) I've tried googling but did not find an answer.

At least if you are willing to build your own Qt, these should do the trick:

    configure … -no-securetransport -openssl-runtime

or

    configure … -no-securetransport -openssl-linked

You’ll probably have to bundle OpenSSL to be sure to have it available, in the right version, on all macOS versions you need to support, so -openssl-linked might be the way to go.

--
Frank Gonçalves Osterfeld | frank.osterf...@kdab.com | Senior Software Engineer & Teamlead
KDAB (Deutschland) GmbH, a KDAB Group Company
Tel: +49-30-521325470
KDAB - The Qt, C++ and OpenGL Experts
Re: [Interest] macOS: troubles using my own CA
Yes, I've removed my own OpenSSL libraries built for macOS and Qt 6.3.0 switched to SecureTransport and also started to show that message.

So:

Qt 5.12 : uses SecureTransport ALWAYS.

Qt 6.3 : defaults to OpenSSL, if available. Falls back to SecureTransport if not.

So. Is there a way to force Qt 5.12 to use OpenSSL instead of SecureTransport? :) I've tried googling but did not find an answer.

On 7/14/2022 11:09 AM, Alexander Dyagilev wrote:
> On 7/12/2022 11:14 PM, Frank Osterfeld via Interest wrote:
>> SecureTransport is deprecated by Apple, but the backend is still the default in 6.3. So unless Alexander explicitly enabled OpenSSL for one or the other, I wouldn’t expect big changes here.
>
> Ha-ha, I've just checked - Qt 6.3 uses OpenSSL, not SecureTransport! That's why it's working, that's why that stupid message from macOS is never shown under Qt 6.3!
>
> So, is there a way to use OpenSSL instead of SecureTransport on Qt 5.12.12?
Re: [Interest] macOS: troubles using my own CA
On 7/12/2022 11:14 PM, Frank Osterfeld via Interest wrote:
> SecureTransport is deprecated by Apple, but the backend is still the default in 6.3. So unless Alexander explicitly enabled OpenSSL for one or the other, I wouldn’t expect big changes here.

Ha-ha, I've just checked - Qt 6.3 uses OpenSSL, not SecureTransport! That's why it's working, that's why that stupid message from macOS is never shown under Qt 6.3!

So, is there a way to use OpenSSL instead of SecureTransport on Qt 5.12.12?
Re: [Interest] macOS: troubles using my own CA
On 7/12/2022 11:14 PM, Frank Osterfeld via Interest wrote:
> From what I know, SecureTransport is the default used on macOS since Qt 5.10.0 (running configure in 5.10.0 qtbase seems to confirm this).

Yes, it seems you are right.

> SecureTransport is deprecated by Apple, but the backend is still the default in 6.3. So unless Alexander explicitly enabled OpenSSL for one or the other, I wouldn’t expect big changes here.

I did not. How can I force Qt to use OpenSSL on macOS? I've tried to put OpenSSL libraries into the Frameworks folder, but that did not help.

> --
> Frank Gonçalves Osterfeld | frank.osterf...@kdab.com | Senior Software Engineer & Teamlead
> KDAB (Deutschland) GmbH, a KDAB Group Company
> Tel: +49-30-521325470
> KDAB - The Qt, C++ and OpenGL Experts
Re: [Interest] macOS: troubles using my own CA
Hello,

I think you are wrong. Qt 5.12.12: QSslSocket::sslLibraryVersionString reports that it's Secure Transport.

On 7/12/2022 9:05 PM, Thiago Macieira wrote:
> Qt 6.3 uses a completely different implementation of SSL on a Mac from 5.x. It uses the Apple API in SecureTransport, while Qt 5 uses OpenSSL. However, the OpenSSL one is the same as Linux, so the same errors should appear on both.
>
> Is it the same OpenSSL 1.1 version?
Re: [Interest] macOS: troubles using my own CA
> On 12. Jul 2022, at 20:05, Thiago Macieira wrote:
>
> On Tuesday, 12 July 2022 01:21:07 PDT Alexander Dyagilev wrote:
>> Again, if, after that, I build the app using Qt 6.3.0 and launch it - this
>> message never appears.
>>
>> So, this must be an issue with Qt 5.12. What I want to ask for: is there
>> any known workaround to suppress this message under Qt 5.12.12?
>
> Qt 6.3 uses a completely different implementation of SSL on a Mac from 5.x. It
> uses the Apple API in SecureTransport, while Qt 5 uses OpenSSL. However, the
> OpenSSL one is the same as Linux, so the same errors should appear on both.
>
> Is it the same OpenSSL 1.1 version?

From what I know, SecureTransport is the default used on macOS since Qt 5.10.0 (running configure in 5.10.0 qtbase seems to confirm this).

SecureTransport is deprecated by Apple, but the backend is still the default in 6.3. So unless Alexander explicitly enabled OpenSSL for one or the other, I wouldn’t expect big changes here.

--
Frank Gonçalves Osterfeld | frank.osterf...@kdab.com | Senior Software Engineer & Teamlead
KDAB (Deutschland) GmbH, a KDAB Group Company
Tel: +49-30-521325470
KDAB - The Qt, C++ and OpenGL Experts
Re: [Interest] macOS: troubles using my own CA
On Tuesday, 12 July 2022 01:21:07 PDT Alexander Dyagilev wrote:
> Again, if, after that, I build the app using Qt 6.3.0 and launch it - this
> message never appears.
>
> So, this must be an issue with Qt 5.12. What I want to ask for: is there
> any known workaround to suppress this message under Qt 5.12.12?

Qt 6.3 uses a completely different implementation of SSL on a Mac from 5.x. It uses the Apple API in SecureTransport, while Qt 5 uses OpenSSL. However, the OpenSSL one is the same as Linux, so the same errors should appear on both.

Is it the same OpenSSL 1.1 version?

--
Thiago Macieira - thiago.macieira (AT) intel.com
Cloud Software Architect - Intel DCAI Cloud Engineering
[Interest] macOS: troubles using my own CA
Hello,

I'm on macOS Big Sur 11.5.1.

First, I must say, that there are NO problems when I use Qt 6.3.0. But, I HAVE TO use Qt 5.12.12, so please if anyone knows something that can help - please help :)

I have my own server, written in Qt, on SSL sockets, with my own CA certificate. I install it using QSslConfiguration::setCaCertificates({myCaCert}). I don't use it widely, only for the socket which is to communicate with my server.

All is working fine under Windows/Linux/Android.

But, when it comes to macOS, I'm getting this socket error (when connecting to my server): "the root ca certificate is not trusted for this purpose".

OK, I've made my own security check function as a workaround, which calls ignoreSslErrors(). And it started to work.

BUT. My question is not about this. I've got a second problem after this:

While I launch the same binary - all is OK. But if I modify it (so this would happen for our users after we update our app next time), I'm getting this strange message:

Again, if, after that, I build the app using Qt 6.3.0 and launch it - this message never appears.

So, this must be an issue with Qt 5.12. What I want to ask for: is there any known workaround to suppress this message under Qt 5.12.12?
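
Added example, not part of the thread and not the poster's code: the original post works around the untrusted-root error with ignoreSslErrors(), and this shows the decision such a check has to make so that only trust-anchor errors are waived, and only when the chain root matches a pinned private CA. It is plain C++ so it builds without Qt; the enum stands in for the QSslError::SslError values named in the comments, and HandshakeReport, errorsSafeToIgnore and the digest strings are hypothetical.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Stand-ins for QSslError::SslError values (assumption: modelled, not Qt's enum).
enum class TlsError {
    CertificateUntrusted,          // QSslError::CertificateUntrusted
    SelfSignedCertificateInChain,  // QSslError::SelfSignedCertificateInChain
    HostNameMismatch,              // QSslError::HostNameMismatch
    CertificateExpired             // QSslError::CertificateExpired
};

// Hypothetical summary of what a slot connected to sslErrors() would see.
struct HandshakeReport {
    std::vector<TlsError> errors;  // errors reported for this handshake
    std::string rootSha256Hex;     // lowercase hex SHA-256 of the chain's root cert
};

// Only complaints about the trust anchor are candidates for waiving.
static bool isTrustAnchorError(TlsError e) {
    return e == TlsError::CertificateUntrusted ||
           e == TlsError::SelfSignedCertificateInChain;
}

// Returns the errors that may be waived for this connection.
// An empty result means: waive nothing and let the handshake fail.
std::vector<TlsError> errorsSafeToIgnore(const HandshakeReport &r,
                                         const std::string &pinnedCaSha256Hex) {
    // The chain must end in our own CA, otherwise any self-signed
    // certificate would be accepted.
    if (r.errors.empty() || r.rootSha256Hex != pinnedCaSha256Hex)
        return {};
    // A hostname mismatch or an expired certificate is never waived,
    // even when it arrives together with an untrusted-root error.
    if (!std::all_of(r.errors.begin(), r.errors.end(), isTrustAnchorError))
        return {};
    return r.errors;
}
```

In a Qt client this decision would be made in the slot connected to QSslSocket::sslErrors(), calling ignoreSslErrors() only when the result is non-empty.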