Changeset 9795 in ntrip


Timestamp:
Jul 22, 2022, 1:34:16 PM (4 weeks ago)
Author:
stuerze
Message:

Present client SSL certificates in the SSL handshake, if they are available

Location:
trunk/BNC/src
Files:
9 edited

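--- a/trunk/BNC/src/bncmain.cpp
+++ b/trunk/BNC/src/bncmain.cpp
@@ -95,8 +95,9 @@
       "\n"
       "Network Panel keys:\n"
-      "   proxyHost       {Proxy host, name or IP address [character string]}\n"
-      "   proxyPort       {Proxy port [integer number]}\n"
-      "   sslCaCertPath   {Full path to SSL certificates [character string]}\n"
-      "   sslIgnoreErrors {Ignore SSL authorization errors [integer number: 0=no,2=yes]}\n"
+      "   proxyHost         {Proxy host, name or IP address [character string]}\n"
+      "   proxyPort         {Proxy port [integer number]}\n"
+      "   sslCaCertPath     {Full path to SSL certificates [character string]}\n"
+      "   sslClientCertPath {Full path to client SSL certificates [character string]}\n"     
+      "   sslIgnoreErrors   {Ignore SSL authorization errors [integer number: 0=no,2=yes]}\n"
       "\n"
       "General Panel keys:\n"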
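Review bot: The added usage line describes `sslClientCertPath` as a "Full path to client SSL certificates", but bncnetqueryv2.cpp and bncuploadcaster.cpp in this changeset build the file name by appending `<host>.<port>.crt` / `.key` directly to that value with no separator, so it is really a directory prefix that must end with a path separator; a plain directory path silently yields a non-existent file name and no client certificate is ever presented. I would state that in the key list: `"   sslClientCertPath {Directory of <host>.<port>.crt/.key client certificates, trailing path separator required [character string]}\n"`. The usage string this line belongs to starts and ends outside the hunk.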
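--- a/trunk/BNC/src/bncnetqueryv2.cpp
+++ b/trunk/BNC/src/bncnetqueryv2.cpp
@@ -36,11 +36,17 @@
 
   bncSettings settings;
-  _sslIgnoreErrors =
-     (Qt::CheckState(settings.value("sslIgnoreErrors").toInt()) == Qt::Checked);
-
-  if (_secure && !QSslSocket::supportsSsl()) {
-    BNC_CORE->slotMessage("No SSL support, install OpenSSL run-time libraries", true);
-    stop();
-  }
+  _sslIgnoreErrors = (Qt::CheckState(settings.value("sslIgnoreErrors").toInt()) == Qt::Checked);
+
+  if (_secure ) {
+    if (!QSslSocket::supportsSsl()) {
+      BNC_CORE->slotMessage("No SSL support, install OpenSSL run-time libraries", true);
+      stop();
+    }
+    // Generate filenames to consider a potential client certificate
+    _crtFileName = settings.value("sslClientCertPath").toString() + _url.host() + QString(".%1.crt").arg(_url.port());
+    _keyFileName = settings.value("sslClientCertPath").toString() + _url.host() + QString(".%1.key").arg(_url.port());
+  }
+
+
 }
 
@@ -122,4 +128,5 @@
   if (_url.scheme().isEmpty()) {
     if (_secure) {
+      _url.setPort(443);
       _url.setScheme("https");
     }
@@ -134,6 +141,23 @@
   // Network Request
   // ---------------
+  bncSslConfig sslConfig = BNC_SSL_CONFIG;
+
+  if (_secure) {
+    QFile clientCrtFile(_crtFileName);
+    QFile privateKeyFile(_keyFileName);
+    if ( clientCrtFile.exists() && privateKeyFile.exists()) {
+      // set local certificate if available
+      clientCrtFile.open(QIODevice::ReadOnly);
+      QSslCertificate clientCrt(&clientCrtFile);
+      sslConfig.setLocalCertificate(clientCrt);
+      // set private key if available
+      privateKeyFile.open(QIODevice::ReadOnly);
+      QSslKey privateKey(&privateKeyFile, QSsl::Rsa);
+      sslConfig.setPrivateKey(privateKey);
+    }
+  }
+
   QNetworkRequest request;
-  request.setSslConfiguration(BNC_SSL_CONFIG);
+  request.setSslConfiguration(sslConfig);
   request.setUrl(_url);
   request.setRawHeader("Host"         , _url.host().toLatin1());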
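Review bot: The client-certificate block added before `QNetworkRequest request;` ignores the return value of both `open()` calls and never checks `clientCrt.isNull()` / `privateKey.isNull()`, so an unreadable file, a corrupt PEM, or a key that is not RSA (the key is read with `QSsl::Rsa` only) installs a null certificate or key into `sslConfig` and the request goes out without client authentication and without any message to the user. I would test the open results and `isNull()` on both objects and report failures through `BNC_CORE->slotMessage(..., true)`, as the constructor already does for missing SSL support. Separately, `_crtFileName`/`_keyFileName` are built in the constructor from `_url.port()`, while the 443 default is only applied later in the `if (_url.scheme().isEmpty())` hunk; if the configured URL carries no explicit port this appears to produce `<host>.-1.crt`, so `_url.port(443)` in the constructor looks safer. The function containing the last hunk starts and ends outside it.
```cpp
  if (_secure) {
    QFile clientCrtFile(_crtFileName);
    QFile privateKeyFile(_keyFileName);
    if (clientCrtFile.exists() && privateKeyFile.exists()) {
      // Do not continue with a half-configured client identity: a null
      // certificate or key silently drops client authentication.
      if (!clientCrtFile.open(QIODevice::ReadOnly) || !privateKeyFile.open(QIODevice::ReadOnly)) {
        BNC_CORE->slotMessage("Cannot read client certificate/key " + _crtFileName.toLatin1(), true);
      } else {
        QSslCertificate clientCrt(&clientCrtFile);
        QSslKey privateKey(&privateKeyFile, QSsl::Rsa);  // unencrypted RSA PEM only
        if (clientCrt.isNull() || privateKey.isNull()) {
          BNC_CORE->slotMessage("Invalid client certificate/key " + _crtFileName.toLatin1(), true);
        } else {
          sslConfig.setLocalCertificate(clientCrt);
          sslConfig.setPrivateKey(privateKey);
        }
      }
    }
  }
  // … unchanged: QNetworkRequest setup …
```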
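--- a/trunk/BNC/src/bncnetqueryv2.h
+++ b/trunk/BNC/src/bncnetqueryv2.h
@@ -7,4 +7,5 @@
 #include <QNetworkReply>
 #include <QSslError>
+#include <QSslKey>
 
 #include "bncnetquery.h"
@@ -33,4 +34,6 @@
   QNetworkAccessManager* _manager;
   QNetworkReply*         _reply;
+  QString                _crtFileName;
+  QString                _keyFileName;
   QEventLoop*            _eventLoop;
   bool                   _firstData;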
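--- a/trunk/BNC/src/bncsettings.cpp
+++ b/trunk/BNC/src/bncsettings.cpp
@@ -76,4 +76,5 @@
     setValue_p("proxyPort",           "");
     setValue_p("sslCaCertPath",       "");
+    setValue_p("sslClientCertPath",   "");
     setValue_p("sslIgnoreErrors",    "0");
     // General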
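--- a/trunk/BNC/src/bncsslconfig.cpp
+++ b/trunk/BNC/src/bncsslconfig.cpp
@@ -35,6 +35,5 @@
 ////////////////////////////////////////////////////////////////////////////
 bncSslConfig::bncSslConfig() :
-  QSslConfiguration(QSslConfiguration::defaultConfiguration())
-{
+  QSslConfiguration(QSslConfiguration::defaultConfiguration()) {
 
   bncSettings settings;
@@ -46,8 +45,4 @@
   QList<QSslCertificate> caCerts = this->caCertificates();
 
-  // Bug in Qt: the wildcard does not work here:
-  // -------------------------------------------
-  // caCerts += QSslCertificate::fromPath(dirName + QDir::separator() + "*crt",
-  //                                      QSsl::Pem, QRegExp::Wildcard);
   QDir dir(dirName);
   QStringList nameFilters;
@@ -62,4 +57,6 @@
 
   this->setCaCertificates(caCerts);
+
+
 }
 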
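--- a/trunk/BNC/src/bncwindow.cpp
+++ b/trunk/BNC/src/bncwindow.cpp
@@ -195,6 +195,7 @@
           this, SLOT(slotBncTextChanged()));
 
-  _sslCaCertPathLineEdit   = new QLineEdit(settings.value("sslCaCertPath").toString());
-  _sslIgnoreErrorsCheckBox = new QCheckBox();
+  _sslCaCertPathLineEdit     = new QLineEdit(settings.value("sslCaCertPath").toString());
+  _sslClientCertPathLineEdit = new QLineEdit(settings.value("sslClientCertPath").toString());
+  _sslIgnoreErrorsCheckBox   = new QCheckBox();
   _sslIgnoreErrorsCheckBox->setCheckState(Qt::CheckState(
                                           settings.value("sslIgnoreErrors").toInt()));
@@ -762,7 +763,9 @@
   pLayout->addWidget(_sslCaCertPathLineEdit,                                 3, 1, 1,10);
   pLayout->addWidget(new QLabel("Default:  " + bncSslConfig::defaultPath()), 3,11, 1,20);
-  pLayout->addWidget(new QLabel("Ignore SSL authorization errors"),          4, 0);
-  pLayout->addWidget(_sslIgnoreErrorsCheckBox,                               4, 1, 1,10);
-  pLayout->addWidget(new QLabel(""),                                         5, 1);
+  pLayout->addWidget(new QLabel("Path to SSL client certificates"),          4, 0);
+  pLayout->addWidget(_sslClientCertPathLineEdit,                             4, 1, 1,10);
+  pLayout->addWidget(new QLabel("Ignore SSL authorization errors"),          5, 0);
+  pLayout->addWidget(_sslIgnoreErrorsCheckBox,                               5, 1, 1,10);
+  pLayout->addWidget(new QLabel(""),                                         6, 1);
   pLayout->setRowStretch(6, 999);
 
@@ -1370,5 +1373,6 @@
   _proxyHostLineEdit->setWhatsThis(tr("<p>If you are running BNC within a protected Local Area Network (LAN), you may need to use a proxy server to access the Internet. Enter your proxy server IP and port number in case one is operated in front of BNC. If you do not know the IP and port of your proxy server, check the proxy server settings in your Internet browser or ask your network administrator. Without any entry, BNC will try to use the system proxies. </p><p>Note that IP streaming is sometimes not allowed in a LAN. In this case you need to ask your network administrator for an appropriate modification of the local security policy or for the installation of a TCP relay to the Ntrip Broadcasters. If this is not possible, you may need to run BNC outside your LAN on a network that has unobstructed connection to the Internet. <i>[key: proxyHost]</i></p>"));
   _proxyPortLineEdit->setWhatsThis(tr("<p>Enter your proxy server port number in case a proxy is operated in front of BNC. <i>[key: proxyPort]</i></p>"));
-  _sslCaCertPathLineEdit->setWhatsThis(tr("<p>Communication with an Ntrip Broadcaster over SSL requires the exchange of client and/or server certificates. Specify the path to a directory where you save certificates on your system. Don't try communication via SSL if you are not sure whether this is supported by the involved Ntrip Broadcaster.</p><p>Note that SSL communication is usually done over port 443. <i>[key: sslCaCertPath]</i></p>"));
+  _sslCaCertPathLineEdit->setWhatsThis(tr("<p>Communication with an Ntrip Broadcaster over SSL requires the exchange of server certificates. Specify the path to a directory where you save CA certificates on your system. </p><p>BNC creates from *.crt and *.pem files a CA certificate database, which is used by the socket during the handshake phase to validate the peer's certificate. </p><p>Don't try communication via SSL if you are not sure whether this is supported by the involved Ntrip Broadcaster.</p><p>Note that SSL communication is usually done over port 443. <i>[key: sslCaCertPath]</i></p>"));
+  _sslClientCertPathLineEdit->setWhatsThis(tr("<p>Two-sided communication with an Ntrip Broadcaster over SSL requires in addition the exchange of client certificates. Specify the full path to the client certificates on your system.</p><p></p><p>The file naming convention for client certificates in BNC is as follows: &lt;hostname&gt;.&lt;port&gt;.crt for the certificate and &lt;hostname&gt;.&lt;port&gt;.key for the private key, where &lt;hostname&gt; is without https://. </p><p> If available, the client or personal authentication certificate is presented to the peer during the SSL handshake process. Password protected key files are not supported. </p><p>Don't try communication via two sided SSL if you are not sure whether this is supported by the involved Ntrip Broadcaster. </p><p>Note that SSL communication is usually done over port 443. <i>[key: sslClientCertPath]</i></p>"));
   _sslIgnoreErrorsCheckBox->setWhatsThis(tr("<p>SSL communication may involve queries coming from the Ntrip Broadcaster. Tick 'Ignore SSL authorization errors' if you don't want to be bothered with this. <i>[key: sslIgnoreErrors]</i></p>"));
 
@@ -1593,4 +1597,5 @@
   delete _proxyPortLineEdit;
   delete _sslCaCertPathLineEdit;
+  delete _sslClientCertPathLineEdit;
   delete _sslIgnoreErrorsCheckBox;
   delete _logFileLineEdit;
@@ -1780,4 +1785,5 @@
 
   settings.setValue("sslCaCertPath",   _sslCaCertPathLineEdit->text());
+  settings.setValue("sslClientCertPath",   _sslClientCertPathLineEdit->text());
   settings.setValue("sslIgnoreErrors", _sslIgnoreErrorsCheckBox->checkState());
 
@@ -2055,5 +2061,6 @@
   settings.setValue("proxyPort",   _proxyPortLineEdit->text());
   settings.setValue("sslCaCertPath",   _sslCaCertPathLineEdit->text());
-  settings.setValue("sslIgnoreErrors",  _sslIgnoreErrorsCheckBox->checkState());
+  settings.setValue("sslClientCertPath", _sslClientCertPathLineEdit->text());
+  settings.setValue("sslIgnoreErrors", _sslIgnoreErrorsCheckBox->checkState());
 // General
   settings.setValue("logFile",     _logFileLineEdit->text());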
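Review bot: The new whatsThis text for `_sslClientCertPathLineEdit` tells the user to "Specify the full path to the client certificates", but bncnetqueryv2.cpp and bncuploadcaster.cpp append `<host>.<port>.crt` / `.key` directly to the setting with no separator, so the value must be a directory prefix ending in a path separator and a bare directory path silently matches no file. I would say that explicitly, e.g. `Specify the directory, including the trailing path separator, in which the client certificate and its private key are stored.`, and since the key is read with `QSsl::Rsa` and no pass phrase, add that only unencrypted RSA keys in PEM format are accepted and that the key file should therefore be readable by the BNC user only. The same "full path" wording appears in the bncmain.cpp usage text and should be aligned with it.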
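--- a/trunk/BNC/src/bncwindow.h
+++ b/trunk/BNC/src/bncwindow.h
@@ -134,4 +134,5 @@
     QLineEdit* _proxyPortLineEdit;
     QLineEdit* _sslCaCertPathLineEdit;
+    QLineEdit* _sslClientCertPathLineEdit;
     QCheckBox* _sslIgnoreErrorsCheckBox;
     QLineEdit* _outFileLineEdit;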
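--- a/trunk/BNC/src/upload/bncuploadcaster.cpp
+++ b/trunk/BNC/src/upload/bncuploadcaster.cpp
@@ -79,4 +79,7 @@
       _secure = true;
       _casterOutPort = 443;
+      // Generate filenames to consider a potential client certificate and private key
+      _crtFileName = settings.value("sslClientCertPath").toString() + _casterOutHost + QString(".%1.crt").arg(_casterOutPort);
+      _keyFileName = settings.value("sslClientCertPath").toString() + _casterOutHost + QString(".%1.key").arg(_casterOutPort);
     }
   }
@@ -215,5 +218,18 @@
     _outSocket->ignoreSslErrors();
   } else {
-    _outSocket->setSslConfiguration(BNC_SSL_CONFIG);
+    bncSslConfig sslConfig = BNC_SSL_CONFIG;
+    QFile clientCrtFile(_crtFileName);
+    QFile privateKeyFile(_keyFileName);
+    if ( clientCrtFile.exists() && privateKeyFile.exists()) {
+      // set local certificate
+      clientCrtFile.open(QIODevice::ReadOnly);
+      QSslCertificate clientCrt(&clientCrtFile);
+      sslConfig.setLocalCertificate(clientCrt);
+      // set private key if available
+      privateKeyFile.open(QIODevice::ReadOnly);
+      QSslKey privateKey(&privateKeyFile, QSsl::Rsa);
+      sslConfig.setPrivateKey(privateKey);
+    }
+    _outSocket->setSslConfiguration(sslConfig);
     connect(_outSocket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(slotSslErrors(QList<QSslError>)));
   }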
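Review bot: The client certificate is only installed in the `else` branch of the second hunk; the branch above it that calls `_outSocket->ignoreSslErrors()` (its condition starts outside the hunk) leaves the socket on the default configuration, so a user who accepts unverifiable caster certificates via that switch never presents the client certificate and a caster requiring mutual TLS will reject the upload. I would build `sslConfig` before the branch and call `setSslConfiguration()` unconditionally, with the error handling of the sslErrors signal remaining the only thing the branch decides. The loading code is also a verbatim copy of the block in bncnetqueryv2.cpp, with the same unchecked `open()` and missing `isNull()` tests on `clientCrt` and `privateKey`; a helper on bncSslConfig taking host and port would keep the two in step. The enclosing function of that hunk starts and ends outside it.
```cpp
  // Load the optional client identity once, before deciding how SSL errors are
  // handled, so it is presented in both branches.
  bncSslConfig sslConfig = BNC_SSL_CONFIG;
  QFile clientCrtFile(_crtFileName);
  QFile privateKeyFile(_keyFileName);
  if (clientCrtFile.exists() && privateKeyFile.exists() &&
      clientCrtFile.open(QIODevice::ReadOnly) && privateKeyFile.open(QIODevice::ReadOnly)) {
    QSslCertificate clientCrt(&clientCrtFile);
    QSslKey privateKey(&privateKeyFile, QSsl::Rsa);  // unencrypted RSA PEM only
    if (!clientCrt.isNull() && !privateKey.isNull()) {
      sslConfig.setLocalCertificate(clientCrt);
      sslConfig.setPrivateKey(privateKey);
    }
  }
  _outSocket->setSslConfiguration(sslConfig);
  // … unchanged: the if/else that calls ignoreSslErrors() or connects slotSslErrors(),
  //     without the setSslConfiguration() call formerly inside the else branch …
```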
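--- a/trunk/BNC/src/upload/bncuploadcaster.h
+++ b/trunk/BNC/src/upload/bncuploadcaster.h
@@ -8,4 +8,5 @@
 #include <QThread>
 #include <QSslError>
+#include <QSslKey>
 #include <iostream>
 
@@ -50,4 +51,6 @@
   QString     _proxyOutHost;
   int         _proxyOutPort;
+  QString     _crtFileName;
+  QString     _keyFileName;
   QString     _userName;
   QString     _password;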