Results 1 to 4 of 4

Thread: SSL client security

  1. #1
    Join Date
    Sep 2008
    Posts
    13
    Thanks
    5
    Qt products
    Qt4
    Platforms
    Windows

    Default SSL client security

    Hi all, in my app I need to connect to a server (owned by my company) via SSL, I have set up the QSslSocket and everything works fine. The issue here is that the certificate of the server is self-signed, and it raises an error "The certificate is self-signed, and untrusted".

    I can ignore that error using ignoreSslErrors(), but I don't know if doing that could be a potential security problem, maybe this "man-in-the-middle" attack.

    I then thought about getting the public key from the server using mysocket->peerCertificate().publicKey() and keep it hard-coded in my code, so everytime it connects to the server I can compare this public key with the one the server returns. So my question is: could this help solve the security issue? Maybe the evil ones could get that public key from the server and use it in their own spoofed server to fool my program.

    Is there any method I can use to be sure that the server I'm connecting to is the real one?

    Any help will be much appreciated, thanks!

  2. #2
    Join Date
    Jan 2006
    Location
    Warsaw, Poland
    Posts
    33,364
    Thanks
    3
    Thanked 5,013 Times in 4,791 Posts
    Qt products
    Qt3 Qt4 Qt5 Qt/Embedded
    Platforms
    Unix/X11 Windows Android Maemo/MeeGo
    Wiki edits
    10

    Default Re: SSL client security

    You need to have the public key of the party who signed the server certificate and have it installed in your system as trusted. Only a private key from the trusted party can sign a certificate so if you trust this party haven't lost its private key, you will be fine.
    Your biological and technological distinctiveness will be added to our own. Resistance is futile.

    Please ask Qt related questions on the forum and not using private messages or visitor messages.


  3. The following user says thank you to wysota for this useful post:

    Koas (12th July 2010)

  4. #3
    Join Date
    Sep 2008
    Posts
    13
    Thanks
    5
    Qt products
    Qt4
    Platforms
    Windows

    Default Re: SSL client security

    Yes, the other party is a server owned also by my company, so I can trust it. Thanks!!

  5. #4
    Join Date
    Jan 2006
    Location
    Warsaw, Poland
    Posts
    33,364
    Thanks
    3
    Thanked 5,013 Times in 4,791 Posts
    Qt products
    Qt3 Qt4 Qt5 Qt/Embedded
    Platforms
    Unix/X11 Windows Android Maemo/MeeGo
    Wiki edits
    10

    Default Re: SSL client security

    The other party is the company, not a server. Don't mix the two.
    Your biological and technological distinctiveness will be added to our own. Resistance is futile.

    Please ask Qt related questions on the forum and not using private messages or visitor messages.


Similar Threads

  1. Get IP from client
    By ruben.rodrigues in forum Newbie
    Replies: 2
    Last Post: 28th June 2010, 15:07
  2. Norton Internet Security
    By GTBuilder in forum Installation and Deployment
    Replies: 2
    Last Post: 2nd June 2010, 19:33
  3. sqlite write security
    By lesat in forum Qt Programming
    Replies: 0
    Last Post: 28th April 2010, 06:05
  4. windows xp "local security settings"
    By mickey in forum General Discussion
    Replies: 1
    Last Post: 7th August 2008, 04:54
  5. OPC client with Qt
    By hafwil in forum Qt Programming
    Replies: 0
    Last Post: 18th May 2006, 19:28

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Digia, Qt and their respective logos are trademarks of Digia Plc in Finland and/or other countries worldwide.