[SailfishDevel] Ignoring auto signed SSL certificates

Tigre-Bleu devel at tigre-bleu.net
Sat Nov 9 17:56:06 UTC 2013


Hi Gianni 

I agree that accepting the auto-signed certificate without a prompt would be a potential security breach.

However, I think there should be a dialog automatically opened by the OS asking the user what to do (or at least delegate the dialog implementation to the app itself). 

I am developing a Sailfish app that is connected to an ownCloud instance. Most of the time, the average geek (including me :) ) is using an auto-signed SSL certificate. I don't want to force the user to use http where https could be used.

I don't know C++ so I'm not really ready to play with QNetwork. Maybe I'll find something on the internet... 

Regards, 

Antoine 

-- 
Tigre-Bleu 
mail/jabber: antoine.vacher at tigre-bleu.net 

----- Original Message -----

From: "Gianni Vialetto" <gianni at rootcube.net>
To: "Sailfish OS Developers" <devel at lists.sailfishos.org>
Sent: Saturday, 9 November 2013 12:25:54
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates

On Fri, Nov 8, 2013 at 7:26 PM, Tigre-Bleu < devel at tigre-bleu.net > wrote: 


Hello, 

The open() function of XMLHttpRequest seems to not work with auto signed SSL certificates. I have checked with valid certificates and there is no problem.

Is this the expected behavior? If so how am I supposed to fetch some data from an auto signed https page using QML? 

Thanks, 

Antoine 




Hi Antoine, 

I cannot confirm it without diving into the implementation, but I believe the behavior of XHR you are seeing is reasonable from a security point of view - the alternative could be to prompt the user for confirmation.
As an alternative you could construct the connection with QNetwork classes from the C++ side (the QSslConfiguration class should have a method to add a new CA to the list of those accepted). 

Regards, 
-- 
Gianni Vialetto 
