[SailfishDevel] Ignoring auto signed SSL certificates

Tigre-Bleu devel at tigre-bleu.net
Sat Nov 9 18:43:37 UTC 2013 

If there is a cleaner way to prompt the user in the future, I will change the code but in the meantime it will do the job. 

Thanks, 

Antoine 

----- Mail original -----

De: "Jonni Rainisto" <jonni.rainisto at jolla.com> 
À: "Sailfish OS Developers" <devel at lists.sailfishos.org> 
Envoyé: Samedi 9 Novembre 2013 19:31:40 
Objet: Re: [SailfishDevel] Ignoring auto signed SSL certificates 

Hi, 

If you dont care about chain of trust in self signed ssl certs, you can just add following in your application. That way all ssl certs are always accepted. 



Add these includes to main.cpp 
#include <QSslConfiguration>
   #include <QSslSocket> 
Add these lines in beginning of your main() 

QSslConfiguration config = QSslConfiguration::defaultConfiguration();
   config.setPeerVerifyMode(QSslSocket::VerifyNone);
   QSslConfiguration::setDefaultConfiguration(config); 
re, Jonni 


From: devel-bounces at lists.sailfishos.org [devel-bounces at lists.sailfishos.org] on behalf of Tigre-Bleu [devel at tigre-bleu.net] 
Sent: Saturday, November 09, 2013 7:56 PM 
To: Sailfish OS Developers 
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates 

Hi Gianni 

I agree that accepting the auto-signed certificate without prompt would be a potential security breach. 

However, I think there should be a dialog automatically opened by the OS asking the user what to do (or at least delegate the dialog implementation to the app itself). 

I am developping a sailfish app that is connected to an owncloud instance. Most of the time, the average geek (including me :) ) is using auto-signed ssl certificate. I don't want to force the user to use http where https could be used. 

I don't know C++ so I'm not really ready to play with QNetwork. Maybe I'll find something on the internet... 

Regards, 

Antoine 

-- 
Tigre-Bleu 
mail/jabber: antoine.vacher at tigre-bleu.net 

----- Mail original -----

De: "Gianni Vialetto" <gianni at rootcube.net> 
À: "Sailfish OS Developers" <devel at lists.sailfishos.org> 
Envoyé: Samedi 9 Novembre 2013 12:25:54 
Objet: Re: [SailfishDevel] Ignoring auto signed SSL certificates 

On Fri, Nov 8, 2013 at 7:26 PM, Tigre-Bleu < devel at tigre-bleu.net > wrote: 


Hello, 

The open() function of XMLHttpRequest seems to not work with auto signed ssl certificates. I have checked with valid certificates and there is no problem. 

Is this the expected behavior? If so how am I supposed to fetch some data from an auto signed https page using QML? 

Thanks, 

Antoine 




Hi Antoine, 

I cannot confirm it without diving into the implementation, but i believe the behavior of XHR you are seeing is reasonable from a security point of view - the alternative could be to prompt the user for confirmation. 
As an alternative you could construct the connection with QNetwork classes from the C++ side (the QSslConfiguration class should have a method to add a new CA to the list of those accepted). 

Regards, 
-- 
Gianni Vialetto 

_______________________________________________ 
SailfishOS.org Devel mailing list 


_______________________________________________ 
SailfishOS.org Devel mailing list 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.sailfishos.org/pipermail/devel/attachments/20131109/ce7cb5a6/attachment.html>

More information about the Devel mailing list