[SailfishDevel] Ignoring auto signed SSL certificates

Jonni Rainisto jonni.rainisto at jolla.com
Sat Nov 9 19:19:01 UTC 2013


If you want to prompt the user, you can listen for the sslErrors signal and prompt the user. That 3-liner is just a way simpler solution.

http://qt-project.org/doc/qt-5.0/qtnetwork/qnetworkreply.html#sslErrors

re, Jonni
________________________________
From: devel-bounces at lists.sailfishos.org [devel-bounces at lists.sailfishos.org] on behalf of Tigre-Bleu [devel at tigre-bleu.net]
Sent: Saturday, November 09, 2013 8:43 PM
To: Sailfish OS Developers
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates

If there is a cleaner way to prompt the user in the future, I will change the code but in the meantime it will do the job.

Thanks,

Antoine

________________________________
From: "Jonni Rainisto" <jonni.rainisto at jolla.com>
To: "Sailfish OS Developers" <devel at lists.sailfishos.org>
Sent: Saturday 9 November 2013 19:31:40
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates

Hi,

If you don't care about the chain of trust in self-signed SSL certs, you can just add the following to your application. That way all SSL certs are always accepted.


Add these includes to main.cpp

   #include <QSslConfiguration>
   #include <QSslSocket>


Add these lines at the beginning of your main()

   QSslConfiguration config = QSslConfiguration::defaultConfiguration();
   config.setPeerVerifyMode(QSslSocket::VerifyNone);
   QSslConfiguration::setDefaultConfiguration(config);


re, Jonni

________________________________
From: devel-bounces at lists.sailfishos.org [devel-bounces at lists.sailfishos.org] on behalf of Tigre-Bleu [devel at tigre-bleu.net]
Sent: Saturday, November 09, 2013 7:56 PM
To: Sailfish OS Developers
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates

Hi Gianni

I agree that accepting the auto-signed certificate without prompt would be a potential security breach.

However, I think there should be a dialog automatically opened by the OS asking the user what to do (or at least delegate the dialog implementation to the app itself).

I am developing a Sailfish app that is connected to an ownCloud instance. Most of the time, the average geek (including me :) ) is using an auto-signed SSL certificate. I don't want to force the user to use http where https could be used.

I don't know C++ so I'm not really ready to play with QNetwork. Maybe I'll find something on the internet...

Regards,

Antoine

--
Tigre-Bleu
mail/jabber: antoine.vacher at tigre-bleu.net

________________________________
From: "Gianni Vialetto" <gianni at rootcube.net>
To: "Sailfish OS Developers" <devel at lists.sailfishos.org>
Sent: Saturday 9 November 2013 12:25:54
Subject: Re: [SailfishDevel] Ignoring auto signed SSL certificates

On Fri, Nov 8, 2013 at 7:26 PM, Tigre-Bleu <devel at tigre-bleu.net> wrote:
Hello,

The open() function of XMLHttpRequest seems to not work with auto signed ssl certificates. I have checked with valid certificates and there is no problem.

Is this the expected behavior? If so how am I supposed to fetch some data from an auto signed https page using QML?

Thanks,

Antoine

Hi Antoine,

I cannot confirm it without diving into the implementation, but I believe the behavior of XHR you are seeing is reasonable from a security point of view - the alternative could be to prompt the user for confirmation.
As an alternative you could construct the connection with QNetwork classes from the C++ side (the QSslConfiguration class should have a method to add a new CA to the list of those accepted).

Regards,
--
Gianni Vialetto

_______________________________________________
SailfishOS.org Devel mailing list
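
The thread contrasts a global VerifyNone setting with handling the sslErrors signal. As an added example (not code from any poster in this thread), here is an sslErrors handler that ignores only self-signed errors for one pinned certificate; the names mayIgnore, classify, installPinnedCertPolicy, TlsError and the PINNED_SHA256 value are hypothetical, and the Qt part assumes a project built with the network module.

```cpp
// Added example, not code from the thread. PINNED_SHA256 is a constructed
// placeholder; use the SHA-256 fingerprint (hex) of your own server certificate.
#include <algorithm>
#include <string>
#include <vector>

enum class TlsError { SelfSigned, SelfSignedInChain, Other };
static const std::string PINNED_SHA256(64, 'a');  // constructed placeholder

// Ignore errors only when every reported error is a "self-signed" error and
// the peer certificate is exactly the pinned one. Expired certificates, host
// name mismatches or a different certificate still fail the handshake.
bool mayIgnore(const std::vector<TlsError>& errors,
               const std::string& peerSha256Hex,
               const std::string& pinnedSha256Hex = PINNED_SHA256) {
    if (errors.empty() || peerSha256Hex != pinnedSha256Hex) return false;
    return std::all_of(errors.begin(), errors.end(), [](TlsError e) {
        return e == TlsError::SelfSigned || e == TlsError::SelfSignedInChain;
    });
}

#ifdef QT_NETWORK_LIB  // set by the Qt build system when the network module is used
#include <QCryptographicHash>
#include <QNetworkAccessManager>
#include <QNetworkReply>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QSslError>

static TlsError classify(const QSslError& e) {
    switch (e.error()) {
    case QSslError::SelfSignedCertificate:        return TlsError::SelfSigned;
    case QSslError::SelfSignedCertificateInChain: return TlsError::SelfSignedInChain;
    default:                                      return TlsError::Other;
    }
}

// Call once on the application's manager instead of setting VerifyNone globally.
void installPinnedCertPolicy(QNetworkAccessManager* nam) {
    QObject::connect(nam, &QNetworkAccessManager::sslErrors,
                     [](QNetworkReply* reply, const QList<QSslError>& errors) {
        std::vector<TlsError> kinds;
        for (const QSslError& e : errors) kinds.push_back(classify(e));
        const QByteArray fp = reply->sslConfiguration().peerCertificate()
                                  .digest(QCryptographicHash::Sha256).toHex();
        if (mayIgnore(kinds, std::string(fp.constData(), fp.size())))
            reply->ignoreSslErrors(errors);  // ignore only these exact errors
    });
}
#endif
```

Unlike the global VerifyNone setting, peer verification stays on for every other host and for any certificate other than the pinned one.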