[SailfishDevel] [Not TLS] How to use self-signed certificates transparently in a https POST/GET request with a QT Quick application?

Thu Aug 20 13:34:36 UTC 2015

Hi Juice,

As far as I understand, you have a control to install HTTPS certificates 
on the server where the requests are sent?

In this case, you have two options:

   1. Install a trusted SSL certificate on your server.

   2. Generate your own self-signed certificate and mark it as trusted 
in your application.

For 1. you can get a free(!) domain validated certificate from StartSSL. 
It is trusted by most (if not all) modern browsers.

For 2. you need to export your self-signed certificate from the server 
(without the private key), ship it together wit your application and do 
the following on the application startup:

   QFile f;
   f.setFileName("<path-to-your>/certificate.pem");
   f.open(QFile::ReadOnly);

   QSslCertificate cert(f.readAll());
   f.close();

   sslConfiguration = QSslConfiguration::defaultConfiguration();
   QList<QSslCertificate> cacerts = sslConfiguration.caCertificates();
   cacerts.append(cert);
   sslConfiguration.setCaCertificates(cacerts);
   QSslConfiguration::setDefaultConfiguration(sslConfiguration);

Even 2. will be much safer than just ignoring all SSL errors.

On 18/08/15 07:05, juice wrote:
> Thank you Jonni, Thomas & Graham for prompt and insightful answers.
>
> I think I need to explain a bit more about my planned application, to
> show what the security model is and why I would like to accept https
> connection without checking for certificate validity.
>
> I am writing a dog-tracing utility, which periodically queries a server
> for whereabouts of the dog, receives geolocation coordinates and plots
> the location to a map on the Jolla phone.
>
> The dog wears a GPS collar that sends location updates to my server
> which actually maintains a detailed trace but in this case we are only
> interested of the last known position of the dog.
>
> Reason why I want to use https on the transport layer instead of http
> is because I do not like to advertise location data worldwide, it is
> private and my own location can be determined from the location of my
> dog and hence my mushroom hoarding places on the woods be compromised
> to other people. (remember, people have been killed in Italy for example
> trying to protect their favourite picking spots....)
>
> So, the protocol is simple, the application sends query like;
> GET https://toosa.swagman.org/wheres_my_dog/loc?password=ToPsEcReT
> The response is xml/json/whatever, last known coordinates.
>
> Of course the same can be applied to people trackiing, when I am on a
> bicycle trip, and my GPS tracking is active, my wife can get me by;
> GET https://toosa.swagman.org/wheres_juice_now/loc?password=ToPsEcReT
>
> In this case it is also self-evident why I want the location data to
> remain confidental. As the transport channel is secured, neither my
> password nor the reply coordinates are exposed to outside parties.
>
> Now, as this application is pretty much something I am just writing for
> my own use I like to keep it pretty simple and avoid fancy certificate
> accept/store/maintain schemes.
>
> I doubt anyone else really needs this application so it need not be
> overtly complicated.
>
> I mean, how many users there are who have a Jolla and like to track
> their dog by GPS collar? Not more than a handful I'd guess. :)
>
> Of course if it was very simple to add certificate lifecycle maintanance
> to the application then I could do that for completeness sake.

-- 
With best regards,
Oleksii Serdiuk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4740 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.sailfishos.org/pipermail/devel/attachments/20150820/fbee0e30/attachment.bin>