Koas
9th July 2010, 09:24
Hi all, in my app I need to connect to a server (owned by my company) via SSL, I have set up the QSslSocket and everything works fine. The issue here is that the certificate of the server is self-signed, and it raises an error "The certificate is self-signed, and untrusted".
I can ignore that error using ignoreSslErrors(), but I don't know if doing that could be a potential security problem, maybe the "man-in-the-middle" attack.
I then thought about getting the public key from the server using mysocket->peerCertificate().publicKey() and keeping it hard-coded in my code, so every time it connects to the server I can compare this public key with the one the server returns. So my question is: could this help solve the security issue? Maybe the evil ones could get that public key from the server and use it in their own spoofed server to fool my program.
Is there any method I can use to be sure that the server I'm connecting to is the real one?
Any help will be much appreciated, thanks!