SSL client security



Koas
9th July 2010, 10:24
Hi all, in my app I need to connect to a server (owned by my company) via SSL. I have set up the QSslSocket and everything works fine. The issue here is that the certificate of the server is self-signed, and it raises an error "The certificate is self-signed, and untrusted".

I can ignore that error using ignoreSslErrors(), but I don't know if doing that could be a potential security problem, maybe this "man-in-the-middle" attack.

I then thought about getting the public key from the server using mysocket->peerCertificate().publicKey() and keeping it hard-coded in my code, so every time it connects to the server I can compare this public key with the one the server returns. So my question is: could this help solve the security issue? Maybe the evil ones could get that public key from the server and use it in their own spoofed server to fool my program.

Is there any method I can use to be sure that the server I'm connecting to is the real one?

Any help will be much appreciated, thanks!

wysota
9th July 2010, 12:20
You need to have the public key of the party who signed the server certificate and have it installed in your system as trusted. Only a private key from the trusted party can sign a certificate, so if you trust that this party hasn't lost its private key, you will be fine.

Koas
12th July 2010, 11:59
Yes, the other party is a server owned also by my company, so I can trust it. Thanks!!

wysota
12th July 2010, 14:13
The other party is the company, not a server. Don't mix the two.
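
The trust model wysota describes, as an added example that is not part of the original thread: a company CA signs the server certificate, and the client accepts only certificates that chain to that CA, so a self-signed impostor using the same server name is rejected. All names, subjects and file paths are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: subjects, host names and paths are constructed, not from the thread.
# Requires the openssl command-line tool.

demo_dir=$(mktemp -d)

# The company's signing certificate. Its private key (ca.key) is the secret
# that must never leave the company; ca.crt is what clients install as trusted.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Company CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
}

# The server's certificate, signed with the company CA key instead of self-signed.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/server.csr" -days 30 \
        -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/server.crt" 2>/dev/null
}

# A spoofed server: same subject name, but it can only self-sign because
# it does not hold ca.key.
make_impostor_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=server.example.test" \
        -keyout "$demo_dir/fake.key" -out "$demo_dir/fake.crt" 2>/dev/null
}

# The client-side decision: succeed only if the certificate chains to ca.crt.
trusted_by_company_ca() {
    openssl verify -CAfile "$demo_dir/ca.crt" "$1" >/dev/null 2>&1
}

make_ca && make_server_cert && make_impostor_cert
if trusted_by_company_ca "$demo_dir/server.crt"; then
    echo "server.crt: accepted (signed by the company CA)"
fi
if ! trusted_by_company_ca "$demo_dir/fake.crt"; then
    echo "fake.crt: rejected (not signed by the company CA)"
fi
```

With `ca.crt` installed as a trusted CA certificate in the client, the self-signed error no longer has to be ignored, and the server certificate can be reissued later without changing the client.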