[Interest] Clarification on network security
Giuseppe D'Angelo
giuseppe.dangelo at kdab.com
Sun Jun 16 14:31:45 CEST 2019
On 16/06/2019 13:41, Konrad Rosenbaum wrote:
> Bob, you already have really good answers from Elvis and Thiago - please
> ignore this thread! In short: use QSslSocket/QSslServer, set the
> protocol version to 1.2 or newer, deliver the server cert (not key) with
> your client software, authentication depends on your use case. Ask
> specific non-Qt questions on https://security.stackexchange.com/ .
Some other advice:
* Ignore Roland's email;
* Network security isn't an after-thought, to bolt on somehow at the end
of the development. It has implications in your architecture and
processes (and ultimately code, to handle it properly).
* Network security on non-localhost connections is a mandatory feature
and not a "nice to have" (we're still in 2019). Qt makes it easy for
application developers via QSslSocket/QSslServer (for TCP), QDtls (for
UDP), QNetworkAccessManager (for HTTPS).
Depending on which side(s) you're developing, you need knowledge about
the challenges involved.
* For some of the Qt-specific insights, see Richard Moore's talk from QtDD:
> https://www.youtube.com/watch?v=btLCVoEuEr8&list=PLizsthdRd0YzYe5T3Txgg7TUGVi-ijq4d&index=43
(It's a bit old, but the main points are still valid. The most important
one being do not *ever* call ignoreSslErrors() unless you know what
you're doing)
* For the non-Qt specific insights, refer to online forums or a few good
books (which however get old very quickly and need to be complemented by
up-to-date information). I don't know about any single book around PKI
operations, though, which are probably one of the most critical parts
(rather than delving into OpenSSL programming, which Qt will hide from
you). Maybe a question for the forums.
HTH,
--
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts