[Interest] Clarification on network security

Giuseppe D'Angelo giuseppe.dangelo at kdab.com
Sun Jun 16 14:31:45 CEST 2019

On 16/06/2019 13:41, Konrad Rosenbaum wrote:
> Bob, you already have really good answers from Elvis and Thiago - please
> ignore this thread! In short: use QSslSocket/QSslServer, set the
> protocol version to 1.2 or newer, deliver the server cert (not key) with
> your client software, authentication depends on your use case. Ask
> specific non-Qt questions on https://security.stackexchange.com/ .

Some other advice:

* Ignore Roland's email;

* Network security isn't an after-thought, to bolt on somehow at the end 
of the development. It has implications in your architecture and 
processes (and ultimately code, to handle it properly).

* Network security on non-localhost connections is a mandatory feature 
and not a "nice to have" (we're still in 2019). Qt makes it easy for 
application developers via QSslSocket/QSslServer (for TCP), QDtls (for 
UDP), QNetworkAccessManager (for HTTPS).

Depending on which side(s) you're developing, you need knowledge about 
the challenges involved.

* For some of the Qt-specific insights, see Richard Moore's talk from QtDD:

> https://www.youtube.com/watch?v=btLCVoEuEr8&list=PLizsthdRd0YzYe5T3Txgg7TUGVi-ijq4d&index=43

(It's a bit old, but the main points are still valid. The most important 
one being do not *ever* call ignoreSslErrors() unless you know what 
you're doing)

* For the non-Qt specific insights, refer to online forums or a few good 
books (which however get old very quickly and need to be complemented by 
up-to-date information). I don't know about any single book around PKI 
operations, though, which are probably one of the most critical parts 
(rather than delving into OpenSSL programming, which Qt will hide from 
you). Maybe a question for the forums.

Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts
