[Interest] wss:// on localhost
Alexander Carôt
alexander_carot at gmx.net
Tue Jul 21 19:32:13 CEST 2020
Hej Thiago,
> Whether they work or not is irrelevant, since you shouldn't be shipping the
> same certificate to all users. You'd have to make it extremely long-lived
> (expiry 20 years from now). Generating a short-lived one (3 months) limits the
> damage if it somehow gets misused.
just to avoid misunderstandings: The goal is not sending existing certificates as part of the application download but rather generating the certificate automatically upon launching the app?
> There are lots of examples on the Internet on how to do this with the openssl
> command. You'll have to find out how to do it with the API, if you don't want
> to ship the command.
If my assumption above is right then any kind of automated process would be fine for me - e.g. running the openssl command as part of a script, which is executed before launching the application, or probably generating the certificate within the app code, which would be even more convenient.
Is this somehow the right track or am I completely mistaken? Sorry again - completely new in the domain of security ;-)
Best
Alex
> 1) create a private/public key pair (usually RSA, but doesn't need to be).
> Creating a private key usually involves random numbers, so please be sure that
> OpenSSL's random generator is properly seeded, if it can't be guaranteed to
> auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and
> requires no seeding[*], so you can use it to generate random data to seed
> OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096
> bits), so you may want to investigate an elliptic curve key instead, which
> would reduce the computation time.
>
> 2) create a certificate-signing request (CSR), which contains the certificate
> header fields. Notably, it has the CN (Common Name) field, which identifies
> which hostnames it applies for. You want "localhost"
>
> 3) sign the CSR. You'll sign with the key used in #1, causing this to be self-
> signed. The result is the certificate.
>
> There are lots of examples on the Internet on how to do this with the openssl
> command. You'll have to find out how to do it with the API, if you don't want
> to ship the command.
>
> For anyone wondering about turning off the SSL error on self-signed
> certificates: self-signing isn't inherently bad. The SSL error comes not
> because the certificate is self-signed, but because it's not signed by any
> certificate in the Certificate Authority list. The fact it's self-signed is
> simply extra information, as it's the most common cause of an authority not
> being found. But if you add the certificate itself to the CA list (in fact,
> make it the only entry!), then it'll match to a CA and you get no SSL error.
>
> [*] this is also why René is having problems with the RDRAND instruction in
> the other thread.
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel DPG Cloud Engineering
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
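The three steps Thiago lists, written out as a script an app could run before start-up, plus the "add the certificate to the CA list" check from the same message. This is an added example, not code from the thread or from Qt; it assumes the openssl CLI (1.1.1 or newer) is on PATH, and the file names, the P-256 curve and the 90-day default are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): generate a short-lived, self-signed
# certificate for "localhost" following the three steps quoted above.
# Assumes the openssl CLI is available; paths and defaults are illustrative.
set -eu

# gen_localhost_cert DIR [DAYS]: writes DIR/localhost.key and DIR/localhost.crt
gen_localhost_cert() {
    dir="$1"; days="${2:-90}"
    key="$dir/localhost.key"; csr="$dir/localhost.csr"; crt="$dir/localhost.crt"

    # Step 1: key pair. A P-256 EC key is far cheaper to generate than a
    # 2048-4096 bit RSA key; the CLI seeds its own CSPRNG. Keep it owner-only.
    openssl ecparam -name prime256v1 -genkey -noout -out "$key"
    chmod 600 "$key"

    # Step 2: CSR with CN=localhost. A private config avoids depending on the
    # system openssl.cnf; the subject comes from -subj, so nothing is prompted.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -new -key "$key" -config "$dir/req.cnf" -subj "/CN=localhost" -out "$csr"

    # Step 3: self-sign the CSR with the same key. Clients match hostnames
    # against the subjectAltName, not only the CN, so it is added here; the
    # short lifetime bounds the damage if the key is ever copied elsewhere.
    printf 'subjectAltName = DNS:localhost,IP:127.0.0.1\nbasicConstraints = CA:FALSE\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$csr" -signkey "$key" -days "$days" \
        -extfile "$dir/ext.cnf" -out "$crt"
    rm -f "$csr" "$dir/req.cnf" "$dir/ext.cnf"
}

# check_localhost_cert DIR: succeeds only if the certificate names localhost in
# its SAN and validates when it is itself the only trust anchor, i.e. the
# "make it the only entry in the CA list" situation described above.
check_localhost_cert() {
    crt="$1/localhost.crt"
    openssl x509 -in "$crt" -noout -text | grep -q 'DNS:localhost' || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}
```

Call `gen_localhost_cert /path/to/appdata 90` from the launcher script and point the wss:// server at the two files it writes; the private key never has to leave the machine.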