[Qt-interest] RSA in QT
Konrad Rosenbaum
konrad at silmor.de
Sun Feb 1 11:04:13 CET 2009
Hi,
On Friday 30 January 2009, Serge wrote:
> > HTTPS is a very good idea. Here is a plan for you:
> >
> > 1) store the public key of the server in a resource
>
> I purchased a certificate for the server for one year at godaddy.com.
> Next year I will need to renew it. Maybe it will be a different
> certificate. If I store the public key in a resource of the program, the
> program will stop working if the certificate changes.
For this protocol itself a self-signed certificate would have sufficed. But
thank you for supporting the CA industry in these troubled times.
> > 2) before establishing the connection purge the CA list of Qt and put
> > your servers public key in as the only CA key - this will make sure
> > that it is impossible to communicate with any other server (unless you
> > call ignoreSslErrors - don't call it!)
>
> How do I do it using Qt in code?
> I found only 2 examples working with SSL: network/http,
> securesocketclient. They are not changing the CA list of Qt, as I understand.
Please read the documentation. Please.
> > 3) generate another SSL-certificate and put it completely (including
> > private and public key) into the resources
>
> Can I generate a free self-signed certificate for it myself, without
> purchasing one?
Yes. Read the documentation of OpenSSL.
This is what I do every year for my Apaches:
openssl req -new -x509 -nodes -out cert.pem \
-keyout key.pem -days $DAYS -set_serial $SERIALNUMBER
> > 4) use the second SSL-cert as client certificate
>
> How to do it in code?
> network/http, securesocketclient do not demonstrate it.
>
> In the http example QHttp::ConnectionModeHttps is just passed to the QHttp
> object. No additional processing for SSL.
Just from looking at the docu: try setSocket with a prepared QSslSocket.
> > 5) on the server side check the client certificate and refuse
> > communication if the wrong or no client certificate is used
>
> How can a PHP script read info about the client certificate used for the
> https connection?
Read the documentation.
Seriously: get some help from a security expert. If this feature is critical
to your company it should be worth paying a few thousand
Euros/Dollars/Whatevers to someone who can get it right. If this is just a
toy project of yours, it should be worth waiting a year while you read up
on all the important literature in the field - I already gave you a good
starting point (Schneier).
Konrad
--
Note: I'm changing my PGP/GPG key soon! New KeyID: 723A6200
Fingerprint: B37C FA75 8C4C 6537 7954 CBC0 CB15 C991 723A 6200
Keyserver: wwwkeys.eu.pgp.net
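The certificate side of Konrad's plan as an added example, not code from the thread: step 3 with his openssl command made non-interactive, and the single-trusted-certificate check behind steps 2 and 5 (on the Qt side that is QSslSocket::setCaCertificates with one entry, plus setLocalCertificate/setPrivateKey for the client certificate) done with openssl verify. It assumes the openssl CLI is installed; the file names, the 365-day validity and the serial numbers are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
set -u

# Step 3: self-signed certificate plus unencrypted private key (-nodes), as in
# Konrad's command; -subj and -newkey are added so it runs without prompting.
# Usage: make_selfsigned <path-prefix> <days> <serial>  ->  <prefix>.pem, <prefix>.key.pem
make_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=$(basename "$1")" -days "$2" -set_serial "$3" \
        -keyout "$1.key.pem" -out "$1.pem" 2>/dev/null
}

# Steps 2 and 5 are the same check seen from either side: the trust store holds
# exactly one certificate, so only that certificate (or one it issued) passes.
# Usage: check_peer_cert <pinned.pem> <presented.pem>; exit status 0 only on success.
check_peer_cert() {
    [ -s "$2" ] || return 1        # no certificate presented at all
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: the value to compare when a renewed
# certificate shows up, so a changed pin is noticed instead of failing silently.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir/server" 365 1   # pinned in the client's resources
    make_selfsigned "$dir/client" 365 2   # shipped with the client, checked by the server
    make_selfsigned "$dir/rogue"  365 3   # unrelated self-signed certificate (constructed)
    check_peer_cert "$dir/client.pem" "$dir/client.pem" && echo "client cert accepted"
    check_peer_cert "$dir/client.pem" "$dir/rogue.pem"  || echo "rogue cert refused"
    check_peer_cert "$dir/client.pem" /dev/null         || echo "missing cert refused"
    echo "server pin: $(fingerprint "$dir/server.pem")"
    rm -rf "$dir"
}
demo
```

Because the trust store contains only the pinned certificate, the check fails as soon as that certificate is renewed, which is exactly Serge's concern above: the pinned copy in the resources has to be updated together with the certificate.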