|
|
Stephen Collyer wrote:
>> Because you're accepting the connection from the remote. In most
>> cases, a client's IP address cannot be determined beforehand.
>
>I don't understand this. By the time incomingConnection() runs we
>certainly have an IP address in peerAddress() - we don't have
>the peer name though, which is the problem.
What I meant is that it can come from anywhere on the Internet. Think of
clients connecting via their ADSLs. You can't guarantee that there will
be a reverse resolution of the IP. That's why servers don't check the
clients' IP addresses, but instead that the certificate was properly
signed.
Unless you have a very, very specific setup in which you mandate that the
client is connecting from a particular IP range.
>> In general, when a server requests clients to present certificates,
>> they will try and validate the certificate against a precise
>> certificate authority: yours. This way, you can be sure that the
>> client is who is he's supposed to be.
>
>Right. But I don't follow what you're trying to tell me here.
>This is handled once we have set the appropriate CA cert with
>QSslSocket::addCaCertificates(), no ?
That's correct. If none of the CA certificates listed has signed the
client certificate that was presented, QSslSocket will raise another
error. Hence why you should be careful with ignoreSslErrors() and you
should verify what QSslSocket concluded.
--
Thiago José Macieira - thiago.macieira AT trolltech.com
Trolltech, a Nokia Company
Sandakerveien 116, NO-0402 Oslo, Norway
|
|