Thiago Macieira wrote:
> Stephen Collyer wrote:
>> What is involved in implementing my own SSL-error verification ?
>> Presumably I would have to replace the entire functionality of
>> startServerEncryption() ?
>
> Use ignoreSslErrors() and then compare the certificate that you received
> from the client with what you expect.

OK. But to make any decision on the validity of the certificate,
I have to do a reverse lookup on the peer address at some point.
It seems to me that I may just as well do that in incomingConnection(),
then set the QSslSocket peer name from the results, call
startServerEncryption() and then let the Qt logic proceed as usual.

>> BTW, what is the rationale for not setting peerName() in servers ?
>> It seems that it is required for proper support of client certificates.
>
> Because you're accepting the connection from the remote. In most cases, a
> client's IP address cannot be determined beforehand.

I don't understand this. By the time incomingConnection() runs we
certainly have an IP address in peerAddress() - we don't have
the peer name though, which is the problem.

> In general, when a server requests clients to present certificates, they
> will try and validate the certificate against a precise certificate
> authority: yours. This way, you can be sure that the client is who
> he's supposed to be.

Right. But I don't follow what you're trying to tell me here.
This is handled once we have set the appropriate CA cert with
QSslSocket::addCaCertificates(), no ?
--
Regards
Steve Collyer
Netspinner Ltd
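
The "compare the certificate with what you expect" step from the quoted reply, as an added example that is not part of the original message and is not Qt code: a Qt-free model of the accept/reject decision a server could make after the handshake reports its errors. The types, function names and digests are hypothetical, and tolerating only the hostname mismatch (rather than every error) is an assumption of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-ins for what the handshake reports. In a Qt server these
// would be derived from the reported SSL errors and the peer certificate.
enum class TlsError { HostNameMismatch, SelfSigned, Expired, UntrustedIssuer, NoPeerCertificate };

struct HandshakeResult {
    std::vector<TlsError> errors;  // every error reported for this handshake
    std::string peerCertSha256;    // hex digest of the client certificate, empty if none
};

enum class Decision { Accept, RejectNoCertificate, RejectUnexpectedError, RejectUnknownCertificate };

// Hex digests are compared case-insensitively, so normalise before lookup.
static std::string lowerHex(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Accept only when (a) a client certificate was presented, (b) no error other
// than the hostname mismatch was reported, and (c) the certificate digest is
// one the server was configured to expect (expectedDigests holds lowercase hex).
Decision decide(const HandshakeResult &r, const std::set<std::string> &expectedDigests)
{
    if (r.peerCertSha256.empty())
        return Decision::RejectNoCertificate;

    const bool onlyNameMismatch = std::all_of(
        r.errors.begin(), r.errors.end(),
        [](TlsError e) { return e == TlsError::HostNameMismatch; });
    if (!onlyNameMismatch)
        return Decision::RejectUnexpectedError;  // expired, untrusted issuer, ...

    if (expectedDigests.count(lowerHex(r.peerCertSha256)) == 0)
        return Decision::RejectUnknownCertificate;

    return Decision::Accept;
}
```

The order of the checks matters: a certificate that matches an expected digest is still rejected if the handshake also reported an error such as expiry.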
List archive and information: http://lists.trolltech.com/qt-interest/