Hi Juice,

As far as I understand, you have control over installing HTTPS certificates on the server where the requests are sent?


In this case, you have two options:

  1. Install a trusted SSL certificate on your server.

  2. Generate your own self-signed certificate and mark it as trusted in your application.


For 1. you can get a free(!) domain validated certificate from StartSSL. It is trusted by most (if not all) modern browsers.


For 2. you need to export your self-signed certificate from the server (without the private key), ship it together with your application and do the following on application startup:

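  // Needs <QFile>, <QSslCertificate> and <QSslConfiguration>.
  QFile f("<path-to-your>/certificate.pem");
  if (f.open(QFile::ReadOnly)) {
      // Public certificate only, PEM encoded; the private key stays on the server.
      QSslCertificate cert(f.readAll(), QSsl::Pem);
      f.close();

      if (!cert.isNull()) {
          // Add the certificate to the default CA list used by new connections.
          QSslConfiguration sslConfiguration = QSslConfiguration::defaultConfiguration();
          QList<QSslCertificate> cacerts = sslConfiguration.caCertificates();
          cacerts.append(cert);
          sslConfiguration.setCaCertificates(cacerts);
          QSslConfiguration::setDefaultConfiguration(sslConfiguration);
      }
  }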


Even 2. will be much safer than just ignoring all SSL errors.


On 18/08/15 07:05, juice wrote:
Thank you Jonni, Thomas & Graham for prompt and insightful answers.

I think I need to explain a bit more about my planned application, to
show what the security model is and why I would like to accept https
connection without checking for certificate validity.

I am writing a dog-tracing utility, which periodically queries a server
for whereabouts of the dog, receives geolocation coordinates and plots
the location to a map on the Jolla phone.

The dog wears a GPS collar that sends location updates to my server
which actually maintains a detailed trace but in this case we are only
interested in the last known position of the dog.

Reason why I want to use https on the transport layer instead of http
is because I do not like to advertise location data worldwide, it is
private and my own location can be determined from the location of my
dog and hence my mushroom hoarding places in the woods be compromised
to other people. (remember, people have been killed in Italy for example
trying to protect their favourite picking spots....)

So, the protocol is simple, the application sends a query like:
GET https://toosa.swagman.org/wheres_my_dog/loc?password=ToPsEcReT
The response is xml/json/whatever, last known coordinates.

Of course the same can be applied to people tracking, when I am on a
bicycle trip, and my GPS tracking is active, my wife can get me by;
GET https://toosa.swagman.org/wheres_juice_now/loc?password=ToPsEcReT

In this case it is also self-evident why I want the location data to
remain confidential. As the transport channel is secured, neither my
password nor the reply coordinates are exposed to outside parties.

Now, as this application is pretty much something I am just writing for
my own use I like to keep it pretty simple and avoid fancy certificate
accept/store/maintain schemes.

I doubt anyone else really needs this application so it need not be
overtly complicated.

I mean, how many users are there who have a Jolla and like to track
their dog by GPS collar? Not more than a handful I'd guess. :)

Of course if it was very simple to add certificate lifecycle maintenance
to the application then I could do that for completeness' sake.

--
With best regards,
Oleksii Serdiuk


_______________________________________________
SailfishOS.org Devel mailing list
To unsubscribe, please send a mail to devel-unsubscr...@lists.sailfishos.org
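
Added example (not part of the original mail or of the code posted in it): option 2 compared with ignoring all SSL errors, written with Python's ssl module rather than Qt so that it runs without a Qt build. It assumes the openssl CLI (1.1.1 or newer) is installed; the function names, the localhost test server and the reply bytes are constructed for illustration.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(directory, name):
    """Self-signed cert and key for 'localhost' via the openssl CLI (assumed >= 1.1.1)."""
    crt, key = (os.path.join(directory, name + ext) for ext in (".pem", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def serve_once(crt, key):
    """Start a one-connection TLS server on 127.0.0.1 and return its port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    listener = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = listener.accept()
        listener.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"lat=0.0 lon=0.0")  # constructed reply
        except OSError:
            pass  # the client refused our certificate
    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]

def fetch(port, ctx):
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.recv(64)
    except ssl.SSLError:
        return None  # handshake refused by the client

def client_context(pinned_cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    if pinned_cert is None:  # the "ignore all SSL errors" shortcut
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    else:  # option 2: trust only the shipped certificate
        ctx.load_verify_locations(cafile=pinned_cert)
    return ctx

def demo():
    """Map (client policy, server identity) to whether the client accepted it."""
    with tempfile.TemporaryDirectory() as d:
        servers = {"real": make_cert(d, "real"), "impostor": make_cert(d, "impostor")}
        clients = {"pinned": servers["real"][0], "ignore-all": None}
        return {(c, s): fetch(serve_once(*pair), client_context(pin)) is not None
                for c, pin in clients.items() for s, pair in servers.items()}
```

Calling `demo()` shows that the pinned client accepts only the server holding the matching private key, while the ignore-all client also accepts a second self-signed certificate issued for the same name.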
