On 06/05/2014 08:11, Jeremy Lainé wrote: > Thanks Richard for taking the time to write up your summary, as the subject > is pretty vast. > > On 05/03/2014 11:23 PM, Richard Moore wrote: >> Support for QNAM >> ================ >> >> It's obvious that to be useful, a backend must allow QNAM to make SSL >> requests. It need not support the more advanced features such as >> client certs, custom CAs, custom cipher suites etc. >> >> In order to handle user exceptions, we need a way to signal the >> errors. This means that QSslError would be required. Another option >> might be to offer some pre-built UI component for this, but that has >> the issue that a single component would probably not be a good fit to >> many UIs. > Who is looking into WinRT, as I'd be interested in hearing what the WinRT API > offers in > terms of error reporting? As covered in in [1] there should be at least enough error reporting to implement a minimal SSL subset for WinRT.
> > On the iOS / Secure Transport front, QSslError support is not going to be as > detailed as > the OpenSSL backend as the API offers very little detail about "what went > wrong" > establishing a secure connection. > > >> Another issue is displaying the certificate to the user. The >> QSslCertificate API is large, and whilst I think most backends would >> be able to provide most (if not all) of the facilities this is still a >> significant barrier. Instead, how about we allow QSslCertificate to be >> used as an opaque type for most apps? This could be done by providing >> access to the platform native (or a Qt provided) certificate >> dialog. This would reduce the requirements for the backend >> substantially. > Can you explain your thinking in more detail on this point? For iOS / Secure > Transport > there is a clean separation between the SSL code and anything GUI related - > to my > knowledge there is no "native dialog" to handle accepting certificates. I don't think that there is that kind of dialog for WinRT either or at least I haven't seen anything like that. So to have all that cross platform and not have to implement it again and again we should probably offer a Qt dialog which has the most important certificate properties inside? > > On the other hand: > > - you can get access to the raw DER data for the certificate > (SecSecurityGetData [1]) > > - you can create a certificate instance from the raw DER data > (SecCertificateCreateWithData [2]) > > I have therefore written some code to parse just enough ASN.1 to extract the > certificate > details: > > https://qt.gitorious.org/qt/sharkys-qtbase/source/ec189e6994b331e0e6662440a4a6fba3366277ec:src/network/ssl/qsslcertificate_ios.cpp > > Does WinRT provide access to the DER data? Yes see [2] > >> Simplifying the Cipher API >> ========================== >> >> Currently, the QSslCipher API is pretty large. It's not simply the >> code in the QSslCipher class itself, but also all the stuff in the >> QSslConfiguration that defines the preferences. Instead, we could >> offer a simplified API that all backends must offer. So, for example >> we could have something as simple as High, Medium and Low! After all, >> most people (including developers) don't know the trade-offs of the >> different cipher suites anyway. We could also have a flag for perfect >> forward secrecy since that is independent of the strength. It would >> also be possible to have a setting like FIPS for people who care about >> that. > I haven't looked into what iOS offers here yet. > > Cheers, > Jeremy > > [1] > https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/c/func/SecCertificateCopyData > > [2] > https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/c/func/SecCertificateCreateWithData > > _______________________________________________ > Development mailing list > Development@qt-project.org > http://lists.qt-project.org/mailman/listinfo/development Cheers, Olli [1] https://bugreports.qt-project.org/browse/QTBUG-37497 [2] http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificate.getcertificateblob.aspx _______________________________________________ Development mailing list Development@qt-project.org http://lists.qt-project.org/mailman/listinfo/development