SSL Certificate and Public Key Pinning
Unsolved
General and Desktop
-
Does Qt support certificate pinning? I am not finding much when searching the documentation and Google.
To give more clarification: we are looking to do more to stop MITM attacks. One way is to store a hash of the server's public key in the client when the client is built, so that when the client reaches out to the server for the first time for the server's public key, it can hash that key and compare it to its stored hash to ensure it's legitimate. And then do the comparison for each request.
Thoughts? Is there a better way to achieve this result?
-
Here is how I solved it:
Connected to the encrypted signal:
// mgr is the QNetworkAccessManager. encrypted() fires once the TLS handshake
// has completed and before any request data has been sent.
QObject::connect(&mgr, SIGNAL(encrypted(QNetworkReply*)), this, SLOT(on_Encrypted(QNetworkReply*)));
Then in the slot, check whether pinning is in use and verify the hash:
#include <QCryptographicHash>
#include <QDebug>
#include <QNetworkReply>
#include <QSslCertificate>
#include <QSslKey>

void on_Encrypted(QNetworkReply *reply)
{
    if (!useCertPinning)
        return;

    // Leaf certificate the server presented in this handshake
    QSslCertificate cert = reply->sslConfiguration().peerCertificate();

    // base64(SHA-256(DER public key)), compared against the pin built into the client
    QString serverHash = QCryptographicHash::hash(cert.publicKey().toDer(),
                                                  QCryptographicHash::Sha256).toBase64();

    if (pinningHash.compare(serverHash) != 0) {
        qDebug() << "Public Key Hashes don't match, abort";
        reply->abort();   // drop the connection before any application data goes out
    }
}
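As an added example that is not from this thread or from Qt: the build-time side of the scheme the question describes, in Python. It produces the base64 SHA-256 pin of a certificate's SubjectPublicKeyInfo (the public-key DER the slot above hashes) and checks a presented certificate against a pin set with a backup pin. The DER certificate, its key and the small DER walker are all constructed here for the example; they are not a library or the project's code.

```python
import base64
import hashlib
import hmac

SEQ, INT, OID, BITS, NULL, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x05, 0xA0

def der(tag: int, body: bytes) -> bytes:  # encode one TLV, short/long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _header(buf: bytes, i: int) -> tuple[int, int]:  # (body offset, body length)
    n = buf[i + 1]
    if n < 0x80:
        return i + 2, n
    k = n & 0x7F
    return i + 2 + k, int.from_bytes(buf[i + 2:i + 2 + k], "big")

def der_children(tlv: bytes) -> list[bytes]:  # child TLVs of a constructed element
    i, size = _header(tlv, 0)
    end, out = i + size, []
    while i < end:
        body, n = _header(tlv, i)
        out.append(tlv[i:body + n])
        i = body + n
    return out

# rsaEncryption AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 with NULL parameters
RSA_ALG = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))

def sample_cert(modulus: bytes) -> bytes:
    """Constructed, unsigned stand-in for a server cert (placeholder names/validity)."""
    rsa_pub = der(SEQ, der(INT, b"\x00" + modulus) + der(INT, b"\x01\x00\x01"))
    spki = der(SEQ, RSA_ALG + der(BITS, b"\x00" + rsa_pub))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + RSA_ALG
              + der(SEQ, b"") + der(SEQ, b"") + der(SEQ, b"") + spki)
    return der(SEQ, tbs + RSA_ALG + der(BITS, b"\x00" * 33))

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo DER)): the value to embed at build time."""
    fields = der_children(der_children(cert_der)[0])  # tbsCertificate fields
    if fields[0][0] == CTX0:                           # skip the optional version
        fields = fields[1:]
    return base64.b64encode(hashlib.sha256(fields[5]).digest()).decode()

def pin_matches(cert_der: bytes, pins: set[str]) -> bool:
    """True if the presented SPKI pin is in the pin set (primary plus backup pin)."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)
```

Ship at least two pins (current key plus an offline backup) so a key rotation does not lock every deployed client out of the server.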