June 24th 2014, SSL Security
After the Heartbleed OpenSSL security hole, I was wondering if my client/server application was affected. When building Qt from source, Qt’s network module is linked against the installed OpenSSL system library. All versions of OpenSSL from 1.0.1 through 1.0.1f are affected. Versions 1.0.0 and older are not affected, and neither are versions 1.0.1g and later. So let’s see which version we have:
> openssl version
OpenSSL 0.9.7l 28 Sep 2006
Not affected, but pretty old though!
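The same check as a shell function, added here as an example and not part of the original post: it applies the affected range stated above to a line of `openssl version` output. The function name `heartbleed_status` and the sample lines other than the post's own are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line against the Heartbleed
# range given in the text (1.0.1 through 1.0.1f affected).

# heartbleed_status "<one line of openssl version output>"
# Prints "affected", "not affected" or "unknown".
heartbleed_status() {
    # The second field is the version, e.g. "0.9.7l" or "1.0.1e-fips".
    # Lines from other libraries (first field is not "OpenSSL") yield "".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        "")             echo "unknown" ;;       # not an OpenSSL version line
        [!0-9]*)        echo "unknown" ;;       # version does not start with a digit
        *beta*)         echo "unknown" ;;       # pre-releases: outside the range the text gives
        1.0.1|1.0.1-*)  echo "affected" ;;      # 1.0.1 without a letter suffix
        1.0.1[abcdef]*) echo "affected" ;;      # 1.0.1a through 1.0.1f
        *)              echo "not affected" ;;  # 1.0.0 and older, 1.0.1g and later
    esac
}

# Constructed sample lines; the first is the output shown in the post.
for line in \
    "OpenSSL 0.9.7l 28 Sep 2006" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014"
do
    printf '%-34s %s\n' "$line" "$(heartbleed_status "$line")"
done
```

A version string says nothing about vendor backports (distributions shipped patched builds that still report 1.0.1e), so read "affected" as "inside the affected range" and confirm against the vendor's advisory. It also describes only the `openssl` binary on the path; Qt 5 reports the library the application actually uses through `QSslSocket::sslLibraryVersionString()`.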
Another note on security: Since we are currently only testing, the self-signed certificate and private key can be made public. But in a system that is meant to encrypt safely, a private key that has been made public makes attacks easy. If we were running a real server we would have to keep the private key in a safe place. And of course we would have to get a certificate from a CA, so that a client can verify the authenticity of the peer. If we do not, we could be sending our personal data to a man in the middle.