Im trying to get FTP-SSL to work with Qt 4.6.3. I've already compiled Qt with OpenSSL support. Are there any good resources about FTPS with Qt? It seems that QFtp does not provide SSL support. I really dont want to create my own FTPS implementation.
// edit:
I discovered QNetworkAccessManager (ty # frank) but I cant find any useful documentation or examples for SSL with it. Thats what I'm trying:
QUrl url = QUrl("ftp://localhost/filex.txt");
url.setUserName("root");
url.setPassword("root");
QNetworkRequest request(url);
QSslConfiguration SslConfiguration(QSslConfiguration::defaultConfiguration());
request.setSslConfiguration(SslConfiguration);
manager->get(request);
But FileZilla wont let me connect. The FZ console says:
(000035)21.12.2010 17:31:46 - (not logged in) (127.0.0.1)> USER root
(000035)21.12.2010 17:31:46 - (not logged in) (127.0.0.1)> 530 SSL required
FileZilla configuration:
FTP over SSL/TLS support enabled
Explicit FTP over TLS enabled
Plain unencrypted FTP disallowed
SSL forced for roots login
I would at least expect some sort of sslErrors signals since user/pw is fine and SSL fails, but I'm only getting authenticationRequired signals.
Thanks for your help!
Unfortunately there's no out of the box solution for FTPS in Qt.
QFtp implements many ftp commands
but does not support encryption.
QNetworkAccessManager supports only
basic ftp functions (file
download/upload) and does not support
encryption in case of ftp, either. It's
worth to mention it does support
encryption for HTTP, which is the
protocol it's mainly designed for.
QSslSocket implements SSL but no
specific protocol like FTP or HTTP
Taking above information into consideration an idea comes to mind to mix QFtp with QSslSocket to get encrypted FTP. The problem is QFtp class has no method which would allow to make QFtp use user supplied socket. By comparision QHttp has such a method - int QHttp::setSocket(QTcpSocket * socket)
Bottom line; according to Thiago Macieira (designer of QNetworkAccessManager) the way to go is to implement FTP protocol using QSslSocket.
Related
I am using Qt5 on Windows 7.
I currently have a server app that uses a QSslSocket to communicate with clients.
It works ok so far, but the customer wants me to use only TLS protocol, and make sure we never fall down to SSL protocol (which he considers to be not secure enough).
In my code there's absolutely nothing set explicitly, I only used the default(s) offered by the QSslSocket class.
I saw in Qt doc that by default QSslSocket uses TLSv1_0, yet I am not quite sure, because...
On the other hand, the Qt doc says, see QSsl::SecureProtocols: "The default option, using protocols known to be secure; currently behaves similar to TlsV1Ssl3 except denying SSLv3 connections that does not upgrade to TLS."
So, I am a little bit puzzled about this...
Finally, the question is: Would the default (what I have right now) of QSslSocket class guarantee that the connection is TLS encrypted? If not, what should I do in order to be sure the connection always uses TLS protocol?
I need to upload an image file on server using ssh2 protocol on port 22. SSH2 protocol with QNetworkAccessManger is not popular on Google either. Here is my code.
QUrl uploadUrl("ssh2://192.168.10.227/var/www/html/img/"+mImgFile);
uploadUrl.setUserName("xxxxxx");
uploadUrl.setPassword("xxxxxx");
uploadUrl.setPort(22);
qDebug() << uploadUrl.toString();
QNetworkRequest uploadReq(uploadUrl);
mReply = mNetworkManager->put(uploadReq, &file);
connect(mReply, SIGNAL(uploadProgress(qint64, qint64)), this, SLOT(uploadProgress(qint64, qint64)));
With URL-scheme as "ssh2" or "sftp" or "ssh2.sftp"; it outputs that Protocol is unknown. And the reason i used strange-looking "ssh2.sftp", is here(just a little php code to view).
I want to know whether ssh2 can be used with qnetworkaccessmanager at all? If yes, what is the correct URL-format to upload an image file?
There is no SSH support in Qt, for example see
Howto implement SFTP with Qt/QNetworkAccessManager (C++) and How to easily establish an SSH connection in Qt?
The list of supported URL schemes in QNetworkAccessManager can be obtained by QNetworkAccessManager::supportedSchemes() that is ("ftp", "file", "qrc", "http", "https", "data") in default Qt releases (https is supported only if external OpenSSL library is found, since it is also not supplied with Qt).
So, it is still needed to use external C library libssh2 to work with SSH2 protocol using native sockets.
I found here that there was some old Qt extension LibQxt with Qt SSH support. However, it is no longer maintained.
I need to implement an http server on a device that will be installed at a remote location and acessible through a cell modem. I am experience in embedded systems but I'm new to cell modems.
I was originally using this cell modem: http://www.janus-rc.com/HSPA910cf.html (based on a Telit HE910 module) for SMS alerts but now need to implement the http server functionailty.
I am not sure whether this cell modem supports the http server functionality and cannot seem to find much on the topic.
Would appreciate if anyone with experience in cell modems can shed some light on this.
The HE910 does not have any sort of built-in HTTP server, but you can still implement your own.
If you look at the documentation (Telit_HE910_UE910_AT_Commands_Reference_Guide_r5), you'll see that the HE910 has support for TCP, allowing you to use AT commands to make and receive socket connections.
It even appears (see Telit_Easy_Script_Python_2.7_r3) that the HE910 supports on-board Python with the socket module, so you should be able to implement a small HTTP server without even requiring a host to drive it.
I am using mochiweb for a server that may also get a TCP connction to which the client sends a simple string (without a newline, the string is not http). Mochiweb uses HTTP sockets and therefore fails to detect this (i dont even get http_error that i can easily get in mochiweb). How can I solve this? Ideally I wish to change mochiweb code to do setopt({packet, http_or_raw}) but this kind of thing does not exist. How would you recommend handling this? my current idea was to modify mochiweb and use erlang:decode_packet, is there a better approach?
EDIT:
More info.
Our server is a websocket service. We wish to allow
people without a ws supporting browser to use it so we use a
flash object to do websocket when the browser can't. The flash object needs to get a flash policy file. Flash
forces the file to be in one of two places:
- port 843 (flash hard coded)
- the port of the ws service
The flash protocol is NOT HTTP based.
Amazon ELB does not allow port forwarding for
most ports below 1024, so we
implemented the flash server in the same port via a patch to
mochiweb (https://github.com/nivertech/mochiweb/tree/ori_flash_170811).
Any advice?
mochiweb isn't designed to handle this use case, if it doesn't look
like HTTP then the connection is closed and it gets discarded. You
would have to go around mochiweb_http for this purpose. I'd suggest
using an alternate port, or making it look like HTTP.
If I really wanted to do what you say you want to do, I would copy
mochiweb_http.erl to some other name (e.g. sometimes_not_http.erl) and
make the appropriate changes to loop/2 and request/2… then instead of
adding mochiweb_http to your supervisor you'd add sometimes_not_http.
It is not necessary or recommended to make modifications to mochiweb
in-place.
I have a server program which listens on a particular port.
I have a requirement where client program that tries to connect to my server must be initiated by a root user.
How do I ensure this in the server program?
How do I ensure [anything about the
client program] in the server program?
You can't. If your security model requires the server to know whether client is root, you don't have security.
Let's consider one possibility: your network protocol includes a notification like this:
My-Uid-Is: 0
Your client, the perfectly secure version that you wrote, might implement this notification like this:
fprintf(socketFd, "My-Uid-Is: %d\n", getuid()); // send server my identity
But, my client, the one what I wrote without your knowledge or consent, will implement the notification like this:
fprintf(socketFd, "My-Uid-Is: 0\n"); // lie to server about my identity
Pop quiz: how can your server know whether it is talking to your truthful client, or my lying client? Answer: it can't. In fact, if you generalize this concept, you realize that the server can't rely upon the validity (whether that means the truthfulness, the format, the range-checking, etc.) of anything the client says.
In this specific case, using the clients source port number is as unreliable as any other choice. Yes, many operating systems require root privileges to bind to low-numbered source ports. But my PC might not be running your favorite operating system. I might be connecting from my own PC running my own OS which doesn't have that feature. Remember: you can't trust anything the client says.
There are techniques involving public-key encryption that can be used to guarantee that the program you are talking to has access to specific secrets. That, assuming that the secrets are adequately protected, can be used to guarantee that a specific person, computer, or account generated the request. I'll let someone else discuss PKI and how it might apply to your situation.
The client should bind to a port below 1024 before connecting. This port range is reserved for root.