Bug report #13471
SSL error(s) on What's New web page load
| Status: | Closed | | |
|---|---|---|---|
| Priority: | High | | |
| Assignee: | Larry Shaffer | | |
| Category: | Authentication system | | |
| Affected QGIS version: | master | Regression?: | No |
| Operating System: | | Easy fix?: | No |
| Pull Request or Patch supplied: | No | Resolution: | |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 21518 |
Description
For some reason, the Qt application trusted Certificate Authorities are not being loaded into the QgsWebPage upon requests, resulting in:
https://www.google.com/jsapi Unable To Get Local Issuer Certificate... Certificate Untrusted...
Started happening after the proxy support, i.e. using QgsNetworkAccessManager, was added to the new welcome page.
Setting the SSL cert exception is a workaround, but should not be needed. It appears that no trusted Certificate Authorities are being added to the QgsWebView requests. This is very odd, especially because if you inspect the certificate chain and trusted certs from within the SSL error dialog everything is there. I even tried adding the specific cert authorities to QGIS's new cert manager, with no luck.
Next I tried commenting out the QNetworkRequest hack in QgsNetworkAccessManager for HTTPS requests, but that had no effect either.
It seems that the QWebPage requests are maybe in a different thread and the SSL errors, as handled by the QgisApp, are just a response to a signal, but not being honored in the calling thread. Still it doesn't explain why the CAs are not being passed to the QgsWebView to begin with.
History
#1 Updated by Anonymous about 9 years ago
- Status changed from Open to Closed
Fixed in changeset 95c377a607757b4cc9d03a6e399b5516d0b44dcd.
#2 Updated by Larry Shaffer about 9 years ago
- File cert-authority-test.py added
While the web page exhibiting the issue has been removed from master, the issue still stands: https://www.google.com/jsapi does not have its certificate chain validated properly.
Initially, I thought it was related to the new authentication system (and spent a bunch of effort trying to find how it affected SSL cert chain validation), but it is not related to the new auth system at all. I wrote a small PyQt4 script (attached cert-authority-test.py) to test both QNetworkAccessManager and QWebPage outside of QGIS's custom implementation of both.
Try:
- Running the script shows a valid HTTPS result for the 'https://qgis.org/version.txt' URL.
- Comment out the url = 'https://qgis.org/version.txt' line and rerun script. Results in SSL errors for 'https://www.google.com/jsapi'.
You can play around with the script a bit:
- Uncomment wv.page().setNetworkAccessManager(nam) line to test setting an outside manager. Same result as internal manager: SSL errors for 'https://www.google.com/jsapi'.
- Comment out all lines that start with 'wv' and uncomment the nam.sslErrors ... block. Shows same result if calling get() on QNetworkAccessManager: SSL errors for 'https://www.google.com/jsapi'.
Essentially, Qt4 certificate chain validation has an issue with this particular chain. I tried doing all the chain validation through QCA and ended up with the same errors. If I were to guess, both Qt4 and QCA have issues validating an SSL cert chain which contains a cert with an Elliptic Curve Public Key which https://www.google.com uses.
Could be that Qt5 has this issue fixed (untested).
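An independent cross-check for the test described in comment #2, added here as an example and not part of the attached cert-authority-test.py or of QGIS: it performs the same two handshakes with Python's standard ssl module instead of Qt, and separates "no trusted issuer" failures (OpenSSL verify code 20, the error quoted in the description) from other verification errors. The function names and result keys are hypothetical.

```python
import socket
import ssl

# OpenSSL verify codes meaning "no trusted issuer found": a trust-store or
# chain-building problem, not an expired or mismatched certificate.
ISSUER_CODES = {
    2: "unable to get issuer certificate",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}


def strict_context():
    """Client context using the platform CA store, with full verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def classify(exc):
    """Return ('issuer' | 'other', verify_code) for a failed verification."""
    code = getattr(exc, "verify_code", None)
    return ("issuer" if code in ISSUER_CODES else "other", code)


def probe(host, port=443, timeout=10):
    """Handshake with host and report how certificate verification went."""
    ctx = strict_context()
    result = {"host": host}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(status="ok", tls=tls.version())
    except ssl.SSLCertVerificationError as exc:
        kind, code = classify(exc)
        result.update(status="verify-failed", kind=kind, code=code,
                      detail=exc.verify_message)
    except OSError as exc:  # DNS, TCP, or non-verification TLS failure
        result.update(status="connect-error", detail=str(exc))
    # May read 0 where CAs live in a hashed directory and are loaded lazily.
    result["cas_loaded"] = ctx.cert_store_stats()["x509_ca"]
    return result


if __name__ == "__main__":
    # Hosts taken from the two URLs tested in the comment above.
    for name in ("qgis.org", "www.google.com"):
        print(probe(name))
```

If both hosts report "ok" here on a machine where the Qt4 script still fails for one of them, the system trust store is intact and the difference points at the Qt-side validation path.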
#3 Updated by Matthias Kuhn about 9 years ago
No error for me on Fedora / QGIS 2.10.1 libs.
I also did not get this error on app startup with current master. Basically SSL certificate verification seems to work perfectly fine.
Adding url = 'https://tv.eurosport.com/' shows an SSL error; I used this to check that checks are actually performed.
Qt version: 4.8.6