[Qgis-developer] SSL connection does not update Cert Authorities. call for verification.

Luigi Pirelli luipir at gmail.com
Mon Oct 10 01:29:23 PDT 2016


Hi

I filed the following issue: https://hub.qgis.org/issues/15687
It would be nice to have more confirmation on different Windows versions
or other OSs.

This is the text of the issue:

***********************
I found a misalignment in SSL Root Certificate Authorities (CAs)
caching, at least on WIN. This bug was found while developing a solution
to: https://hub.qgis.org/issues/15617

ABSTRACT
A brief description of the bug(?), followed by a detailed step-by-step
procedure to reproduce it:
Any OS SSL configuration has a list of CAs. These are used to set up the
SSL communication and verify whether the peer cert can be trusted or not. If
the system CA list changes, this affects subsequent connections.
I found that if I remove or add a CA, the next connections "remember" the
previous CA list for a while (some minutes).

To reproduce the error I tried to connect to
https://qgis.boundlessgeo.com, which is signed by:
"AddTrust CA External CA Root"

By default AddTrust is not present in the Windows CAs. But:
- if it is present, it can be removed using "certmgr.msc"
- if not present, it can be automatically added by the OS just by browsing,
in a Windows keystore-capable browser (not Firefox), the following
link: https://qgis.boundlessgeo.com/plugins/plugins.xml
The OS will check the URL's CA and whether it can be trusted, and
if so, it will be added to the keystore.

PREMISE:
To generate an sslError I used to connect to an erroneous OWS service, e.g.
WMS or WFS. The reason is to use only pure C++ code.

The steps to reproduce the errors are on WIN7 (but should be the same
on any Win OS):
- remove the AddTrust CA if present
- in QGIS, try to connect to
https://qgis.boundlessgeo.com/plugins/plugins.xml using the WMS service
(=> only C++ code)
- => the sslError dialog will be opened. !!! Abort it and do not push the
Ignore button !!!
- load https://qgis.boundlessgeo.com/plugins/plugins.xml in Explorer
and verify that "AddTrust" has been added in certmgr.msc
- execute the following Python code in the console:
  QgsAuthManager.instance().rebuildCaCertsCache()
  QgsAuthManager.instance().rebuildCertTrustCache()
  QgsAuthManager.instance().rebuildTrustedCaCertsCache()
  QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
You can verify that the new CA is updated in QGIS in
Settings->Options->Authentication->Manage Certificates->Authorities
- try to reconnect to
https://qgis.boundlessgeo.com/plugins/plugins.xml using the WMS service
- !!! continuing !!! to have the sslError dialog
- after waiting a while (5'?) I'm able to receive a WMS error => no more sslError

The procedure to reproduce the bug can also be inverted:
- start QGIS with the CA AddTrust installed (no sslError)
- connect to the WMS service
https://qgis.boundlessgeo.com/plugins/plugins.xml => WMS error but no
sslError dialog
- remove AddTrust
- execute the following Python code in the console:
  QgsAuthManager.instance().rebuildCaCertsCache()
  QgsAuthManager.instance().rebuildCertTrustCache()
  QgsAuthManager.instance().rebuildTrustedCaCertsCache()
  QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
You can verify that the CA is removed in QGIS in
Settings->Options->Authentication->Manage Certificates->Authorities
- connect to WMS => still a WMS error but no sslError dialog
- after a while the sslError comes back when connecting to the WMS service

Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS:
https://www.packtpub.com/application-development/mastering-qgis
**************************************************************************************************
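The behaviour reported above (a removed or added CA only taking effect after "some minutes", even after the rebuild*Cache() calls) is the classic difference between a time-based cache refresh and explicit invalidation on store change. The following Python model is an added example written for this page; it is not QGIS or QgsAuthManager code and makes no claim about how QGIS implements its caches. The TrustCache class, the drift() check, the FakeClock, and the CA names in SYSTEM_CAS are all hypothetical constructs; the point is to show why a trust decision made from a stale snapshot keeps trusting a CA that an administrator has already removed, and what a consistency check between the live store and the cached snapshot looks like.

```python
import time

# Constructed sample "system trust store": a set of CA subject names standing
# in for the OS keystore described in the post. The names are sample data.
SYSTEM_CAS = {"Example Root CA 1", "AddTrust External CA Root"}


class TrustCache:
    """Snapshot of a CA store that is refreshed only when its TTL lapses or
    when rebuild() is called. Hypothetical model of the stale-cache behaviour
    reported in the post; not QGIS's QgsAuthManager implementation."""

    def __init__(self, store, ttl_seconds, clock=time.monotonic):
        self._store = store          # live store, mutated by the OS/admin
        self._ttl = ttl_seconds
        self._clock = clock
        self.rebuild()

    def rebuild(self):
        # Explicit invalidation: the role the rebuild*Cache() calls play.
        self._cached = frozenset(self._store)
        self._built_at = self._clock()

    def snapshot(self):
        return self._cached

    def trusted_cas(self):
        # Time-based refresh: models the "some minutes" delay observed.
        if self._clock() - self._built_at >= self._ttl:
            self.rebuild()
        return self._cached

    def is_trusted(self, issuer):
        return issuer in self.trusted_cas()


def drift(cache, store):
    """Report CAs that differ between the live store and the cached snapshot.
    A non-empty result means trust decisions are being made on stale data."""
    live = set(store)
    cached = cache.snapshot()
    return {"added": live - cached, "removed": cached - live}


class FakeClock:
    """Controllable clock so the TTL behaviour can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo(ttl_seconds=300):
    """Walk through the post's two scenarios and return the observations."""
    ca = "AddTrust External CA Root"
    store = set(SYSTEM_CAS)
    clock = FakeClock()
    cache = TrustCache(store, ttl_seconds, clock)
    out = {}

    out["trusted_initially"] = cache.is_trusted(ca)            # True

    store.discard(ca)                                          # CA removed (certmgr)
    out["trusted_after_removal_stale"] = cache.is_trusted(ca)  # True: stale cache
    out["drift_after_removal"] = drift(cache, store)           # removed={ca}

    cache.rebuild()                                            # explicit rebuild
    out["trusted_after_rebuild"] = cache.is_trusted(ca)        # False

    store.add(ca)                                              # CA re-added by the OS
    out["trusted_after_readd_stale"] = cache.is_trusted(ca)    # False: stale again
    clock.advance(ttl_seconds)                                 # wait "a while"
    out["trusted_after_ttl"] = cache.is_trusted(ca)            # True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The drift() check is the part a practitioner can reuse: comparing the live store against the cached snapshot after any change to the keystore tells you immediately whether a rebuild is still pending, instead of waiting for the time-based refresh to reveal it through a missing or spurious sslError dialog.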

