[Qgis-developer] QGIS Server - SSL handshake failed for cascading WMS

Larry Shaffer larrys at dakotacarto.com
Fri Jan 27 12:49:59 PST 2017


Hi Andreas,

On Fri, Jan 27, 2017 at 8:48 AM, Neumann, Andreas <a.neumann at carto.net>
wrote:

> Some more information on my server:
>
> Linux CentOS7
>
> qt 4.8.5
>
> The server only allows tls connections, no SSLv2/3 or such vulnerable
> stuff. Perhaps qt is too old to properly support tls ciphers?
>
> Can I add an SSL "do not check exception" for specific connections of QGIS
> server?
>
> If yes - how would I configure that for QGIS server?
>

Qt 4.8 can definitely use TLS, and can be configured (in a SSL Server
configuration) to connect to the WMS endpoint how you feel is appropriate,
including ignoring specific SSL errors. This assumes you are cascading by
configuring a QGIS project with a WMS layer and then, in turn, serving
again via WMS through QGIS Server. If so, you should be able to use the
authentication system to solve the connection issues. However, you will
need to have the authentication database available to QGIS Server as well,
via env variable, because the SSL Server configurations are stored in it.

Recently (last week), I noticed a possible bug in the auth system whereby
the SSL endpoint connected to will throw an SSL error when the endpoint has
intermediate certificates that are not stored in QGIS's Authorities tab.
Usually, validation would not check for trust of intermediates, only
whether a given cert in the chain is valid for the particular use and the
eventual trustworthiness of its root Certificate Authority. Essentially,
any intermediates need to be trusted as root CAs until this is fixed.

In this case, for a workaround, you will need to either add the
intermediate certificates to OpenSSL's referenced trusted roots
file/directory, or add them to your Authorities tab in QGIS (which adds
them to the authentication database as trusted, by default) then ensure the
auth database can be used by QGIS Server for the project.

I would need to know more about your particular SSL setup to give any
further suggestions here. Unfortunately, "SSL handshake failed" is too
vague, and I am only guessing at the problem above.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Thanks for any hints,
>
> Andreas
>
> On 2017-01-27 16:31, Neumann, Andreas wrote:
>
> Hi,
>
> I want to use a cascading WMS in QGIS server. I know it is not ideal,
> performance-wise, but it would be only for printing.
>
> Problem is that the WMS uses https and QGIS server can't connect. The QGIS
> server log shows a connect error:
>
> Download of capabilities failed: SSL handshake failed
>
> curl or wget on the same server works fine with the same ssl connection.
>
> Anyone knows how I can overcome this SSL handshake issue? Do I need to set
> up a separate certificate chain for QGIS server? I hope not ...
>
> Thanks for any hints,
>
> Andreas
>
>
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
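
The difference between normal chain validation and the workaround described in the reply above, shown with the `openssl` command line as an added example (not part of the original thread and not QGIS code). It assumes `openssl` is installed; the three-certificate chain, its names and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root CA -> Demo Intermediate CA -> leaf.
# Every name, file and helper here is made up for this example.

issue() {  # $1 dir, $2 new cert name, $3 subject, $4 issuer name, $5 ext section
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial 1 -days 2 -extfile "$1/demo.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

make_chain() {  # $1 = working directory
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root, then intermediate (signed by root), then leaf.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" inter "/CN=Demo Intermediate CA" root v3_ca &&
    issue "$1" leaf "/CN=wms.example.test" inter v3_leaf &&
    cat "$1/root.pem" "$1/inter.pem" > "$1/root_plus_inter.pem"
}

check() {  # $1 dir, $2 trust file, optional $3 untrusted chain file
    if openssl verify -CAfile "$1/$2" ${3:+-untrusted "$1/$3"} "$1/leaf.pem" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_chain "$work" || { echo "openssl setup failed" >&2; exit 1; }
# 1. Only the root is trusted and no intermediate is available: fail.
echo "root only:              $(check "$work" root.pem)"
# 2. Normal validation: intermediate supplied as untrusted chain material: ok.
echo "root + sent chain:      $(check "$work" root.pem inter.pem)"
# 3. The workaround: intermediate placed in the trusted file itself: ok.
echo "root + inter trusted:   $(check "$work" root_plus_inter.pem)"
```

Case 2 is the behaviour the reply calls usual (only the root needs to be trusted); case 3 corresponds to adding the intermediates to the trusted roots file.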