[Qgis-developer] SSL error on QGIS startup

Larry Shaffer larrys at dakotacarto.com
Sat Oct 3 10:47:46 PDT 2015


Hi,

On Fri, Oct 2, 2015 at 12:07 AM, Andreas Neumann <a.neumann at carto.net>
wrote:

> Hi,
>
> Since the integration of the new authentication system from Larry I am now
> getting an SSL error on Startup. See
> http://www.carto.net/neumann/temp/qgis_startup_ssl_error.png
>
> I have no idea what it means and what I can do in order to get rid of this
> error message.
>

This is not related to the new authentication system, though I thought that
was the case for a while and spent a bunch of effort trying to fix it. See
issue http://hub.qgis.org/issues/13471 for a script showing it is an issue
with some certificate chain validations and Qt4.

I think the issue started when QgsNetworkAccessManager was added for proxy
support to the Welcome page. Before that the Welcome page's access manager
did not have its sslErrors() signal connected to the QGIS app SSL error
dialog slot. (On Mac, the page didn't even load until the manager was
added.) There were a couple of days it was connected, then the new auth
system was merged and the dialog significantly changed, i.e. it looked like
the auth system merge caused the issue.

In the future, there are workarounds for the https://*google.com cert chain
in network access:

* Save an SSL configuration with 'Do not verify peer certs' set for 'Peer
validation' section (works on all platforms)
* Copy API script to source tree or remote server where calling page resides
* Use http:// instead of https:// to access the Google API script, though
this is not a good approach security-wise

Untested whether this is possibly fixed with Qt5.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Does it mean that the connection to https://www.google.com/jsapi is not
> secure? Is QGIS now contacting a Google server at each startup?
>
> Thank you for any hint about this error message.
>
> Andreas