[Qgis-developer] QGIS Server - SSL handshake failed for cascading WMS

Neumann, Andreas a.neumann at carto.net
Tue Jan 31 07:16:22 PST 2017


Hi Larry, 

Thank you for your reply! 

It is actually a chain with an intermediate CA. So maybe I just hit the
issue you also discovered? 

It is about this URL/certificate: https://services.geo.zg.ch/ 

Root CA: SwissSign Silver G2 Root CA
Intermediate CA: Swiss Sign Silver CA 2014 - G22
SSL Certificate: services.geo.zg.ch 

So I will try to have a look at the workaround or fall back to http only
- because I can control both servers. 

Thanks, 

Andreas 

On 2017-01-27 21:49, Larry Shaffer wrote:

> Hi Andreas, 
> 
> On Fri, Jan 27, 2017 at 8:48 AM, Neumann, Andreas <a.neumann at carto.net> wrote:
> 
>> Some more information on my server: 
>> 
>> Linux CentOS7 
>> 
>> qt 4.8.5 
>> 
>> The server only allows tls connections, no SSLv2/3 or such vulnerable stuff. Perhaps qt is too old to properly support tls ciphers? 
>> 
>> Can I add an SSL "do not check exception" for specific connections of QGIS server? 
>> 
>> If yes - how would I configure that for QGIS server?
> 
> Qt 4.8 can definitely use TLS, and can be configured (in an SSL Server configuration) to connect to the WMS endpoint how you feel is appropriate, including ignoring specific SSL errors. This assumes you are cascading by configuring a QGIS project with a WMS layer and then, in turn, serving again via WMS through QGIS Server. If so, you should be able to use the authentication system to solve the connection issues. However, you will need to have the authentication database available to QGIS Server as well, via env variable, because the SSL Server configurations are stored in it. 
> 
> Recently (last week), I noticed a possible bug in the auth system whereby the SSL endpoint connected to will throw an SSL error when the endpoint has intermediate certificates that are not stored in QGIS's Authorities tab. Usually, validation would not check for trust of intermediates, only whether a given cert in the chain is valid for the particular use and the eventual trustworthiness of its root Certificate Authority. Essentially, any intermediates need to be trusted as roots CAs until this is fixed. 
> 
> In this case, for a workaround, you will need to either add the intermediate certificates to OpenSSL's referenced trusted roots file/directory, or add them to your Authorities tab in QGIS (which adds them to the authentication database as trusted, by default) then ensure the auth database can be used by QGIS Server for the project. 
> 
> I would need to know more about your particular SSL setup to give any further suggestions here. Unfortunately, "SSL handshake failed" is too vague, and I am only guessing at the problem above. 
> 
> Regards, 
> 
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota 
> 
> Thanks for any hints, 
> 
> Andreas
> 
> On 2017-01-27 16:31, Neumann, Andreas wrote: 
> 
> Hi, 
> 
> I want to use a cascading WMS in QGIS server. I know it is not ideal, performance wise, but it would be only for printing. 
> 
> Problem is that the WMS uses https and QGIS server can't connect. The QGIS server log shows a connect error: 
> 
> Download of capabilities failed: SSL handshake failed 
> 
> curl or wget on the same server works fine with the same ssl connection. 
> 
> Anyone knows how I can overcome this SSL handshake issue? Do I need to set up a separate certificate chain for QGIS server? I hope not ... 
> 
> Thanks for any hints, 
> 
> Andreas
> 
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer [1]
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer [1] 

Links:
------
[1] https://lists.osgeo.org/mailman/listinfo/qgis-developer
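The chain-validation behaviour Larry describes above (a validator that trusts only the root fails unless the intermediate is either supplied during the handshake or itself placed in the trust store) can be reproduced with a throwaway CA hierarchy. The script below is an added example written for this page; it is not code from the thread posters or from the QGIS project, it does not touch the QGIS authentication database, and it only needs the openssl CLI. The CA names, the hostname wms.example.test and the temporary directory are constructed for the demo; none of them are the zg.ch certificates discussed above.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a constructed
# root -> intermediate -> server chain and show the three validation
# outcomes discussed in the thread. Requires the openssl command.

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: one CA extension section, one server-leaf section.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:wms.example.test
EOF

# Self-signed root CA (constructed name, stands in for a public root).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Test Root CA" -config "$CFG" -extensions v3_ca \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -config "$CFG" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$CFG" -extensions v3_ca \
  -out "$WORK/int.crt" 2>/dev/null

# Server (leaf) certificate signed by the intermediate, as a WMS host would have.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wms.example.test" \
  -config "$CFG" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$CFG" -extensions v3_leaf \
  -out "$WORK/leaf.crt" 2>/dev/null

# Case 1: the validator trusts only the root and never sees the intermediate.
# This is the "unable to get local issuer certificate" situation behind a
# bare "SSL handshake failed".
verify_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Case 2: the intermediate is offered as an untrusted chain element, which is
# what a correctly configured TLS server sends during the handshake.
verify_with_untrusted_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Case 3: the workaround from the thread: the intermediate is added to the
# trust store alongside the root (the equivalent of QGIS's Authorities tab).
verify_with_trusted_intermediate() {
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/trusted.pem"
  openssl verify -CAfile "$WORK/trusted.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

report() {
  if "$1"; then echo "$1: OK"; else echo "$1: FAILED (chain could not be built)"; fi
}
report verify_root_only
report verify_with_untrusted_intermediate
report verify_with_trusted_intermediate
```

Case 1 fails and cases 2 and 3 succeed. Against a real endpoint, the same distinction can be drawn with the openssl client: if curl and wget succeed but a client that only loads the root store fails, the practical question is whether the server sends its intermediate and whether the client library actually loads the system trust store, which is the gap Larry's workaround papers over.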