[Qgis-user] WMS via https - "SSL handshake failed"

Larry Shaffer larrys at dakotacarto.com
Thu Jan 5 11:06:48 PST 2017 

Hi John,

On Thu, Jan 5, 2017 at 11:23 AM, John Cartwright <
john.c.cartwright at comcast.net> wrote:

> Thanks.  I used wireshark to trace the session and it appears that QGIS is
> attempting to make the connection with TLSv1 which I think is at least part
> of the problem.
>
> Can either of you tell me what protocol and cipher suites you’re using?
>  what OS you’re running on?  Is there anyway to force QGIS to use a
> different protocol?
>

In Options -> Authentication -> Manage Certificates -> Servers, which is
where SSL Server configurations are listed after they are optionally
created in the SSL Error dialog. In an SSL Server configuration, you can
set the protocol, though I am unsure why you would *not* want to use TLSv1,
since the SSLv2|3 protocols have known vulnerabilities.

http://drive.dakotacarto.com/qgis/qgis2-ssl-protocols.png

Cipher suites are a bit harder to manage. Although one could use
QSslConfiguration::setCiphers(), this is not supported in QGIS's SSL server
configurations [0]. I believe you would need to do this via OpenSSL
configuration.

[0] http://doc.qt.io/qt-4.8/qsslconfiguration.html#setCiphers

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Thanks!
>
> —john
>
> On Jan 4, 2017, at 1:59 AM, Pasquale Di Donato <
> pasquale.didonato at gmail.com> wrote:
>
> Hi John,
>
> I can access your service too. Using QGIS 2.14.8.
> Maybe you have an issue with a proxy?
>
> Pasquale
>
> On Wed, Jan 4, 2017 at 12:57 AM, Jorge Gustavo Rocha <jgr at di.uminho.pt>
> wrote:
>
>> Hi John,
>>
>> I've added your WMS service and it works without any problem. I've just
>> added the url and the connect works. The capabilities are displayed.
>>
>> You can check the print screen [1] with your https WMS layer.
>>
>> I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
>>
>> Regards,
>>
>> Jorge Gustavo
>>
>> [1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
>>
>>
>> Às 17:42 de 03-01-2017, John Cartwright escreveu:
>>
>>> Thanks for your reply Luigi!  To be clear, the WMS service that I’m
>>> trying to connect to does not require a username/password but is only
>>> available via https.  The server (https://maps.ngdc.noaa.gov) has a
>>> valid CA certificate.  I tried adding a SSL Server Configuration
>>>  (preferences -> authentication -> Manage Certificates -> Server) and
>>> while the entry appears to be valid, I still get the SSL Handshake error
>>> when trying add a WMS layer.
>>>
>>> Any further ideas?  Here’s the actual URL I’m trying to add:
>>>
>>> https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade
>>> /MapServer/WMSServer?request=GetCapabilities&service=WMS
>>>
>>> Thanks again for your help!
>>>
>>> —john
>>>
>>>
>>> On Jan 2, 2017, at 1:52 AM, Luigi Pirelli <luipir at gmail.com
>>>> <mailto:luipir at gmail.com>> wrote:
>>>>
>>>> Hi John
>>>>
>>>> SSL is managed storing credentials using the QGIS Authentication
>>>> Manager that store credentials in the same way as Firefox, in a master
>>>> pwd crypted store in your $home/.qgis2/qgis-auth.db.
>>>> You should managed credentials using Settings->options->authentication.
>>>>
>>>> QGIS uses OpenSSL => and specifically can import different king of
>>>> credential method (using plugins => can be expanded). De default auth
>>>> method installed are listed in the documentation:
>>>> https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/a
>>>> uth_overview.html
>>>>
>>>> what is you auth method? can you explain the workflow you followed to
>>>> store and use your credentials?
>>>>
>>>> regards
>>>> Luigi Pirelli
>>>>
>>>> ************************************************************
>>>> **************************************
>>>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
>>>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
>>>> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
>>>> * GitHub: https://github.com/luipir
>>>> * Mastering QGIS 2nd Edition:
>>>> *
>>>> https://www.packtpub.com/big-data-and-business-intelligence/
>>>> mastering-qgis-second-edition
>>>> ************************************************************
>>>> **************************************
>>>>
>>>>
>>>> On 29 December 2016 at 22:38, John Cartwright
>>>> <john.c.cartwright at comcast.net> wrote:
>>>>
>>>>> Hello All,
>>>>>
>>>>> I’m trying to use a WMS service over https and get the following
>>>>> error when trying to connect:
>>>>>
>>>>> Failed to download capabilities:
>>>>> Download of capabilities failed: SSL handshake failed
>>>>>
>>>>> The URL works fine in a browser though.  I’m guessing that QGIS and
>>>>> the server are not able to agree on a cipher suite.  Can anyone tell
>>>>> me what ciphers QGIS supports or any way to get more insight into the
>>>>> underlying problem?
>>>>>
>>>>> QGIS is version 2.18.2.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> —john
>>>>>
>>>>> _______________________________________________
>>>>> Qgis-user mailing list
>>>>> Qgis-user at lists.osgeo.org
>>>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> Qgis-user mailing list
>>> Qgis-user at lists.osgeo.org
>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>>
>>>
>> J. Gustavo
>> --
>> Jorge Gustavo Rocha
>> Departamento de Informática
>> Universidade do Minho
>> 4710-057 Braga
>> Tel: +351 253604480
>> Fax: +351 253604471
>> Móvel: +351 910333888
>> skype: nabocudnosor
>>
>>
>> _______________________________________________
>> Qgis-user mailing list
>> Qgis-user at lists.osgeo.org
>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>>
>
> _______________________________________________
> Qgis-user mailing list
> Qgis-user at lists.osgeo.org
> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>
>
>
> _______________________________________________
> Qgis-user mailing list
> Qgis-user at lists.osgeo.org
> List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20170105/7f952b59/attachment.html>

More information about the Qgis-user mailing list