Bug report #13471

SSL error(s) on What's New web page load

Added by Larry Shaffer over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: High
Assignee: Larry Shaffer
Category: Authentication system
Affected QGIS version: master
Regression?: No
Operating System:
Easy fix?: No
Pull Request or Patch supplied: No
Resolution:
Crashes QGIS or corrupts data: No
Copied to github as #: 21518

Description

For some reason, the Qt application trusted Certificate Authorities are not being loaded into the QgsWebPage upon requests, resulting in:

https://www.google.com/jsapi
Unable To Get Local Issuer Certificate...
Certificate Untrusted...

Started happening after the proxy support, i.e. using QgsNetworkAccessManager, was added to the new welcome page.

Setting the SSL cert exception is a workaround, but should not be needed. It appears that no trusted Certificate Authorities are being added to the QgsWebView requests. This is very odd, especially because if you inspect the certificate chain and trusted certs from within the SSL error dialog everything is there. I even tried adding the specific cert authorities to QGIS's new cert manager, with no luck.

Next I tried commenting out the QNetworkRequest hack in QgsNetworkAccessManager for HTTPS requests, but that had no effect either.

It seems that the QWebPage requests are maybe in a different thread and the SSL errors, as handled by the QgisApp, are just a response to a signal, but not being honored in the calling thread. Still it doesn't explain why the CAs are not being passed to the QgsWebView to begin with.

cert-authority-test.py (1.04 KB) Larry Shaffer, 2015-10-03 10:18 AM

Associated revisions

Revision 95c377a6
Added by Matthias Kuhn over 8 years ago

Remove news feed tab from start page

Fix #13497
Fix #13471

History

#1 Updated by Anonymous over 8 years ago

  • Status changed from Open to Closed

#2 Updated by Larry Shaffer over 8 years ago

While the web page exhibiting the issue has been removed from master, the issue still stands: https://www.google.com/jsapi does not have its certificate chain validated properly.

Initially, I thought it was related to the new authentication system (and spent a bunch of effort trying to find how it affected SSL cert chain validation), but it is not related to the new auth system at all. I wrote a small PyQt4 script (attached cert-authority-test.py) to test both QNetworkAccessManager and QWebPage outside of QGIS's custom implementation of both.

Try:

  • Running the script shows a valid HTTPS result for the 'https://qgis.org/version.txt' URL.
  • Comment out the url = 'https://qgis.org/version.txt' line and rerun the script. Results in SSL errors for 'https://www.google.com/jsapi'.

You can play around with the script a bit:

  • Uncomment wv.page().setNetworkAccessManager(nam) line to test setting an outside manager. Same result as internal manager: SSL errors for 'https://www.google.com/jsapi'.
  • Comment out all lines that start with 'wv' and uncomment the nam.sslErrors ... block. Shows same result if calling get() on QNetworkAccessManager: SSL errors for 'https://www.google.com/jsapi'.

Essentially, Qt4 certificate chain validation has an issue with this particular chain. I tried doing all the chain validation through QCA and ended up with the same errors. If I were to guess, both Qt4 and QCA have issues validating an SSL cert chain which contains a cert with an Elliptic Curve Public Key, which https://www.google.com uses.

Could be that Qt5 has this issue fixed (untested).

#3 Updated by Matthias Kuhn over 8 years ago

No error for me on Fedora / QGIS 2.10.1 libs.

I also did not get this error on app startup with current master. Basically SSL certificate verification seems to work perfectly fine.

Adding url = 'https://tv.eurosport.com/' shows an SSL error; I used this to check that checks are actually performed.

Qt version: 4.8.6
