Bug report #13471
SSL error(s) on What's New web page load
| Affected QGIS version: | master | Regression?: | No |
| Operating System: | | Easy fix?: | No |
| Pull Request or Patch supplied: | No | Resolution: | |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 21518 |
For some reason, the Qt application trusted Certificate Authorities are not being loaded into the QgsWebPage upon requests, resulting in:
https://www.google.com/jsapi Unable To Get Local Issuer Certificate... Certificate Untrusted...
Started happening after the proxy support, i.e. using QgsNetworkAccessManager, was added to the new welcome page.
Setting the SSL cert exception is a workaround, but should not be needed. It appears that no trusted Certificate Authorities are being added to the QgsWebView requests. This is very odd, especially because if you inspect the certificate chain and trusted certs from within the SSL error dialog everything is there. I even tried adding the specific cert authorities to QGIS's new cert manager, with no luck.
Next I tried commenting out the QNetworkRequest hack in QgsNetworkAccessManager for HTTPS requests, but that had no effect either.
It seems that the QWebPage requests are maybe in a different thread and the SSL errors, as handled by the QgisApp, are just a response to a signal, but not being honored in the calling thread. Still it doesn't explain why the CAs are not being passed to the QgsWebView to begin with.
#2 Updated by Larry Shaffer over 4 years ago
- File cert-authority-test.py added
While the web page exhibiting the issue has been removed from master, the issue still stands: https://www.google.com/jsapi does not have its certificate chain validated properly.
Initially, I thought it was related to the new authentication system (and spent a bunch of effort trying to find how it affected SSL cert chain validation), but it is not related to the new auth system at all. I wrote a small PyQt4 script (attached cert-authority-test.py) to test both QWebPage outside of QGIS's custom implementation of both.
- Running the script shows a valid HTTPS result for the 'https://qgis.org/version.txt' URL.
- Comment out the url = 'https://qgis.org/version.txt' line and rerun script. Results in SSL errors for 'https://www.google.com/jsapi'.
You can play around with the script a bit:
wv.page().setNetworkAccessManager(nam) line to test setting an outside manager. Same result as internal manager: SSL errors for 'https://www.google.com/jsapi'.
- Comment out all lines that start with 'wv' and uncomment the nam.sslErrors ... block. Shows same result if calling QNetworkAccessManager: SSL errors for 'https://www.google.com/jsapi'.
Essentially, Qt4 certificate chain validation has an issue with this particular chain. I tried doing all the chain validation through QCA and ended up with the same errors. If I were to guess, both Qt4 and QCA have issues validating an SSL cert chain which contains a cert with an Elliptic Curve Public Key, which https://www.google.com uses.
Could be that Qt5 has this issue fixed (untested).
#3 Updated by Matthias Kuhn over 4 years ago
No error for me on Fedora / QGIS 2.10.1 libs.
I also did not get this error on app startup with current master. Basically SSL certificate verification seems to work perfectly fine.
url = 'https://tv.eurosport.com/' shows an SSL error; I used this to check that checks are actually performed.
Qt version: 4.8.6
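
Added example, not part of the original thread and not the attached cert-authority-test.py: a way to tell a missing trust anchor apart from a key-type problem when the "unable to get local issuer certificate" error quoted in the report appears. It assumes the openssl command-line tool (the thread itself only uses Qt4 and QCA); every file name, subject and certificate below is constructed, and the chain uses EC keys throughout.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed.
# Assumes the openssl command-line tool is installed.

# build_chain DIR: EC P-256 root, an unrelated EC root, and a leaf signed by the first.
build_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for n in root other leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" || return 1
    done
    for n in root other; do
        openssl req -x509 -new -config "$d/ca.cnf" -key "$d/$n.key" \
            -subj "/CN=Constructed $n CA" -days 1 -out "$d/$n.pem" || return 1
    done
    openssl req -new -config "$d/ca.cnf" -key "$d/leaf.key" \
        -subj "/CN=leaf.example" -out "$d/leaf.csr" || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# classify CAFILE CERT: print trusted, missing-issuer, or other-error.
classify() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *": OK"*) echo trusted ;;
        *) echo other-error ;;
    esac
}

# key_alg CERT: print the certificate's public key algorithm.
key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p'
}

demo=$(mktemp -d) && build_chain "$demo" && {
    echo "leaf key:            $(key_alg "$demo/leaf.pem")"
    echo "issuer in store:     $(classify "$demo/root.pem" "$demo/leaf.pem")"
    echo "issuer not in store: $(classify "$demo/other.pem" "$demo/leaf.pem")"
}
rm -rf "$demo"
```

If an EC chain classifies as trusted here when its issuer is supplied, but the same chain still fails in the application, the trust store handed to the application's TLS layer is the next thing to compare.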