Feature request #15617
QGIS/Qt does not trigger auto-import of Windows root Certificate Authorities
|Pull Request or Patch supplied:
|Copied to github as #:
The following steps demonstrate that QGIS/Qt is not able to trigger auto-importing of trusted root CAs by the Windows OS. Since OpenSSL is used and not the appropriate Win Crypto API callsTo verify, the procedure is:
- Open the Windows certificate manager application (certmgr.msc) and remove the "AddTrust External CA Root" certificate if it exists (Note: removal is not detrimental to the Win OS, as this CA is not generally installed with a fresh copy of the OS, and it can readily be re-imported)
- Leave the certificate manager open
- Open QGIS and add the following plugin repo https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (this is for testing only, because the endpoint is known to exihibt the issue; other general, non-plugin-repo SSL endpoints may as well)
- Reload plugin repos
- Confirm loading the new repo URL generates an SSL Error dialog indicating a missing root CA. Because boundlessgeo.com's SSL certificate is signed by "AddTrust External CA Root" the error should be produced. (Do not ignore or save an override configuration for this error, but abort the error to avoid the connection from being cached)
- Open a Web browser based upon native APIs for interacting with the Win keystore, e.g. Chrome , Edge or Internet Explorer (not Firefox, since it has its own internal keystore)
- Go to the link https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (automatically the Windows OS should install the "AddTrust External CA Root" certificate, in the background, since it is from Comodo, a partner of the Trusted Root Certificate program hosted by Microsoft: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx )
- Refresh the certificate manager list of CAs to verify that "AddTrust External CA Root" has been added automatically (see screen shot attachment for Win 10)
- WITHOUT closing QGIS, repeat reloading of the plugin repos
- Confirm the same SSL error, and clicking on button "Connection trusted CAs" does not list the "AddTrust External CA Root" cert. Qt is not synched with current status/changes of the Win OS keystore. (NOTE: this is currently expected behavior, as the trusted root CA is not continuously updated by QgsAuthManager, though it should be updated in this circumstance)
- Relaunch QGIS
- Verify the plugin repo connection now produces no SSL error, as the Win OS CA trusted root list has be synchronized and cached on QGIS startup and the "AddTrust External CA Root" cert is now available.
This shows the following issues that need addressed:
- QgsAuthManager needs to update its cache whenever the Win OS keystore's trusted root CAs change (Qt may already do this, but QgsAuthManager only caches the keystore query of the root CAs on QGIS startup, or when one is added via the GUI in QGIS's Certificate Manager)
- Connecting to an endpoint in QGIS/Qt that should trigger the Win OS to auto-import the needed CA does not. This would happen if using a normal Web browser built upon Win Crypto API calls.
- For QgsAuthManager, do quick comparison of Qt-provided root CAs against those that are cached, inside of QgsNetworkAccessManager. Update QgsAuthManager's cache as needed.
- When SSL error dialog is presented on Windows, and the error(s) contains "missing root CA", add a notification in the dialog that simply explains the issue and offers the user a link or button to open the same URL in the default browser, which would possibly auto-import the root CA (but not if the browser is Firefox). This may be an easier fix than trying to programmatically call the Win Crypto API to possibly auto-update the missing root CA and reattempt the connection.
#8 Updated by Larry Shaffer over 7 years ago
Regarding the qgis-trusted-cas-cached.png attachment. The left part of the image shows the default trusted root CAs for a fresh install of Windows 10, plus the "AddTrust External CA Root" certificate that was added automatically by the Win OS via its hosted Trusted Root Certificate program.
#11 Updated by Luigi Pirelli over 7 years ago
I'll prepare a PR from the following branch:
the fix is applicable only on Windows. No CA problems found on linux and mac.