Feature request #15617

QGIS/Qt does not trigger auto-import of Windows root Certificate Authorities

Added by Luigi Pirelli over 7 years ago. Updated almost 7 years ago.

Status: Open
Priority: Normal
Assignee: Larry Shaffer
Category: Authentication system
Pull Request or Patch supplied: No
Resolution:
Easy fix?: No
Copied to github as #: 23540

Description

The following steps demonstrate that QGIS/Qt is not able to trigger auto-importing of trusted root CAs by the Windows OS, since OpenSSL is used and not the appropriate Win Crypto API calls.

To verify, the procedure is:
  1. Open the Windows certificate manager application (certmgr.msc) and remove the "AddTrust External CA Root" certificate if it exists (Note: removal is not detrimental to the Win OS, as this CA is not generally installed with a fresh copy of the OS, and it can readily be re-imported)
  2. Leave the certificate manager open
  3. Open QGIS and add the following plugin repo https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (this is for testing only, because the endpoint is known to exhibit the issue; other general, non-plugin-repo SSL endpoints may as well)
  4. Reload plugin repos
  5. Confirm loading the new repo URL generates an SSL Error dialog indicating a missing root CA. Because boundlessgeo.com's SSL certificate is signed by "AddTrust External CA Root" the error should be produced. (Do not ignore or save an override configuration for this error, but abort the error to avoid the connection from being cached)
  6. Open a Web browser based upon native APIs for interacting with the Win keystore, e.g. Chrome, Edge or Internet Explorer (not Firefox, since it has its own internal keystore)
  7. Go to the link https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (automatically the Windows OS should install the "AddTrust External CA Root" certificate, in the background, since it is from Comodo, a partner of the Trusted Root Certificate program hosted by Microsoft: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx )
  8. Refresh the certificate manager list of CAs to verify that "AddTrust External CA Root" has been added automatically (see screen shot attachment for Win 10)
  9. WITHOUT closing QGIS, repeat reloading of the plugin repos
  10. Confirm the same SSL error, and clicking on button "Connection trusted CAs" does not list the "AddTrust External CA Root" cert. Qt is not synched with current status/changes of the Win OS keystore. (NOTE: this is currently expected behavior, as the trusted root CA is not continuously updated by QgsAuthManager, though it should be updated in this circumstance)
  11. Relaunch QGIS
  12. Verify the plugin repo connection now produces no SSL error, as the Win OS CA trusted root list has been synchronized and cached on QGIS startup and the "AddTrust External CA Root" cert is now available.

This shows the following issues that need to be addressed:

  • QgsAuthManager needs to update its cache whenever the Win OS keystore's trusted root CAs change (Qt may already do this, but QgsAuthManager only caches the keystore query of the root CAs on QGIS startup, or when one is added via the GUI in QGIS's Certificate Manager)
  • Connecting to an endpoint in QGIS/Qt that should trigger the Win OS to auto-import the needed CA does not. This would happen if using a normal Web browser built upon Win Crypto API calls.

Proposed solutions:

  • For QgsAuthManager, do quick comparison of Qt-provided root CAs against those that are cached, inside of QgsNetworkAccessManager. Update QgsAuthManager's cache as needed.
  • When SSL error dialog is presented on Windows, and the error(s) contains "missing root CA", add a notification in the dialog that simply explains the issue and offers the user a link or button to open the same URL in the default browser, which would possibly auto-import the root CA (but not if the browser is Firefox). This may be an easier fix than trying to programmatically call the Win Crypto API to possibly auto-update the missing root CA and reattempt the connection.

qgis-trusted-cas-cached.png (448 KB) Larry Shaffer, 2016-09-26 09:22 AM
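
A sketch of the first proposed solution above (re-query the OS root store and compare it with the cached set), added here as an example; it is not QGIS or Qt code. `RootCaCache` and its method names are hypothetical, and the sample store entries are constructed byte strings standing in for DER certificates. It addresses only the stale cache, not triggering the Windows auto-import.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding identifies a certificate in the cache."""
    return hashlib.sha256(der).hexdigest()


def windows_root_store() -> list:
    """DER certificates in the Windows ROOT store (empty list off Windows)."""
    if not hasattr(ssl, "enum_certificates"):  # only defined on Windows
        return []
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT")
            if enc == "x509_asn"]


class RootCaCache:
    """Hypothetical stand-in for a root CA cache that is filled at startup."""

    def __init__(self, provider=windows_root_store):
        self._provider = provider
        self._certs = {}
        self.refresh()

    def refresh(self):
        """Re-query the store; return (added, removed) fingerprint lists."""
        current = {fingerprint(der): der for der in self._provider()}
        added = sorted(current.keys() - self._certs.keys())
        removed = sorted(self._certs.keys() - current.keys())
        self._certs = current  # roots deleted from the OS store are dropped too
        return added, removed

    def trusts(self, der: bytes) -> bool:
        return fingerprint(der) in self._certs

    def retry_after_missing_root(self) -> bool:
        """On a 'missing root CA' error, retry only if the store gained roots."""
        added, _removed = self.refresh()
        return bool(added)


def simulate_ticket_scenario():
    """Steps 5-10 of the ticket, with constructed placeholder 'certificates'."""
    store = [b"constructed-root-A", b"constructed-root-B"]
    cache = RootCaCache(lambda: list(store))
    before = cache.trusts(b"constructed-root-C")   # step 5: root not trusted
    store.append(b"constructed-root-C")            # steps 6-8: OS imports it
    retry = cache.retry_after_missing_root()       # step 10, without restart
    return before, retry, cache.trusts(b"constructed-root-C")
```

Because `refresh()` replaces the cached set rather than only adding to it, a root removed from the OS store stops being trusted at the next refresh instead of at the next restart.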

History

#1 Updated by Giovanni Manghi over 7 years ago

  • Subject changed from QGIS/QT Does not update list of Trusted CAs => need qgi srestart to QGIS/QT Does not update list of Trusted CAs => need QGIS srestart

#2 Updated by Giovanni Manghi over 7 years ago

  • Subject changed from QGIS/QT Does not update list of Trusted CAs => need QGIS srestart to QGIS/QT Does not update list of Trusted CAs => need QGIS restart

#3 Updated by Jürgen Fischer over 7 years ago

  • Project changed from QGIS Redmine (QGIS bug tracker) to QGIS Application

#4 Updated by Giovanni Manghi over 7 years ago

  • Assignee set to Larry Shaffer

#5 Updated by Larry Shaffer over 7 years ago

  • Target version set to Version 2.18
  • Category set to Authentication system

#6 Updated by Larry Shaffer over 7 years ago

  • Subject changed from QGIS/QT Does not update list of Trusted CAs => need QGIS restart to QGIS/Qt does not trigger auto-import of Windows root Certificate Authorities

#8 Updated by Larry Shaffer over 7 years ago

Regarding the qgis-trusted-cas-cached.png attachment. The left part of the image shows the default trusted root CAs for a fresh install of Windows 10, plus the "AddTrust External CA Root" certificate that was added automatically by the Win OS via its hosted Trusted Root Certificate program.

#9 Updated by Luigi Pirelli over 7 years ago

during dev I found a possible bug reported in #15687

#10 Updated by Luigi Pirelli over 7 years ago

I didn't find any solution to #15687 => the only way to reload ssl CA cache without waiting some minutes for the update is to re-start qgis!

#11 Updated by Luigi Pirelli over 7 years ago

I'll prepare a PR from the following branch:

https://github.com/boundlessgeo/qgis/tree/CAs_import_via_keystore

the fix is applicable only on Windows. No CA problems found on linux and mac.

#12 Updated by Luigi Pirelli over 7 years ago

just waiting to have a UX review before creating the PR

#13 Updated by Luigi Pirelli over 7 years ago

a screencast to show how the interface works
https://youtu.be/pN30XE7r7_k

#15 Updated by Luigi Pirelli over 7 years ago

fix only for 2.14 and release-2_18 because probably the issue is not present in qgis3 due to the different ssl infrastructure offered by qt5

#16 Updated by Giovanni Manghi almost 7 years ago

  • Easy fix? set to No
