Bug report #15687
Updated by Giovanni Manghi over 7 years ago
I found a misalignement in SSL Root Certificate Authorities (CAs) caching at least in WIN. This bug has been found developing a solution to #15617
ABSTRACT
A brief description of the bug(?) and after a detailed step procedure to reproduce it:
Any SO has a SSL conf has a list of CAs. These are used to setup the ssl communication to verify if peer cert can be trusted or not. If the system CAs list change this would affect the subsequent connection.
I found that if I remove or add a CA, next connections "remember" the previous CA list for a while (some minutes).
to reproduce the error I tried to connect to https://qgis.boundlessgeo.com that is signed by:
"AddTrust CA External CA Root"
By default AddTrust is not present in Windows CAs. But.
* if it is present it can be removed using "certmgr.msc"
* if not present y can be automatically added by OS just browsing in a windows keystore capable browser (no Firefox) the following link: https://qgis.boundlessgeo.com/plugins/plugins.xml
The OS will check the URL CA and will check if it can be trusted, and if so, it will be added in the keystore.
PREMISE:
To generate sslError I ued to connect to a erroneous OWS service, eg WMS or WFS. The reason is to use only pure c++ code.
The steps to reproduce the errors are on WIN7 (but should be the same on any win OS):
* remove AddTrust CA if present
* in QGIS trying to connect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service (=> only c++ code)
* => sslError dialog will be opened. !!! Abort it and not push the Ignore button !!!
* load https://qgis.boundlessgeo.com/plugins/plugins.xml in Explorer and verify that "AddTrust" has been added in certmgr.msc
* executing the following python code in console
<pre>
QgsAuthManager.instance().rebuildCaCertsCache()
QgsAuthManager.instance().rebuildCertTrustCache()
QgsAuthManager.instance().rebuildTrustedCaCertsCache()
QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
</pre>
You can verify that new CA is updated in qgis in settings->options->authentication->Manage Certificates->Authorities
* tried to reconnect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service
* !!!continuing!!! to have sslError dialog
* waiting a while (5'?) I'm able to receive a WMS error => no more sslError
The procedure to reproduce the bug can be also inverted:
# started qgis having the CA AddTrust installed (no sslerror)
# connect to wms service https://qgis.boundlessgeo.com/plugins/plugins.xml => wms error but not sslError dialog
# removed AddTrust
# executed the following python code in console
<pre>
QgsAuthManager.instance().rebuildCaCertsCache()
QgsAuthManager.instance().rebuildCertTrustCache()
QgsAuthManager.instance().rebuildTrustedCaCertsCache()
QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
</pre>
You can verify that CA is removed in qgis in settings->options->authentication->Manage Certificates->Authorities
# connect to WMS => still wms error but not sslError dialog
# after a while the sslError come back connecting to WMS service
ABSTRACT
A brief description of the bug(?) and after a detailed step procedure to reproduce it:
Any SO has a SSL conf has a list of CAs. These are used to setup the ssl communication to verify if peer cert can be trusted or not. If the system CAs list change this would affect the subsequent connection.
I found that if I remove or add a CA, next connections "remember" the previous CA list for a while (some minutes).
to reproduce the error I tried to connect to https://qgis.boundlessgeo.com that is signed by:
"AddTrust CA External CA Root"
By default AddTrust is not present in Windows CAs. But.
* if it is present it can be removed using "certmgr.msc"
* if not present y can be automatically added by OS just browsing in a windows keystore capable browser (no Firefox) the following link: https://qgis.boundlessgeo.com/plugins/plugins.xml
The OS will check the URL CA and will check if it can be trusted, and if so, it will be added in the keystore.
PREMISE:
To generate sslError I ued to connect to a erroneous OWS service, eg WMS or WFS. The reason is to use only pure c++ code.
The steps to reproduce the errors are on WIN7 (but should be the same on any win OS):
* remove AddTrust CA if present
* in QGIS trying to connect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service (=> only c++ code)
* => sslError dialog will be opened. !!! Abort it and not push the Ignore button !!!
* load https://qgis.boundlessgeo.com/plugins/plugins.xml in Explorer and verify that "AddTrust" has been added in certmgr.msc
* executing the following python code in console
<pre>
QgsAuthManager.instance().rebuildCaCertsCache()
QgsAuthManager.instance().rebuildCertTrustCache()
QgsAuthManager.instance().rebuildTrustedCaCertsCache()
QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
</pre>
You can verify that new CA is updated in qgis in settings->options->authentication->Manage Certificates->Authorities
* tried to reconnect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service
* !!!continuing!!! to have sslError dialog
* waiting a while (5'?) I'm able to receive a WMS error => no more sslError
The procedure to reproduce the bug can be also inverted:
# started qgis having the CA AddTrust installed (no sslerror)
# connect to wms service https://qgis.boundlessgeo.com/plugins/plugins.xml => wms error but not sslError dialog
# removed AddTrust
# executed the following python code in console
<pre>
QgsAuthManager.instance().rebuildCaCertsCache()
QgsAuthManager.instance().rebuildCertTrustCache()
QgsAuthManager.instance().rebuildTrustedCaCertsCache()
QgsAuthManager.instance().rebuildIgnoredSslErrorCache()
</pre>
You can verify that CA is removed in qgis in settings->options->authentication->Manage Certificates->Authorities
# connect to WMS => still wms error but not sslError dialog
# after a while the sslError come back connecting to WMS service