Use TLS v1.2 instead of SSL v3 #19743
Comments
|
Author Name: guillaume - (guillaume -) Sorry for the noise, QGIS is already designed with TLS 1.2 |
|
Author Name: Neil Benny (Neil Benny) TLS 1.2 on QGIS only seems to be in place for the 64 bit version (32 bit doesn't work) and I’m having some problems following a recent security upgrade to our WMS which shut down SSL v3. Am I missing something obvious – does it need turned on somewhere? |
|
Author Name: Matt Debont (Matt Debont) We recently had to shut down SSL V3 on our WMS and this issue started cropping up and it does appear to be a 32 bit specific problem which while not a problem for myself, it is hitting a section of our users (can't / won't upgrade to a 64 bit OS). Would be great to know if anyone has figured out how to get TLS 1.2 to work on the 32 bit app however, or if I am simply missing something obvious. |
|
Author Name: Jürgen Fischer (@jef-n) Matt Debont wrote:
Probably not, because it takes a newer Qt version - and a rebuild of everything depending on it. |
|
Author Name: Jürgen Fischer (@jef-n)
|
|
Author Name: David Lee (David Lee) Please can you explain whether this means that this problem will be fixed and, if so, the expected timescale? The lack of TLS support in the 32 bit version of QGIS is having a major impact upon ecologists in the UK since it blocks access to the WMS server of the official UK national biological records centre (National Biodiversity Network Gateway) for users unable to use the 64 bit application. Since QGIS is said to have been designed with TLS 1.2 in place, the lack of TLS functionality in the 32 bit version would appear to be a serious bug rather than merely a "feature request". |
|
Author Name: Jürgen Fischer (@jef-n) Qt in OSGeo4W 32bit was updated to 4.8.6
|
|
Author Name: David Lee (David Lee) It would have been more helpful if you had explained that Qt has only been updated to 4.8.6 in the Network Installer download of 32bit QGIS - "For Advanced Users"! The Standalone version - which will be downloaded by the vast majority of users - still installs QT 4.7.1. |
|
Author Name: Giovanni Manghi (@gioman) David Lee wrote:
FYI the standalone installers are derived/created using the packages in the osgeo4w installer, so it is just a matter to wait for the next (standalone) build. |
|
Author Name: Jürgen Fischer (@jef-n) David Lee wrote:
Sorry for the confusion, I thought "OSGeo4W 32bit" was explicit enough. |
|
Author Name: David Lee (David Lee) Not really. OSGeo4W is installed whether you use the QGIS standalone installer or the network installer, so I initially assumed that they would both deliver the same updated version. The remaining question is - when will the standalone installer be rebuilt and how can we know when it has happened? It's rather inconvenient to have to download everything again for each machine on which you want to install QGIS, so a single download of the standalone package is much more efficient. |
|
Author Name: Giovanni Manghi (@gioman) David Lee wrote:
no, it is not like that. If you install qgis standalone then osgeo4w is not installed. But QGIS standalone is made of the very same (binary) packages that are available in osgeo4w. In fact in the qgis source code you even have a script that allows you to build the standalone installer. The script takes the packages from the osgeo4w repository and "assemble" them into the standalone installer. |
|
Author Name: David Lee (David Lee) Clearly I'm just confused! Can anyone answer the question "When will the Standalone installer be rebuilt to include the latest version of QT"? Alternatively, Giovanni's reply suggests that I should be able to create a standalone installer myself from the OSGeo4W Advanced installer that I could then share with our other 32bit users. Is that the case and if so how do I do it? Sorry if I'm being particularly dim! |
|
Author Name: Giovanni Manghi (@gioman) David Lee wrote:
nope, it just installs the same command line shell, among the other things.
I believe that are rebuilt when necessary, for example when a serious bug is backported, or something like that. Right now the worst case scenario is that you will have a new standalone installers in one month, as qgis 2.8 is due in more or less 30 days.
https://github.com/qgis/QGIS/blob/master/ms-windows/osgeo4w/creatensis.pl |
qgib
added
Feature Request
High Priority
Data Provider
Author Name: guillaume - (guillaume -)
Original Redmine Issue: 11473
Redmine category:web_services_clients/wms
Assignee: Jürgen Fischer
For HTTPS connections, QGIS uses SSL V3 which is old and weak (a major failure has been discovered recently, see https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability). This weakness and the Poodle vulnerability are going to make most servers stop using SSL v3 as recommended. Hence, QGIS won't be able to establish a connection to them.
QGIS should move to TLS 1.2 quickly.
Best regards
Related issue(s): #19472 (relates), #19749 (relates), #19769 (relates)
Redmine related issue(s): 11145, 11479, 11499
The text was updated successfully, but these errors were encountered: