SSL error(s) on What's New web page load #21518

Closed
qgib opened this issue Sep 30, 2015 · 3 comments
Labels: Authentication (Related to the QGIS Authentication subsystem or user/password handling); Bug (Either a bug report, or a bug fix. Let's hope for the latter!); High Priority

qgib commented Sep 30, 2015

Author Name: Larry Shaffer (Larry Shaffer)
Original Redmine Issue: 13471
Affected QGIS version: master
Redmine category: authentication_system
Assignee: Larry Shaffer


For some reason, the Qt application trusted Certificate Authorities are not being loaded into the @QgsWebPage@ upon requests, resulting in:

https://www.google.com/jsapi
Unable To Get Local Issuer Certificate...
Certificate Untrusted...

Started happening after the proxy support, i.e. using @QgsNetworkAccessManager@, was added to the new welcome page.

Setting the SSL cert exception is a workaround, but should not be needed. It appears that no trusted Certificate Authorities are being added to the @QgsWebView@ requests. This is very odd, especially because if you inspect the certificate chain and trusted certs from within the SSL error dialog everything is there. I even tried adding the specific cert authorities to QGIS's new cert manager, with no luck.

Next I tried commenting out the @QNetworkRequest@ hack in @QgsNetworkAccessManager@ for HTTPS requests, but that had no effect either.

It seems that the @QWebPage@ requests are maybe in a different thread and the SSL errors, as handled by the @QgisApp@, are just a response to a signal, but not being honored in the calling thread. Still it doesn't explain why the CAs are not being passed to the @QgsWebView@ to begin with.



qgib commented Oct 3, 2015

Author Name: Anónimo (Anónimo)


Fixed in changeset "95c377a607757b4cc9d03a6e399b5516d0b44dcd".


  • status_id was changed from Open to Closed


qgib commented Oct 3, 2015

Author Name: Larry Shaffer (Larry Shaffer)


While the web page exhibiting the issue has been removed from master, the issue still stands: https://www.google.com/jsapi does not have its certificate chain validated properly.

Initially, I thought it was related to the new authentication system (and spent a bunch of effort trying to find how it affected SSL cert chain validation), but it is not related to the new auth system at all. I wrote a small PyQt4 script (attached cert-authority-test.py) to test both @QNetworkAccessManager@ and @QWebPage@ outside of QGIS's custom implementation of both.

Try:

You can play around with the script a bit:

  • Uncomment @wv.page().setNetworkAccessManager(nam)@ line to test setting an outside manager. Same result as internal manager: SSL errors for 'https://www.google.com/jsapi'.
  • Comment out all lines that start with 'wv' and uncomment the @nam.sslErrors ...@ block. Shows same result if calling @get()@ on @QNetworkAccessManager@: SSL errors for 'https://www.google.com/jsapi'.

Essentially, Qt4 certificate chain validation has an issue with this particular chain. I tried doing all the chain validation through QCA and ended up with the same errors. If I were to guess, both Qt4 and QCA have issues validating an SSL cert chain which contains a cert with an "Elliptic Curve Public Key":https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ which https://www.google.com uses.

Could be that Qt5 has this issue fixed (untested).


  • 9140 was configured as cert-authority-test.py


qgib commented Oct 3, 2015

Author Name: Matthias Kuhn (@m-kuhn)


No error for me on Fedora / QGIS 2.10.1 libs.

I also did not get this error on app startup with current master. Basically SSL certificate verification seems to work perfectly fine.

Adding @url = 'https://tv.eurosport.com/'@ shows an SSL error; I used this to check that checks are actually performed.

Qt version: 4.8.6

qgib added the Bug, High Priority and Authentication labels on May 25, 2019
qgib added this to the Version 2.12 milestone on May 25, 2019
qgib closed this as completed on May 25, 2019