I've done a little bit more research on SSL and certificates, and I'm
probably going to close this topic with this email (unless someone wants to
mention something else).

The one certificate that is needed for the Avogadro web fetches (
https://cactus.nci.nih.gov/) is DigiCert Global Root CA. It appears that
most computers nowadays have it on them if they have been updated. On Linux
computers, it appears that the certificates are stored in /etc/ssl/certs.
My Ubuntu 16.04 computer already has that certificate on it (where it got
it, I'm not sure, but it is probably from some common installation like
Firefox or something). Unfortunately, as per usual, Windows appears to make
things more complicated than they need to be: the SSL certificates for
Windows are scattered in multiple directories. However, one can see which
certificates are on the computer by running the certmgr.msc program (it
comes with Windows). The Windows 7 computer I have that was failing at the
network fetches did not have the DigiCert Global Root CA, but after
updating the web browsers (Firefox and Google Chrome) and restarting, it
now does. And the network fetches now work fine.

Because it appears that the DigiCert Global Root CA certificate comes on
most computers by default, I don't think that we need to put it into the
Avogadro install. If someone is missing the certificate, either they can
update their web browsers and their OS or download the certificate directly
via https://www.digicert.com/digicert-root-certificates.htm. It is listed
there as one of the certificates.

We can keep an eye out and see if people have issues with the web fetches,
but I don't think they will. As long as Qt has SSL enabled and we install
libeay32.dll and ssleay32.dll into the avogadro bin, I think it will work
fine. If it doesn't work for them, the SSL errors printed from the code in
this pull request will help: https://github.com/cryos/avogadro/pull/827

But it will probably be due to the certificate being missing, and we can
just show them where to install it or tell them to update their web
browsers.

Let me know if anyone wants to say anything else about this.

Thanks,
Patrick

On Fri, Jun 10, 2016 at 7:45 PM, Patrick Avery <psav...@buffalo.edu> wrote:

> The certificate fix worked! It took me a while, though, because I found
> out eventually that I needed to use a different certificate than the one I
> was using (needed the DigiCert certificate)...
>
> So here's what the status appears to be with it:
>
> If we make sure Qt is compiled on Windows with SSL features enabled, and
> we install libeay32.dll and ssleay32.dll into the bin directory, the HTTPS
> network requests to https://cactus.nci.nih.gov/ seem to work on several
> computers. It works on mine (Windows 10), it works on another Windows 10
> desktop, and it worked on a Windows 7 computer. However, there is another
> Windows 7 computer that was giving me great difficulty - it was failing
> because of the error message:
>
> "The issuer certificate of a locally looked up certificate could not be
> found"
>
> I'm guessing this is because some computers are missing the DigiCert
> certificate. I'm not sure what determines whether a computer has it or not.
> We can install the certificate (it is 2 kB) into the bin directory and use
> the following code to load it:
>
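>     // Needs <QFile>, <QDebug>, <QSslCertificate> and <QSslSocket>
>     // Note: a relative file name is resolved against the current working
>     // directory, not the directory the executable is in
>     QString certName = QString("digicertroot.crt");
>
>     // Read the SSL certificate
>     qDebug() << "Reading " << certName << "...";
>     QFile certFile(certName);
>     if (!certFile.open(QIODevice::ReadOnly))
>       qDebug() << "Could not open" << certName << certFile.errorString();
>     const QByteArray bytes = certFile.readAll();
>     certFile.close();
>
>     // Create a certificate object (PEM encoding is the default)
>     const QSslCertificate cert(bytes);
>     qDebug() << "certificate info is:" << cert.expiryDate() << cert.version()
>              << cert.serialNumber() << cert.isNull()
>              << cert.issuerInfo(QSslCertificate::Organization);
>
>     // Add this certificate to all SSL connections, but only if it parsed
>     if (!cert.isNull())
>       QSslSocket::addDefaultCaCertificate(cert);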
>
> This only needs to be called once and then all requests to
> "https://cactus.nci.nih.gov/" will work. So I've been calling it with the
> main function (although I know we can probably come up with a better place
> to call it...).
>
> So I guess the question is: should we add the DigiCert certificate to the
> install for Avogadro and add it using the code above? Are we allowed to
> pass around certificates in installs?
>
> Thanks,
> Patrick
>
> On Fri, Jun 10, 2016 at 1:24 AM, Patrick Avery <psav...@buffalo.edu>
> wrote:
>
>> So, I got it to print out the SSL error message on the computer that it
>> wasn't working on. Here's what the error message says:
>>
>> "The issuer certificate of a locally looked up certificate could not be
>> found"
>>
>> "SSL handshake failed"
>>
>> Perhaps I'll need to add the certificates of the main websites that it
>> visits...
>>
>> On Thu, Jun 9, 2016 at 3:39 PM, Patrick Avery <psav...@buffalo.edu>
>> wrote:
>>
>>> Thank you, Marcus. It looks as though it is indeed an SSL issue, and it
>>> appears as though I'm getting close to solving the problem. I got it to
>>> work on my own personal computer - which is good. However, I haven't gotten
>>> it to work on other computers as of yet.
>>>
>>> I compiled OpenSSL, and I recompiled Qt 4.8.6 making sure SSL options
>>> were enabled (and I linked the openssl libraries and included the openssl
>>> include file). The QtNetwork4.dll grew about 200 kB in size (I believe
>>> indicating the added SSL features). With all of that done, the network
>>> features with those servers started working on my computer - as long as I
>>> had libeay32.dll and ssleay32.dll in my PATH. I manually added them to the
>>> install for now (for testing) to the AvoCPack.cmake:
>>>
>>>   file (GLOB libeay_DLL "C:/usr/local/ssl/bin/libeay32.dll")
>>>   file (GLOB ssleay_DLL "C:/usr/local/ssl/bin/ssleay32.dll")
>>>   install(FILES ${libeay_DLL} DESTINATION bin)
>>>   install(FILES ${ssleay_DLL} DESTINATION bin)
>>>
>>> However, despite all of this, it doesn't seem to be working yet on the
>>> Windows 7 computer I have here. On the Windows 7
>>> computer, QSslSocket::supportsSsl() still returns true now despite the
>>> https stuff not working (
>>> http://doc.qt.io/qt-4.8/qsslsocket.html#supportsSsl).
>>>
>>> I'm not entirely sure where to go from here. I'm going to try to
>>> recompile Qt with the "-openssl-linked" flag (
>>> http://doc.qt.io/qt-4.8/ssl.html) to see if that fixes it. Compiling Qt
>>> takes a while, though...
>>>
>>> On Wed, Jun 8, 2016 at 8:20 PM, Marcus D. Hanwell <
>>> marcus.hanw...@kitware.com> wrote:
>>>
>>>> I can confirm that this used to work on Windows before the server
>>>> changes. I built those binaries, but I also demonstrated the feature
>>>> on a number of Windows machines. I think it is simply an SSL issue,
>>>> and after a quick search found,
>>>>
>>>> http://stackoverflow.com/questions/3516143/qt-ssl-support-missing
>>>>
>>>> We had similar issues with CMake too, where the default binary did not
>>>> distribute with SSL enabled due to export issues (i.e. mainly the US
>>>> government defining strong encryption as a munition subject to export
>>>> controls).
>>>>
>>>> I would suspect that this is the main cause, but it is not something
>>>> that was ever a concern back then - few services used SSL. It looks
>>>> like we would need to find and add Windows SSL DLLs to the
>>>> distribution on Windows.
>>>>
>>>> On Wed, Jun 8, 2016 at 4:42 PM, Geoffrey Hutchison <geo...@pitt.edu>
>>>> wrote:
>>>> > I'm stumped. I had network fetch problems on Mac, but the issue was
>>>> > redirects from HTTP -> HTTPS. That's fixed.
>>>> >
>>>> > I'm not sure where the problem would be for Windows..
>>>> >
>>>> >
>>>> > From: Patrick Avery <psav...@buffalo.edu>
>>>> >
>>>> > Well, I ran a few tests. From what I can tell, the network features
>>>> > haven't worked for a while for Windows. We have a lab laptop that runs
>>>> > Windows 7 on it. My personal laptop has Windows 10.
>>>> >
>>>> > I tested both Avogadro 1.2.0 and Avogadro 1.1.1 via this link:
>>>> >
>>>> > http://sourceforge.net/projects/avogadro/files/avogadro/1.1.1/Avogadro-1.1.1-win32.exe/download
>>>> >
>>>> > Neither the IUPAC name nor the import molecule by chemical name worked
>>>> > for any combination (Windows 7 Avogadro 1.1.1, Windows 7 Avogadro 1.2.0,
>>>> > Windows 10 Avogadro 1.1.1, and Windows 10 Avogadro 1.2.0).
>>>> >
>>>> > So yeah, it doesn't look like the network features have been working
>>>> > for Windows for a while. Perhaps no one noticed because most Windows
>>>> > users don't use the network features...
>>>> >
>>>> > Oh, and the URLs do use https except for this one:
>>>> >
>>>> > https://github.com/cryos/avogadro/blob/50bef6066f81734f62f94e1b2ab06c34b9680dee/libavogadro/src/extensions/networkfetchextension.cpp#L108
>>>> >
>>>> > But that wasn't one I was testing with anyways.
>>>> >
>>>> > _______________________________________________
>>>> > Avogadro-devel mailing list
>>>> > Avogadro-devel@lists.sourceforge.net
>>>> > https://lists.sourceforge.net/lists/listinfo/avogadro-devel
>>>> >
>>>
>>>
>>
>
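Added example, not part of the original emails and not Avogadro code: if a root certificate is shipped in the install directory as discussed above, the file becomes a trust anchor, so it is worth checking its SHA-256 fingerprint against a value fixed at build time before trusting it, and trusting it only for the connection that needs it rather than process-wide. The sketch is in Python so it runs stand-alone; the function names and the sample "certificate" bytes are constructed for illustration, and the pin is computed from those bytes, not from the real DigiCert root.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for the bundled file; NOT a real certificate.
SAMPLE_DER = b"constructed stand-in bytes for a bundled root certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# In a real build this constant is taken from the CA's published fingerprint.
PINNED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()
# A copy of the file that was modified after installation (constructed).
TAMPERED_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"x")


def load_pinned_root(pem_text, pinned_sha256_hex):
    """Return the DER bytes of pem_text only if its SHA-256 matches the pin."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    actual = hashlib.sha256(der).hexdigest()
    # Accept the pin in "AA:BB:..." or plain hex form, any letter case.
    expected = pinned_sha256_hex.replace(":", "").lower()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("bundled CA file does not match the pinned fingerprint")
    return der


def context_trusting_only(der):
    """Build a client context whose only trust anchor is the verified root.

    Unlike a process-wide default CA list, this affects only connections
    made with the returned context. Needs a real certificate in `der`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification + hostname check
    ctx.load_verify_locations(cadata=der)
    return ctx


if __name__ == "__main__":
    print("intact file accepted:",
          load_pinned_root(SAMPLE_PEM, PINNED_SHA256) == SAMPLE_DER)
    try:
        load_pinned_root(TAMPERED_PEM, PINNED_SHA256)
    except ValueError as err:
        print("tampered file rejected:", err)
```
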