Hi,

I filed the following issue: https://hub.qgis.org/issues/15687

Would be fine to have more confirmation on different Windows versions or other OSs.

This is the text of the issue:

***********************

I found a misalignment in SSL Root Certificate Authorities (CAs) caching, at least in WIN. This bug has been found developing a solution to: https://hub.qgis.org/issues/15617

ABSTRACT

A brief description of the bug(?) and, after that, a detailed step procedure to reproduce it:

Any OS has an SSL conf that has a list of CAs. These are used to set up the SSL communication to verify if the peer cert can be trusted or not. If the system CAs list changes, this would affect the subsequent connection.

I found that if I remove or add a CA, the next connections "remember" the previous CA list for a while (some minutes).

To reproduce the error I tried to connect to https://qgis.boundlessgeo.com that is signed by: "AddTrust CA External CA Root"

By default AddTrust is not present in Windows CAs. But:
- if it is present, it can be removed using "certmgr.msc"
- if not present, it can be automatically added by the OS just by browsing, in a Windows keystore capable browser (no Firefox), the following link: https://qgis.boundlessgeo.com/plugins/plugins.xml
  The OS will check the URL CA and will check if it can be trusted, and if so, it will be added in the keystore.

PREMISE: To generate sslError I used to connect to an erroneous OWS service, e.g. WMS or WFS. The reason is to use only pure C++ code.

The steps to reproduce the errors are on WIN7 (but should be the same on any Windows OS):
- remove AddTrust CA if present
- in QGIS, try to connect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service (=> only C++ code)
- => sslError dialog will be opened. !!! Abort it and do not push the Ignore button !!!
- load https://qgis.boundlessgeo.com/plugins/plugins.xml in Explorer and verify that "AddTrust" has been added in certmgr.msc
- execute the following python code in console:

    QgsAuthManager.instance().rebuildCaCertsCache()
    QgsAuthManager.instance().rebuildCertTrustCache()
    QgsAuthManager.instance().rebuildTrustedCaCertsCache()
    QgsAuthManager.instance().rebuildIgnoredSslErrorCache()

  You can verify that the new CA is updated in QGIS in settings->options->authentication->Manage Certificates->Authorities
- tried to reconnect to https://qgis.boundlessgeo.com/plugins/plugins.xml using wms service
- !!!continuing!!! to have sslError dialog
- waiting a while (5'?) I'm able to receive a WMS error => no more sslError

The procedure to reproduce the bug can also be inverted:
- started QGIS having the CA AddTrust installed (no sslError)
- connect to wms service https://qgis.boundlessgeo.com/plugins/plugins.xml => wms error but no sslError dialog
- removed AddTrust
- executed the following python code in console:

    QgsAuthManager.instance().rebuildCaCertsCache()
    QgsAuthManager.instance().rebuildCertTrustCache()
    QgsAuthManager.instance().rebuildTrustedCaCertsCache()
    QgsAuthManager.instance().rebuildIgnoredSslErrorCache()

  You can verify that the CA is removed in QGIS in settings->options->authentication->Manage Certificates->Authorities
- connect to WMS => still wms error but no sslError dialog
- after a while the sslError comes back when connecting to the WMS service

Luigi Pirelli

* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS: https://www.packtpub.com/application-development/mastering-qgis
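A baseline check for the timing question in this report, as an added example that is not part of the original message or of QGIS: run in a separate Python 3 interpreter, it uses only the standard ssl module to record when a CA added to or removed from the OS store becomes visible to a freshly created TLS context, so that moment can be compared with when QGIS starts or stops showing the sslError dialog. The function names and the sample certificate entries are constructed for illustration, and the check shows Python's view of the OS store, not Qt's.

```python
import ssl
import time


def ca_label(cert):
    """Build 'name [serial]' from one dict as returned by SSLContext.get_ca_certs()."""
    fields = {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}
    name = fields.get("commonName") or fields.get("organizationName") or "?"
    return "%s [%s]" % (name, cert.get("serialNumber", "?"))


def snapshot(certs=None):
    """Set of CA labels; with no argument, read what a fresh context loads from the OS."""
    if certs is None:
        certs = ssl.create_default_context().get_ca_certs()
    return {ca_label(c) for c in certs}


def diff_snapshots(before, after):
    """Return (added, removed) CA labels between two snapshots, each sorted."""
    return sorted(after - before), sorted(before - after)


def wait_for_change(needle, present, timeout=600, interval=5,
                    read=snapshot, clock=time.monotonic, sleep=time.sleep):
    """Poll until a CA whose label contains `needle` is present (or absent).
    Returns the seconds waited, or None if `timeout` expires first."""
    start = clock()
    while clock() - start <= timeout:
        if any(needle in label for label in read()) == present:
            return clock() - start
        sleep(interval)
    return None


# Constructed sample data shaped like get_ca_certs() output (not real certificates).
SAMPLE_WITHOUT = [
    {"subject": ((("commonName", "Example Root CA"),),), "serialNumber": "0A"},
]
SAMPLE_WITH = SAMPLE_WITHOUT + [
    {"subject": ((("commonName", "AddTrust CA External CA Root"),),), "serialNumber": "01"},
]

if __name__ == "__main__":
    before = snapshot()
    print("%d CAs visible; now add the CA in the OS store" % len(before))
    print("visible after (s):", wait_for_change("AddTrust", present=True))
    print("added/removed:", diff_snapshots(before, snapshot()))
```

If the CA shows up here within one polling interval while QGIS keeps raising sslError for minutes, the delay sits in the application's own CA handling rather than in the OS store.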
