QGIS/Qt does not trigger auto-import of Windows root Certificate Authorities

[qgib]

Author Name: Luigi Pirelli (@luipir) Original Redmine Issue: 15617

Redmine category:authentication_system Assignee: Larry Shaffer

---

The following steps demonstrate that QGIS/Qt is not able to trigger auto-importing of trusted root CAs by the Windows OS. Since OpenSSL is used and not the appropriate Win Crypto API calls

To verify, the procedure is:

1. Open the Windows certificate manager application (certmgr.msc) and remove the "AddTrust External CA Root" certificate if it exists (Note: removal is not detrimental to the Win OS, as this CA is not generally installed with a fresh copy of the OS, and it can readily be re-imported)
2. Leave the certificate manager open
3. Open QGIS and add the following plugin repo https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (this is for testing only, because the endpoint is known to exihibt the issue; other general, non-plugin-repo SSL endpoints may as well)
4. Reload plugin repos
5. Confirm loading the new repo URL generates an SSL Error dialog indicating a missing root CA. Because boundlessgeo.com's SSL certificate is signed by "AddTrust External CA Root" the error should be produced. (Do not ignore or save an override configuration for this error, but abort the error to avoid the connection from being cached)
6. Open a Web browser based upon native APIs for interacting with the Win keystore, e.g. Chrome , Edge or Internet Explorer (not Firefox, since it has its own internal keystore)
7. Go to the link https://qgis.boundlessgeo.com/plugins.xml?qgis=2.14 (automatically the Windows OS should install the "AddTrust External CA Root" certificate, in the background, since it is from Comodo, a partner of the Trusted Root Certificate program hosted by Microsoft: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx )
8. Refresh the certificate manager list of CAs to verify that "AddTrust External CA Root" has been added automatically (see screen shot attachment for Win 10)
9. WITHOUT closing QGIS, repeat reloading of the plugin repos
10. Confirm the same SSL error, and clicking on button "Connection trusted CAs" does not list the "AddTrust External CA Root" cert. Qt is not synched with current status/changes of the Win OS keystore. (NOTE: this is currently expected behavior, as the trusted root CA is not continuously updated by QgsAuthManager, though it should be updated in this circumstance)
11. Relaunch QGIS
12. Verify the plugin repo connection now produces no SSL error, as the Win OS CA trusted root list has be synchronized and cached on QGIS startup and the "AddTrust External CA Root" cert is now available.

This shows the following issues that need addressed:

• QgsAuthManager needs to update its cache whenever the Win OS keystore's trusted root CAs change (Qt may already do this, but QgsAuthManager only caches the keystore query of the root CAs on QGIS startup, or when one is added via the GUI in QGIS's Certificate Manager)
• Connecting to an endpoint in QGIS/Qt that should trigger the Win OS to auto-import the needed CA does not. This would happen if using a normal Web browser built upon Win Crypto API calls.

Proposed solutions:

• For QgsAuthManager, do quick comparison of Qt-provided root CAs against those that are cached, inside of QgsNetworkAccessManager. Update QgsAuthManager's cache as needed.
• When SSL error dialog is presented on Windows, and the error(s) contains "missing root CA", add a notification in the dialog that simply explains the issue and offers the user a link or button to open the same URL in the default browser, which would possibly auto-import the root CA (but not if the browser is Firefox). This may be an easier fix than trying to programmatically call the Win Crypto API to possibly auto-update the missing root CA and reattempt the connection.

---

• qgis-trusted-cas-cached.png (Larry Shaffer)

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• subject was changed from QGIS/QT Does not update list of Trusted CAs => need qgi srestart to QGIS/QT Does not update list of Trusted CAs => need QGIS srestart

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• subject was changed from QGIS/QT Does not update list of Trusted CAs => need QGIS srestart to QGIS/QT Does not update list of Trusted CAs => need QGIS restart

[qgib]

Author Name: Jürgen Fischer (@jef-n)

---

• project_id was changed from 18 to 17

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• assigned_to_id was configured as Larry Shaffer

[qgib]

Author Name: Larry Shaffer (Larry Shaffer)

---

• fixed_version_id was configured as Version 2.18
• category_id was configured as Authentication system

[qgib]

Author Name: Larry Shaffer (Larry Shaffer)

---

• subject was changed from QGIS/QT Does not update list of Trusted CAs => need QGIS restart to QGIS/Qt does not trigger auto-import of Windows root Certificate Authorities

[qgib]

Author Name: Larry Shaffer (Larry Shaffer)

---

• 10412 was configured as qgis-trusted-cas-cached.png

---

• qgis-trusted-cas-cached.png (Larry Shaffer)

[qgib]

Author Name: Larry Shaffer (Larry Shaffer)

---

Regarding the qgis-trusted-cas-cached.png attachment. The left part of the image shows the default trusted root CAs for a fresh install of Windows 10, plus the "AddTrust External CA Root" certificate that was added automatically by the Win OS via its hosted Trusted Root Certificate program.

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

during dev I found a possible bug reported in #23610

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

I didn't find any solution to #23610 => the only way to reload ssl CA cache without waiting some minutes for the update is to re-start qgis!

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

I'll prepare a PR from the following branch:

https://github.com/boundlessgeo/qgis/tree/CAs_import_via_keystore

the fix is applicable only on Windows. No CA problems found on linux and mac.

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

just waiting to have a UX review before to create the PR

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

a screencast to show hos the interface works https://youtu.be/pN30XE7r7_k

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

created two PR

for 2.14: https://github.com/qgis/QGIS/pull/3640 for 2.18: https://github.com/qgis/QGIS/pull/3671

[qgib]

Author Name: Luigi Pirelli (@luipir)

---

fix only for 2.14 and release-2_18 because probably the issue is not present in qgis3 due the different ssl infrastructure offered by qt5

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• easy_fix was configured as 0