qgis / QGIS

QGIS is a free, open source, cross platform (lin/win/mac) geographical information system (GIS)
https://qgis.org
GNU General Public License v2.0

QGIS does not use on-demand certificate loading (even when no custom certificates are present) #51722

Open komima opened 1 year ago

komima commented 1 year ago

What is the bug or the crash?

Due to the custom certificate management inside QGIS, network requests cannot use on-demand root cert loading. This causes issues (at least) on fresh Windows installs, where there are initially only a few certs installed and everything else is installed on demand, if the site uses a known-trusted but non-installed root cert.

It seems network requests always set the certs on the QSslConfiguration by using the QGIS store (which returns also the system certs) and merging those with the ones in Qt QNetworkRequest defaultSslConfiguration (only system certs?). This will set the on-demand loading to false.

Could there be a way to first take a difference of the QGIS cert store and the default certs, and only if there is something different then add the remaining certs? This could allow it to work as intended, i.e. no customized bundle -> by default allow on-demand loading.

Steps to reproduce the issue

Versions

QGIS 3.22.15 on Windows 10

Supported QGIS version

New profile

Additional context

Qt seems to have implemented on-demand loading before version 5, and the explanation for the behaviour is described like this:

If the system CA certs are not in use (a CA bundle has been set
on the socket or as the global configuration), then this is skipped.
This is so an application can continue to use its own cert bundle
rather than trusting the system certs.

komima commented 1 year ago

Still occurring on QGIS 3.28.4 on Windows 10
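
The proposal in the issue description (diff the QGIS store against the system certificates and install an explicit bundle only when something custom remains), as an added example that is not QGIS or Qt code. ModelSslConfig is a hypothetical stand-in for QSslConfiguration that models only the behaviour quoted from Qt above, and the fingerprint strings standing in for certificates are constructed.

```cpp
#include <set>
#include <string>
#include <vector>

// A certificate is modelled by its fingerprint string (constructed values).
using Cert = std::string;

// Hypothetical stand-in for QSslConfiguration (assumption): as in the Qt note
// quoted in the issue, setting an explicit CA bundle turns on-demand root
// loading off for that configuration.
struct ModelSslConfig {
    std::vector<Cert> caCerts;    // explicit bundle, empty until one is set
    bool onDemandLoading = true;  // platform may fetch missing roots when true
    void setCaCertificates(const std::vector<Cert>& certs) {
        caCerts = certs;
        onDemandLoading = false;
    }
};

// Certificates in the application store that the system store does not
// already provide, in store order and without duplicates.
std::vector<Cert> customOnly(const std::vector<Cert>& appStore,
                             const std::vector<Cert>& systemCerts) {
    std::set<Cert> seen(systemCerts.begin(), systemCerts.end());
    std::vector<Cert> extra;
    for (const Cert& c : appStore)
        if (seen.insert(c).second)  // true: not a system cert, not listed yet
            extra.push_back(c);
    return extra;
}

// Touch the configuration only when there is something custom to trust.
// Returns true if an explicit bundle was installed.
bool applyTrust(ModelSslConfig& cfg, const std::vector<Cert>& appStore,
                const std::vector<Cert>& systemCerts) {
    const std::vector<Cert> extra = customOnly(appStore, systemCerts);
    if (extra.empty())
        return false;               // defaults untouched, on-demand stays on
    // An explicit bundle replaces the defaults, so it must carry the system
    // roots as well as the custom certificates.
    std::vector<Cert> bundle = systemCerts;
    bundle.insert(bundle.end(), extra.begin(), extra.end());
    cfg.setCaCertificates(bundle);
    return true;
}
```

In this model a profile with a custom certificate still loses on-demand loading, which matches the quoted Qt behaviour: only profiles without a customized bundle keep the platform default.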