Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Saving/Ignoring SSL Errors broken? #59402

Open
2 tasks done
rduivenvoorde opened this issue Nov 11, 2024 · 7 comments · May be fixed by #59437
Open
2 tasks done

Saving/Ignoring SSL Errors broken? #59402

rduivenvoorde opened this issue Nov 11, 2024 · 7 comments · May be fixed by #59437
Assignees
@elpaso
Labels
Authentication Related to the QGIS Authentication subsystem or user/password handling Bug Either a bug report, or a bug fix. Let's hope for the latter! Regression Something which used to work, but doesn't anymore

Comments

@rduivenvoorde
Copy link
Contributor

What is the bug or the crash?

One of our internal plugin repo's has a 'complicated' certificate chain.
Which always gave the SSL Error dialog when a user used QGIS for the first time.
BUT: saving/ignoring this error, 'fixed' this and all was 'fine'.

But recently (with me) it seems that even clicking the 'Save & Ignore' button, does NOT silence QGIS about this issue.

On every start of QGIS, I have to deal with the window (clicking one of the 3 buttons)...

Screenshot From 2024-11-11 08-37-16

Others have this issue recently?

Steps to reproduce the issue

Sorry, it is an internal cert/host, so I can not share this.
But I hope it is also broken for other types of SSL errors which are easier to reproduce.

I reproduced in a fresh profile, only providing the url as a second plugin repo url, and it behaves exactly the same.

Running a self compiled debug version I copied these (relevant?) lines:

src/gui/auth/qgsauthsslerrorsdialog.cpp:113 : (loadUnloadCertificate) [3107ms] Loading certificate for host:port = foo.faa.nl:443
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:75 : (authDatabaseConnection) [0ms] No existing connection, creating a new one
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:837 : (sslCertCustomConfigExists) [0ms] SSL cert custom config exists for host:port, id: foo.faa.nl:443, 763eff51eedfbb599ae8fe5340b6d2e9269ca30f
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection


src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [13957ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:837 : (sslCertCustomConfigExists) [0ms] SSL cert custom config exists for host:port, id: foo.faa.nl:443, 763eff51eedfbb599ae8fe5340b6d2e9269ca30f
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:837 : (sslCertCustomConfigExists) [0ms] SSL cert custom config exists for host:port, id: foo.faa.nl:443, 763eff51eedfbb599ae8fe5340b6d2e9269ca30f
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [10ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:72 : (authDatabaseConnection) [0ms] Using auth db connection name: authentication.configs:0x000055a4734a8b10 
src/core/auth/qgsauthconfigurationstoragedb.cpp:126 : (authDatabaseConnection) [0ms] Reusing existing connection
src/core/auth/qgsauthconfigurationstoragedb.cpp:641 : (storeSslCertCustomConfig) [1ms] Store SSL cert custom config SUCCESS for host:port, id: foo.faa.nl:443, 763eff51eedfbb599ae8fe5340b6d2e9269ca30f
src/core/auth/qgsauthmanager.cpp:2365 : (updateIgnoredSslErrorsCacheFromConfig) [0ms] Update of ignored SSL errors cache SUCCEEDED for sha:host:port = 763eff51eedfbb599ae8fe5340b6d2e9269ca30f:foo.faa.nl:443
src/core/auth/qgsauthmanager.cpp:2324 : (dumpIgnoredSslErrorsCache_) [0ms] Ignored SSL errors cache items:
src/core/auth/qgsauthmanager.cpp:2333 : (dumpIgnoredSslErrorsCache_) [0ms] 763eff51eedfbb599ae8fe5340b6d2e9269ca30f:foo.faa.nl:443 = Unable to Verify First Certificate, Unable to Get Local Issuer Certificate
src/core/auth/qgsauthmanager.cpp:2333 : (dumpIgnoredSslErrorsCache_) [0ms] foo.faa.nl:443 = Unable to Verify First Certificate, Unable to Get Local Issuer Certificate
src/app/qgsappsslerrorhandler.cpp:73 : (handleSslErrors) [3ms] All SSL errors ignored for foo.faa.nl:443
src/core/network/qgsnetworkaccessmanager.cpp:492 : (restartTimeout) [0ms] [thread:0x55a477f17b20] Restarting network reply timeout
src/core/network/qgsblockingnetworkrequest.cpp:297 : (replyProgress) [144ms] [thread:0x55a477f17b20] 1513 of 1513 bytes downloaded.
src/core/network/qgsblockingnetworkrequest.cpp:297 : (replyProgress) [342ms] [thread:0x55a477f17b20] 1513 of 1513 bytes downloaded.
src/core/network/qgsblockingnetworkrequest.cpp:328 : (replyFinished) [0ms] [thread:0x55a477f17b20] reply OK
src/core/network/qgsblockingnetworkrequest.cpp:416 : (replyFinished) [0ms] [thread:0x55a477f17b20] expirationDate:
src/core/network/qgsblockingnetworkrequest.cpp:431 : (replyFinished) [0ms] [thread:0x55a477f17b20] Reply was cached: 0

Versions

Tested both with master and 3.40 builds

Supported QGIS version

  • I'm running a supported QGIS version according to the roadmap.

New profile

Additional context

No response
@rduivenvoorde rduivenvoorde added Authentication Related to the QGIS Authentication subsystem or user/password handling Bug Either a bug report, or a bug fix. Let's hope for the latter! labels Nov 11, 2024
@elpaso
Copy link
Contributor

elpaso commented Nov 11, 2024

Hi @rduivenvoorde I've done a refactoring of the auth system recently, can you please check if the issue was introduced with 3.40 or if it was already there before that version?

@rduivenvoorde
Copy link
Contributor Author

@elpaso I'm pretty sure that this worked earlier, but I'll try to confirm using a fresh 3.38 build

@elpaso
Copy link
Contributor

elpaso commented Nov 11, 2024

@elpaso I'm pretty sure that this worked earlier, but I'll try to confirm using a fresh 3.38 build

Please assign this to me if it is a confirmed regression.

@rduivenvoorde
Copy link
Contributor Author

I'm trying to reproduce this on a site of which I know the cert is wrong.

At least with my internal host error I can confirm that once 'saved' as an exception, it will not show up anymore in 3.38
So to me it looks like that newer QGIS version do not read these 'exceptions'-list or so??

Using https://pc6.nl/plugins/plugins.xml as repo url, I'm not able to save the error you get as an exception in >0 3.40 versions. QGIS will always complain about the cert.

I'm not sure anymore if that is the intented behaviour.
But at least in older versions I'm pretty sure, that after clicking that dialog once, it was saved, somewhere in your profile, and you will not see that dialog for the ssl error for that host anymore.

It's harder to confirm with the host above, because after saving the error, now the another error shows:
image
which, I think, has something todo with other ssl issues...

@elpaso
Copy link
Contributor

elpaso commented Nov 12, 2024

I'm trying to reproduce this on a site of which I know the cert is wrong.

At least with my internal host error I can confirm that once 'saved' as an exception, it will not show up anymore in 3.38 So to me it looks like that newer QGIS version do not read these 'exceptions'-list or so??

Using https://pc6.nl/plugins/plugins.xml as repo url, I'm not able to save the error you get as an exception in >0 3.40 versions. QGIS will always complain about the cert.

https://pc6.nl/plugins/plugins.xml seems down to me.

@elpaso
Copy link
Contributor

elpaso commented Nov 12, 2024

@rduivenvoorde I can reproduce the issue, please the test server up if you can.

@rduivenvoorde
Copy link
Contributor Author

If you mean https://pc6.nl/plugins/plugins.xml, that should always be up, if not ping me

@elpaso elpaso added the Regression Something which used to work, but doesn't anymore label Nov 13, 2024
elpaso added a commit to elpaso/QGIS that referenced this issue Nov 13, 2024
@elpaso
Fix auth SSL errors cache
cff98a3 
Fix qgis#59402
@elpaso elpaso linked a pull request Nov 13, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@elpaso elpaso

Labels
Authentication Related to the QGIS Authentication subsystem or user/password handling Bug Either a bug report, or a bug fix. Let's hope for the latter! Regression Something which used to work, but doesn't anymore
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix auth SSL errors cache elpaso/QGIS
2 participants
@elpaso @rduivenvoorde