Hi Larry, 

Thank you for your reply! 

It is actually a chain with an intermediate CA. So maybe I just hit the
issue you also discovered? 

It is about this URL/certificate: https://services.geo.zg.ch/ 

Root CA: SwissSign Silver G2 Root CA
Intermediate CA: Swiss Sign Silver CA 2014 - G22
SSL Certificate: services.geo.zg.ch 

So I will try to have a look at the workaround or fall back to http only
- because I can control both servers. 

Thanks, 

Andreas 

On 2017-01-27 21:49, Larry Shaffer wrote:

> Hi Andreas, 
> 
> On Fri, Jan 27, 2017 at 8:48 AM, Neumann, Andreas <a.neum...@carto.net> wrote:
> 
>> Some more information on my server: 
>> 
>> Linux CentOS7 
>> 
>> qt 4.8.5 
>> 
>> The server only allows tls connections, no SSLv2/3 or such vulnerable stuff. 
>> Perhaps qt is too old to properly support tls ciphers? 
>> 
>> Can I add an SSL "do not check exception" for specific connections of QGIS 
>> server? 
>> 
>> If yes - how would I configure that for QGIS server?
> 
> Qt 4.8 can definitely use TLS, and can be configured (in a SSL Server 
> configuration) to connect to the WMS endpoint how you feel is appropriate, 
> including ignoring specific SSL errors. This assumes you are cascading by 
> configuring a QGIS project with a WMS layer and then, in turn, serving again 
> via WMS through QGIS Server. If so, you should be able to use the 
> authentication system to solve the connection issues. However, you will need 
> to have the authentication database available to QGIS Server as well, via env 
> variable, because the SSL Server configurations are stored in it. 
> 
> Recently (last week), I noticed a possible bug in the auth system whereby the 
> SSL endpoint connected to will throw an SSL error when the endpoint has 
> intermediate certificates that are not stored in QGIS's Authorities tab. 
> Usually, validation would not check for trust of intermediates, only whether 
> a given cert in the chain is valid for the particular use and the eventual 
> trustworthiness of its root Certificate Authority. Essentially, any 
> intermediates need to be trusted as root CAs until this is fixed. 
> 
> In this case, for a workaround, you will need to either add the intermediate 
> certificates to OpenSSL's referenced trusted roots file/directory, or add 
> them to your Authorities tab in QGIS (which adds them to the authentication 
> database as trusted, by default) then ensure the auth database can be used by 
> QGIS Server for the project. 
> 
> I would need to know more about your particular SSL setup to give any further 
> suggestions here. Unfortunately, "SSL handshake failed" is too vague, and I 
> am only guessing at the problem above. 
> 
> Regards, 
> 
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota 
> 
> Thanks for any hints, 
> 
> Andreas
> 
> On 2017-01-27 16:31, Neumann, Andreas wrote: 
> 
> Hi, 
> 
> I want to use a cascading WMS in QGIS server. I know it is not ideal, 
> performance-wise, but it would be only for printing. 
> 
> Problem is that the WMS uses https and QGIS server can't connect. The QGIS 
> server log shows a connect error: 
> 
> Download of capabilities failed: SSL handshake failed 
> 
> curl or wget on the same server works fine with the same ssl connection. 
> 
> Does anyone know how I can overcome this SSL handshake issue? Do I need to set up 
> a separate certificate chain for QGIS server? I hope not ... 
> 
> Thanks for any hints, 
> 
> Andreas
> 
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer [1]
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer [1] 
> 

  

Links:
------
[1] https://lists.osgeo.org/mailman/listinfo/qgis-developer
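
The chain behaviour discussed in this thread, as an added example that is not part of the original messages: a throwaway root, intermediate and leaf are built with the `openssl` CLI, then verified with the intermediate presented as untrusted, with it missing, and with it added to the trusted file (the workaround). All CNs, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain with throwaway keys.
# All names (CNs, file names, function names) are assumptions made for this demo.

build_chain() {  # build_chain <dir>: writes root.pem, int.pem, leaf.pem, bundle.pem
    dir=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > "$dir/ca.cnf"
    # Self-signed root CA
    openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 1 -extfile "$dir/ca.cnf" -extensions v3_ca -days 2 \
        -out "$dir/int.pem" 2>/dev/null || return 1
    # Server (leaf) certificate, signed by the intermediate
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=wms.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 2 -days 2 -out "$dir/leaf.pem" 2>/dev/null || return 1
    # Workaround trust file: root plus intermediate, both treated as trusted
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/bundle.pem"
}

verifies() {  # verifies <leaf> <openssl verify options...>; status 0 only on "OK"
    leaf=$1; shift
    openssl verify "$@" "$leaf" 2>/dev/null | grep -q ': OK$'
}

report() {  # report <label> <leaf> <options...>
    label=$1; shift
    if verifies "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
build_chain "$d" || { echo "openssl could not build the demo chain" >&2; exit 1; }
report "root trusted, intermediate presented by peer" "$d/leaf.pem" -CAfile "$d/root.pem" -untrusted "$d/int.pem"
report "root trusted, intermediate not available    " "$d/leaf.pem" -CAfile "$d/root.pem"
report "root and intermediate both trusted          " "$d/leaf.pem" -CAfile "$d/bundle.pem"
```

Only the second case fails: a client that cannot use the intermediate has no path from the leaf to the trusted root, which is why adding the intermediate to the trusted set makes the connection work.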