Discussion:
[Qgis-user] WMS via https - "SSL handshake failed"
John Cartwright
2016-12-29 21:38:38 UTC
Permalink
Hello All,

I’m trying to use a WMS service over https and get the following error when trying to connect:

Failed to download capabilities:
Download of capabilities failed: SSL handshake failed

The URL works fine in a browser though. I’m guessing that QGIS and the server are not able to agree on a cipher suite. Can anyone tell me what ciphers QGIS supports or any way to get more insight into the underlying problem?

QGIS is version 2.18.2.

Thanks!

—john
Luigi Pirelli
2017-01-02 08:52:39 UTC
Permalink
Hi John

SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.

QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
method installed are listed in the documentation:
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html

what is you auth method? can you explain the workflow you followed to
store and use your credentials?

regards
Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************


On 29 December 2016 at 22:38, John Cartwright
Post by John Cartwright
Hello All,
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and the server are not able to agree on a cipher suite. Can anyone tell me what ciphers QGIS supports or any way to get more insight into the underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
John Cartwright
2017-01-03 17:42:03 UTC
Permalink
Thanks for your reply Luigi! To be clear, the WMS service that I’m trying to connect to does not require a username/password but is only available via https. The server (https://maps.ngdc.noaa.gov <https://maps.ngdc.noaa.gov/>) has a valid CA certificate. I tried adding a SSL Server Configuration (preferences -> authentication -> Manage Certificates -> Server) and while the entry appears to be valid, I still get the SSL Handshake error when trying add a WMS layer.

Any further ideas? Here’s the actual URL I’m trying to add:

https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS <https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS>

Thanks again for your help!

—john
Post by Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Post by John Cartwright
Hello All,
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and the server are not able to agree on a cipher suite. Can anyone tell me what ciphers QGIS supports or any way to get more insight into the underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
Luigi Pirelli
2017-01-03 22:11:50 UTC
Permalink
Hi John

as far as I understand, you only added server CA in qgis auth
configuration, and it's not enough to be authenticated by a fully SSL
featured server, you need a client certificate identity that could be
authorized by the server. Some identity that the server can trust. You
have to add an identity certificate as in the guide:
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html#authentication-methods.

You only added a server CA that is useful in case you need to have a
client side certification of the server to avoid Man-In-the-Middle
attacks.

BTW, with your server you don't need to be authenticated as you can
see in the attached link. Just add a WMS service!

Loading Image...

Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************


On 3 January 2017 at 18:42, John Cartwright
Thanks for your reply Luigi! To be clear, the WMS service that I’m trying
to connect to does not require a username/password but is only available via
https. The server (https://maps.ngdc.noaa.gov) has a valid CA certificate.
I tried adding a SSL Server Configuration (preferences -> authentication ->
Manage Certificates -> Server) and while the entry appears to be valid, I
still get the SSL Handshake error when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS
Thanks again for your help!
—john
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the following error when
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and the
server are not able to agree on a cipher suite. Can anyone tell me what
ciphers QGIS supports or any way to get more insight into the underlying
problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
Jorge Gustavo Rocha
2017-01-03 23:57:58 UTC
Permalink
Hi John,

I've added your WMS service and it works without any problem. I've just
added the url and the connect works. The capabilities are displayed.

You can check the print screen [1] with your https WMS layer.

I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?

Regards,

Jorge Gustavo

[1] Loading Image...
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS
Thanks again for your help!
—john
Post by Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Post by John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and
the server are not able to agree on a cipher suite. Can anyone tell
me what ciphers QGIS supports or any way to get more insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
Pasquale Di Donato
2017-01-04 08:59:42 UTC
Permalink
Hi John,

I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?

Pasquale
Post by Jorge Gustavo Rocha
Hi John,
I've added your WMS service and it works without any problem. I've just
added the url and the connect works. The capabilities are displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
Post by John Cartwright
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade
/MapServer/WMSServer?request=GetCapabilities&service=WMS
Thanks again for your help!
—john
Post by Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/a
uth_overview.html
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
************************************************************
**************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/
mastering-qgis-second-edition
************************************************************
**************************************
On 29 December 2016 at 22:38, John Cartwright
Post by John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and
the server are not able to agree on a cipher suite. Can anyone tell
me what ciphers QGIS supports or any way to get more insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
John Cartwright
2017-01-05 18:23:34 UTC
Permalink
Thanks. I used wireshark to trace the session and it appears that QGIS is attempting to make the connection with TLSv1 which I think is at least part of the problem.

Can either of you tell me what protocol and cipher suites you’re using? what OS you’re running on? Is there anyway to force QGIS to use a different protocol?

Thanks!

—john
Post by Jorge Gustavo Rocha
Hi John,
I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?
Pasquale
Hi John,
I've added your WMS service and it works without any problem. I've just added the url and the connect works. The capabilities are displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png <http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png>
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov <https://maps.ngdc.noaa.gov/>) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS <https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS>
Thanks again for your help!
—john
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html <https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html>
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli <https://www.linkedin.com/in/luigipirelli>
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli <http://gis.stackexchange.com/users/19667/luigi-pirelli>
* GitHub: https://github.com/luipir <https://github.com/luipir>
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition <https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition>
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and
the server are not able to agree on a cipher suite. Can anyone tell
me what ciphers QGIS supports or any way to get more insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480 <tel:%2B351%20253604480>
Fax: +351 253604471 <tel:%2B351%20253604471>
Móvel: +351 910333888 <tel:%2B351%20910333888>
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user <http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
Larry Shaffer
2017-01-05 19:06:48 UTC
Permalink
Hi John,

On Thu, Jan 5, 2017 at 11:23 AM, John Cartwright <
Post by John Cartwright
Thanks. I used wireshark to trace the session and it appears that QGIS is
attempting to make the connection with TLSv1 which I think is at least part
of the problem.
Can either of you tell me what protocol and cipher suites you’re using?
what OS you’re running on? Is there anyway to force QGIS to use a
different protocol?
In Options -> Authentication -> Manage Certificates -> Servers, which is
where SSL Server configurations are listed after they are optionally
created in the SSL Error dialog. In an SSL Server configuration, you can
set the protocol, though I am unsure why you would *not* want to use TLSv1,
since the SSLv2|3 protocols have known vulnerabilities.

Loading Image...

Cipher suites are a bit harder to manage. Although one could use
QSslConfiguration::setCiphers(), this is not supported in QGIS's SSL server
configurations [0]. I believe you would need to do this via OpenSSL
configuration.

[0] http://doc.qt.io/qt-4.8/qsslconfiguration.html#setCiphers

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
Post by John Cartwright
Thanks!
—john
On Jan 4, 2017, at 1:59 AM, Pasquale Di Donato <
Hi John,
I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?
Pasquale
Post by Jorge Gustavo Rocha
Hi John,
I've added your WMS service and it works without any problem. I've just
added the url and the connect works. The capabilities are displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
Post by John Cartwright
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade
/MapServer/WMSServer?request=GetCapabilities&service=WMS
Thanks again for your help!
—john
Post by Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS Authentication
Manager that store credentials in the same way as Firefox, in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different king of
credential method (using plugins => can be expanded). De default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/a
uth_overview.html
what is you auth method? can you explain the workflow you followed to
store and use your credentials?
regards
Luigi Pirelli
************************************************************
**************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/
mastering-qgis-second-edition
************************************************************
**************************************
On 29 December 2016 at 22:38, John Cartwright
Post by John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing that QGIS and
the server are not able to agree on a cipher suite. Can anyone tell
me what ciphers QGIS supports or any way to get more insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
Jorge Gustavo Rocha
2017-01-05 23:30:36 UTC
Permalink
Hi John,

I've captured QGIS packets to/from the WMS service, after clicking
"Connect" on QGIS (to get the capabilities document).

The print screen is available at [1].

Wireshark reports the protocol as TLSv1.2.

Regards,

Jorge

[1] Loading Image...
Post by John Cartwright
Thanks. I used wireshark to trace the session and it appears that QGIS
is attempting to make the connection with TLSv1 which I think is at
least part of the problem.
Can either of you tell me what protocol and cipher suites you’re using?
what OS you’re running on? Is there anyway to force QGIS to use a
different protocol?
Thanks!
—john
Post by John Cartwright
On Jan 4, 2017, at 1:59 AM, Pasquale Di Donato
Hi John,
I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?
Pasquale
Hi John,
I've added your WMS service and it works without any problem. I've
just added the url and the connect works. The capabilities are
displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
<http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png>
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov
<https://maps.ngdc.noaa.gov/>) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS
<https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS>
Thanks again for your help!
—john
On Jan 2, 2017, at 1:52 AM, Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS
Authentication
Manager that store credentials in the same way as Firefox,
in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using
Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different
king of
credential method (using plugins => can be expanded). De
default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
<https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html>
what is you auth method? can you explain the workflow you
followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT
boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
<https://www.linkedin.com/in/luigipirelli>
http://gis.stackexchange.com/users/19667/luigi-pirelli
<http://gis.stackexchange.com/users/19667/luigi-pirelli>
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
<https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition>
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the
following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing
that QGIS and
the server are not able to agree on a cipher suite.
Can anyone tell
me what ciphers QGIS supports or any way to get more
insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480 <tel:%2B351%20253604480>
Fax: +351 253604471 <tel:%2B351%20253604471>
Móvel: +351 910333888 <tel:%2B351%20910333888>
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
John Cartwright
2017-01-06 00:04:42 UTC
Permalink
Thanks Jorge, that helps confirm my suspicion. Are you running on linux? Based on this ticket (https://hub.qgis.org/issues/11473 <https://hub.qgis.org/issues/11473>), it sounds like the supported protocols may be dependent on the version of Qt that QGIS is using. Do you happen to know which version you’re using?

—john
Post by Jorge Gustavo Rocha
Hi John,
I've captured QGIS packets to/from the WMS service, after clicking "Connect" on QGIS (to get the capabilities document).
The print screen is available at [1].
Wireshark reports the protocol as TLSv1.2.
Regards,
Jorge
[1] http://webgis.di.uminho.pt/~jgr/qgis-connect-https-wms-service.png
Post by John Cartwright
Thanks. I used wireshark to trace the session and it appears that QGIS
is attempting to make the connection with TLSv1 which I think is at
least part of the problem.
Can either of you tell me what protocol and cipher suites you’re using?
what OS you’re running on? Is there anyway to force QGIS to use a
different protocol?
Thanks!
—john
Post by John Cartwright
On Jan 4, 2017, at 1:59 AM, Pasquale Di Donato
Hi John,
I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?
Pasquale
Hi John,
I've added your WMS service and it works without any problem. I've
just added the url and the connect works. The capabilities are
displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
<http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png>
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov
<https://maps.ngdc.noaa.gov/>) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS
<https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS>
Thanks again for your help!
—john
On Jan 2, 2017, at 1:52 AM, Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS
Authentication
Manager that store credentials in the same way as Firefox,
in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using
Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different
king of
credential method (using plugins => can be expanded). De
default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
<https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html>
what is you auth method? can you explain the workflow you
followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT
boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
<https://www.linkedin.com/in/luigipirelli>
http://gis.stackexchange.com/users/19667/luigi-pirelli
<http://gis.stackexchange.com/users/19667/luigi-pirelli>
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
<https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition>
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the
following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing
that QGIS and
the server are not able to agree on a cipher suite.
Can anyone tell
me what ciphers QGIS supports or any way to get more
insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480 <tel:%2B351%20253604480>
Fax: +351 253604471 <tel:%2B351%20253604471>
Móvel: +351 910333888 <tel:%2B351%20910333888>
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
Jorge Gustavo Rocha
2017-01-06 10:13:32 UTC
Permalink
Hi John,

I was able to use the https WMS server on Ubuntu and on Windows.

=== Ubuntu 16.04.1 LTS, QGIS 64 bit:

QGIS version
2.18.2
QGIS code revision
102ee87
Compiled against Qt
4.8.7
Running against Qt
4.8.7
Compiled against GDAL/OGR
1.11.3
Running against GDAL/OGR
1.11.3
Compiled against GEOS
3.5.0-CAPI-1.9.0
Running against GEOS
3.5.0-CAPI-1.9.0 r4084
PostgreSQL Client Version
9.5.2
SpatiaLite Version
4.3.0a
QWT Version
5.2.3
PROJ.4 Version
492
QScintilla2 Version
2.9.1


=== Windows 10, QGIS 64 bit:

QGIS version
2.18.0
QGIS code revision
0332f5a
Compiled against Qt
4.8.5
Running against Qt
4.8.5
Compiled against GDAL/OGR
2.1.1
Running against GDAL/OGR
2.1.1
Compiled against GEOS
3.5.0-CAPI-1.9.0
Running against GEOS
3.5.0-CAPI-1.9.0 r4084
PostgreSQL Client Version
9.2.4
SpatiaLite Version
4.3.0
QWT Version
5.2.3
PROJ.4 Version
493
QScintilla2 Version
2.7.2

Regards,

Jorge
Post by John Cartwright
Thanks Jorge, that helps confirm my suspicion. Are you running on
linux? Based on this ticket (https://hub.qgis.org/issues/11473), it
sounds like the supported protocols may be dependent on the version of
Qt that QGIS is using. Do you happen to know which version you’re using?
—john
Post by Jorge Gustavo Rocha
Hi John,
I've captured QGIS packets to/from the WMS service, after clicking
"Connect" on QGIS (to get the capabilities document).
The print screen is available at [1].
Wireshark reports the protocol as TLSv1.2.
Regards,
Jorge
[1] http://webgis.di.uminho.pt/~jgr/qgis-connect-https-wms-service.png
Post by John Cartwright
Thanks. I used wireshark to trace the session and it appears that QGIS
is attempting to make the connection with TLSv1 which I think is at
least part of the problem.
Can either of you tell me what protocol and cipher suites you’re using?
what OS you’re running on? Is there anyway to force QGIS to use a
different protocol?
Thanks!
—john
Post by John Cartwright
On Jan 4, 2017, at 1:59 AM, Pasquale Di Donato
Hi John,
I can access your service too. Using QGIS 2.14.8.
Maybe you have an issue with a proxy?
Pasquale
On Wed, Jan 4, 2017 at 12:57 AM, Jorge Gustavo Rocha
Hi John,
I've added your WMS service and it works without any problem. I've
just added the url and the connect works. The capabilities are
displayed.
You can check the print screen [1] with your https WMS layer.
I'm using QGIS 2.18.2 on Ubuntu. Which OS are you using?
Regards,
Jorge Gustavo
[1] http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png
<http://webgis.di.uminho.pt/~jgr/wms%20with%20https.png>
Thanks for your reply Luigi! To be clear, the WMS service that I’m
trying to connect to does not require a username/password but is only
available via https. The server (https://maps.ngdc.noaa.gov
<https://maps.ngdc.noaa.gov/>) has a
valid CA certificate. I tried adding a SSL Server Configuration
(preferences -> authentication -> Manage Certificates -> Server) and
while the entry appears to be valid, I still get the SSL
Handshake error
when trying add a WMS layer.
https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS
<https://maps.ngdc.noaa.gov/arcgis/services/gebco08_hillshade/MapServer/WMSServer?request=GetCapabilities&service=WMS>
Thanks again for your help!
—john
On Jan 2, 2017, at 1:52 AM, Luigi Pirelli
Hi John
SSL is managed storing credentials using the QGIS
Authentication
Manager that store credentials in the same way as Firefox,
in a master
pwd crypted store in your $home/.qgis2/qgis-auth.db.
You should managed credentials using
Settings->options->authentication.
QGIS uses OpenSSL => and specifically can import different
king of
credential method (using plugins => can be expanded). De
default auth
https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html
<https://docs.qgis.org/2.14/en/docs/user_manual/auth_system/auth_overview.html>
what is you auth method? can you explain the workflow you
followed to
store and use your credentials?
regards
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT
boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
<https://www.linkedin.com/in/luigipirelli>
http://gis.stackexchange.com/users/19667/luigi-pirelli
<http://gis.stackexchange.com/users/19667/luigi-pirelli>
* GitHub: https://github.com/luipir
*
https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
<https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition>
**************************************************************************************************
On 29 December 2016 at 22:38, John Cartwright
Hello All,
I’m trying to use a WMS service over https and get the
following
Download of capabilities failed: SSL handshake failed
The URL works fine in a browser though. I’m guessing
that QGIS and
the server are not able to agree on a cipher suite.
Can anyone tell
me what ciphers QGIS supports or any way to get more
insight into the
underlying problem?
QGIS is version 2.18.2.
Thanks!
—john
_______________________________________________
Qgis-user mailing list
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480 <tel:%2B351%20253604480>
Fax: +351 253604471 <tel:%2B351%20253604471>
Móvel: +351 910333888 <tel:%2B351%20910333888>
skype: nabocudnosor
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
<http://lists.osgeo.org/mailman/listinfo/qgis-user>
_______________________________________________
Qgis-user mailing list
List info: http://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-user
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
J. Gustavo
--
Jorge Gustavo Rocha
Departamento de Informática
Universidade do Minho
4710-057 Braga
Tel: +351 253604480
Fax: +351 253604471
Móvel: +351 910333888
skype: nabocudnosor
Loading...