From 7a2fdf3fd60a63c1a67986d9f83b321ea3758b9d Mon Sep 17 00:00:00 2001
From: Dominik Riebeling
Date: Sat, 19 Mar 2022 16:54:27 +0100
Subject: rbutil: Handle SSL certificate errors on first request.
Qt uses the systems certificate store. On old(er) systems the root certificate might not be present, so checking the certificate from the rockbox.org server might fail. On startup we try to download the build-info file. If this fails with a certificate error allow the user to temporarily accept the rockbox.org certificate for all successive requests.
Change-Id: I459e12d53286aaedea4db659d90a5e057c56801f
---
 utils/rbutilqt/base/httpget.cpp | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'utils/rbutilqt/base/httpget.cpp')
diff --git a/utils/rbutilqt/base/httpget.cpp b/utils/rbutilqt/base/httpget.cpp
index fb74514e73..0cd9236209 100644
--- a/utils/rbutilqt/base/httpget.cpp
+++ b/utils/rbutilqt/base/httpget.cpp
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include "httpget.h"
 #include "Logger.h"
@@ -27,6 +28,7 @@ QString HttpGet::m_globalUserAgent; //< globally set user agent for requests
 QDir HttpGet::m_globalCache; //< global cach path value for new objects
 QNetworkProxy HttpGet::m_globalProxy;
+QList HttpGet::m_acceptedClientCerts;
 HttpGet::HttpGet(QObject *parent) : QObject(parent),
@@ -211,9 +213,30 @@ void HttpGet::startRequest(QUrl url)
 connect(m_reply, &QNetworkReply::errorOccurred, this, &HttpGet::networkError);
 #endif
 connect(m_reply, &QNetworkReply::downloadProgress, this, &HttpGet::downloadProgress);
+ connect(m_reply, &QNetworkReply::sslErrors, this, &HttpGet::gotSslError);
 }
+void HttpGet::gotSslError(const QList &errors)
+{
+ LOG_WARNING() << "Got SSL error" << errors;
+
+ // if this is a cert error, and only if we already accepted a remote cert
+ // ignore the error.
+ // This will make QNAM continue the request and finish it.
+ if (errors.size() == 1
+ && errors.at(0).error() == QSslError::UnableToGetLocalIssuerCertificate
+ && m_acceptedClientCerts.contains(m_reply->sslConfiguration().peerCertificate())) {
+ LOG_INFO() << "client cert temporarily trusted by user.";
+ m_reply->ignoreSslErrors();
+ }
+ else {
+ LOG_ERROR() << m_reply->sslConfiguration().peerCertificate().toText();
+ emit sslError(errors.at(0), m_reply->sslConfiguration().peerCertificate());
+ }
+
+}
+
 void HttpGet::networkError(QNetworkReply::NetworkError error)
 {
 LOG_ERROR() << "NetworkError occured:" << error << m_reply->errorString();
--
cgit v1.2.3
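Review bot: In `gotSslError`, the trusted branch calls `m_reply->ignoreSslErrors()` with no argument, which asks Qt to ignore every TLS error on this reply rather than only the single `UnableToGetLocalIssuerCertificate` entry the condition has just vetted; passing the checked list, `m_reply->ignoreSslErrors(errors);`, keeps the exemption as narrow as the check. The `errors.size() == 1` test is what stops a hostname mismatch or an expired certificate from being waived along with the missing issuer, so it deserves a comment such as `// exactly one error: any additional error (host mismatch, expiry) must still fail the request`. The member name and the log line say "client cert", but `peerCertificate()` on the reply is the server's certificate, so a name such as `m_acceptedPeerCerts` and matching log wording would be less misleading in a security log. The code that adds entries to `m_acceptedClientCerts` is not part of this hunk, so how an accepted certificate is scoped (per host, per session) cannot be judged from here.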