QGCFileDownload: handle OpenSSL build time vs runtime version mismatch

src/QGCFileDownload.cc

@@ -60,6 +60,8 @@ bool QGCFileDownload::download(const QString& remoteFile, const QVector<QPair<QN
         return false;
     }
 
+    setIgnoreSSLErrorsIfNeeded(*networkReply);
+
     connect(networkReply, &QNetworkReply::downloadProgress, this, &QGCFileDownload::downloadProgress);
     connect(networkReply, &QNetworkReply::finished, this, &QGCFileDownload::_downloadFinished);
     connect(networkReply, &QNetworkReply::errorOccurred, this, &QGCFileDownload::_downloadError);
@@ -148,3 +150,19 @@ void QGCFileDownload::_downloadError(QNetworkReply::NetworkError code)
 
     emit downloadComplete(_originalRemoteFile, QString(), errorMsg);
 }
+
+void QGCFileDownload::setIgnoreSSLErrorsIfNeeded(QNetworkReply& networkReply)
+{
+    // Some systems (like Ubuntu 22.04) only ship with OpenSSL 3.x, however Qt 5.15.2 links against OpenSSL 1.x.
+    // This results in unresolved symbols for EVP_PKEY_base_id and SSL_get_peer_certificate.
+    // To still get a connection we have to ignore certificate verification (connection is still encrypted but open to MITM attacks)
+    // See https://bugreports.qt.io/browse/QTBUG-115146
+    const bool sslLibraryBuildIs1x = (QSslSocket::sslLibraryBuildVersionNumber() & 0xf0000000) == 0x10000000;
+    const bool sslLibraryIs3x = (QSslSocket::sslLibraryVersionNumber() & 0xf0000000) == 0x30000000;
+    if (sslLibraryBuildIs1x && sslLibraryIs3x) {
+        qWarning() << "Ignoring ssl certificates due to OpenSSL version mismatch";
+        QList<QSslError> errorsThatCanBeIgnored;
+        errorsThatCanBeIgnored << QSslError(QSslError::NoPeerCertificate);
+        networkReply.ignoreSslErrors(errorsThatCanBeIgnored);
+    }
+}

src/QGCFileDownload.h

@@ -25,6 +25,8 @@ public:
     /// @return true: Asynchronous download has started, false: Download initialization failed
     bool download(const QString& remoteFile, const QVector<QPair<QNetworkRequest::Attribute, QVariant>>& requestAttributes={}, bool redirect = false);
 
+    static void setIgnoreSSLErrorsIfNeeded(QNetworkReply& networkReply);
+
 signals:
     void downloadProgress(qint64 curr, qint64 total);
     void downloadComplete(QString remoteFile, QString localFile, QString errorMsg);

src/QtLocationPlugin/QGCMapTileSet.cpp

@@ -19,6 +19,7 @@
 #include "QGCMapEngine.h"
 #include "QGCMapTileSet.h"
 #include "QGCMapEngineManager.h"
+#include "QGCFileDownload.h"
 #include "TerrainTile.h"
 
 #include <QSettings>
@@ -249,6 +250,7 @@ void QGCCachedTileSet::_prepareDownload()
 #endif
             QNetworkReply* reply = _networkManager->get(request);
             reply->setParent(0);
+            QGCFileDownload::setIgnoreSSLErrorsIfNeeded(*reply);
             connect(reply, &QNetworkReply::finished, this, &QGCCachedTileSet::_networkReplyFinished);
             connect(reply, &QNetworkReply::errorOccurred, this, &QGCCachedTileSet::_networkReplyError);
             _replies.insert(tile->hash(), reply);

src/Terrain/TerrainQuery.cc

@@ -10,6 +10,7 @@
 #include "TerrainQuery.h"
 #include "QGCMapEngine.h"
 #include "QGeoMapReplyQGC.h"
+#include "QGCFileDownload.h"
 #include "QGCApplication.h"
 
 #include <QUrl>
@@ -123,7 +124,7 @@ void TerrainAirMapQuery::_sendQuery(const QString& path, const QUrlQuery& urlQue
         _requestFailed();
         return;
     }
-    networkReply->ignoreSslErrors();
+    QGCFileDownload::setIgnoreSSLErrorsIfNeeded(*networkReply);
 
     connect(networkReply, &QNetworkReply::finished, this, &TerrainAirMapQuery::_requestFinished);
     connect(networkReply, &QNetworkReply::sslErrors, this, &TerrainAirMapQuery::_sslErrors);