I don’t think so. No changes were made on my computer that I am aware of. Instead, I believe what happened was that slicer-packages.kitware.com was added to a whitelist of domains which are not run through the Zscaler inspection at the institution level. When Zscaler is on, nearly all network traffic is routed through it, as can be confirmed by checking the certificate hierarchy in a browser visiting a random web page: everything has a Zscaler certificate. However, after the change, the kitware package site no longer has a Zscaler certificate in the hierarchy. Based on this information, I think you are probably correct that turning Zscaler off may be a viable strategy for installing extensions. However, when I tried it just now, I get the same type of error in Slicer, and I still see Zscaler certificates in the browser, so I think that there is maybe some lingering of settings (maybe some of this stuff is cached?). Restarting Slicer didn’t change anything, and I haven’t tried restarting the computer yet. I work from home nearly all the time, and use the intranet over Zscaler nearly all the time. It is worth it to me to spend some troubleshooting effort to see if it’s possible to resolve this so that it “just works”.
@lassoan, I am still unclear about how to modify the Slicer.crt. As you suggest, in Chrome, on a site, I can get to a button to export a certificate, and that generates a .crt file, but the only thing in it is the block of characters between —BEGIN CERTIFICATE— and —END CERTIFICATE— tags. Is it sufficient to paste that at the bottom of the Slicer.crt file? Or is the metadata section which seems to be present for all other certificates (the version, the serial number, signature algorithm, etc) also required? Also, there seem to be multiple levels of certificates in a hierarchy, do I need to add all of them?
I can no longer use the extension manager for testing, since the exception is now in place allowing that domain to skip zscaler. So, I have been using discourse.slicer.org as the test url instead, which still gives an SSL handshake error.
```python
# Run in the Slicer Python console, where qt and slicer are already available
def testURL(url):
    # Issue a GET request through Qt's network stack
    request = qt.QNetworkRequest(url)
    manager = qt.QNetworkAccessManager()
    reply = manager.get(request)
    # Keep the event loop running until the reply has finished
    while not reply.isFinished():
        slicer.app.processEvents()
    print(f"HTTP response code: {reply.attribute(qt.QNetworkRequest.HttpStatusCodeAttribute)}")
    print(f"Error code: {reply.error()}")
    print(f"ErrorString: {reply.errorString()}")
    #print(reply.readAll())
    return reply

failingURL = qt.QUrl("https://discourse.slicer.org")  # no exception for zscaler, ssl handshake fails
passingURL = qt.QUrl("https://slicer-packages.kitware.com")  # exception in place for zscaler, data returned
```
The passingURL returns response code 200 and the html content of the page. The failingURL returns
```
HTTP response code: None
Error code: 6
ErrorString: SSL handshake failed
```
So, I think this method seems like it will work for checking if a sufficient set of certificates has been added to Slicer.crt. I tried pasting what I got out of Chrome into the bottom of Slicer.crt, restarted Slicer, and ran this test, with no change in result. However, I don’t know if that is because I grabbed the wrong certificate (maybe I need all the certificates in the hierarchy? or just the top one? or just the bottom one?) or if it is because the certificate I tried to add was ignored because it was missing metadata or otherwise was not the proper format. For testing, do I need to restart Slicer every time I modify Slicer.crt, or is that dynamically checked each time? If there is a malformed certificate added, will any errors show up (I don’t see anything obvious in the error log, but I might also have missed something)?
@jamesobutler, to get the certificate from Chrome, I click this button next to the url in the browser window, then click “Connection is secure >”, then “Certificate is valid”, which pops up a window, then click on the “Details” tab, and there, there is an “Export” button in the lower right. Just discovered as I was writing this out for you that in the “Export” window, it is possible to change the file type from single certificate to certificate chain.
If I do this, for the slicer discourse site, I get a chain of four certificates, only the begin/end certificate blocks, no other metadata. I’ll try pasting this at the end of the Slicer.crt file and see if that works. It did not, same error on the failingURL.
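An added example, not part of the original post and not Slicer's own code: one way to check whether the blocks pasted into a PEM bundle are well-formed and whether each certificate of an exported chain is present in it. It assumes the bundle is a standard PEM file in which only the base64 between exact five-hyphen BEGIN/END markers is read; `fake_pem` and the sample strings are constructed placeholders, not real certificates.

```python
import base64
import binascii
import hashlib
import re

BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """Return (sha256 fingerprints, problems) for the certificate blocks in text.

    Anything outside the exact five-hyphen BEGIN/END markers is skipped, so a
    human-readable dump (version, serial number, ...) is not read by this parser.
    """
    prints, problems = [], []
    matches = BLOCK.findall(text)
    for n, body in enumerate(matches, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {n}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append(f"block {n}: decoded data is not DER")
            continue
        prints.append(hashlib.sha256(der).hexdigest())
    stray = text.count("BEGIN CERTIFICATE") - len(matches)
    if stray:
        problems.append(f"{stray} BEGIN marker(s) outside a well-formed block")
    return prints, problems

def chain_status(chain_text, bundle_text):
    """Per chain certificate: is the same DER present in the bundle?"""
    chain, chain_problems = pem_fingerprints(chain_text)
    bundle, bundle_problems = pem_fingerprints(bundle_text)
    return [fp in bundle for fp in chain], chain_problems + bundle_problems

def fake_pem(payload, dash="-----"):
    """Constructed stand-in for a certificate block (placeholder bytes, not X.509)."""
    body = base64.encodebytes(b"\x30\x82" + payload).decode()
    return f"{dash}BEGIN CERTIFICATE{dash}\n{body}{dash}END CERTIFICATE{dash}\n"

# Constructed sample data; in practice read the exported chain and the bundle from disk.
CHAIN = fake_pem(b"site-leaf") + fake_pem(b"inspection-root")
BUNDLE_OK = "Version: 3 (0x2)\n" + fake_pem(b"public-root") + fake_pem(b"inspection-root")
# Same paste, but the hyphen runs were turned into em-dashes by a text editor.
BUNDLE_MANGLED = fake_pem(b"public-root") + fake_pem(b"inspection-root", dash="\u2014")

if __name__ == "__main__":
    print(chain_status(CHAIN, BUNDLE_OK))
    print(chain_status(CHAIN, BUNDLE_MANGLED))
```

A block whose markers are not exactly five ASCII hyphens is reported as a stray marker instead of being counted, which is the kind of silent skip a handshake test alone cannot distinguish from a wrong certificate.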