Summary

TLS options (such as custom CAs or validation) can't be set in QML for http requests (via  XMLHttpRequest), thus making QML useless for talking to devices such as smart hubs that don't use system trusted CAs 

Problem

I develop a small applet that has to be pure QML, no C++ or other compiled sources (due to it being a KDE Plasmoid, a sort of small desktop widget, that can be distributed without binaries.) This applet talks to a smart hub by Philips / Signify for smart lights.

They use a custom CA that is available as PEM, however, QML does not provide any way to inject such a custom CA. Also the certificate subject needs to be overriden or not validated, as that is obviously different for everyone for a local device.

XMLHttpRequest, however, does not only not expose any TLS options, it simply silently fails (with a status of 0) if it doesn't like a certificate presented on a https connection. This makes it completely useless and thus QML unfit to communicate with local network devices such as smart devices.

How to reproduce

Have a small httpd server that does https, but with a custom certificate that is not in your local sytems trust. 

Try to talk to that webserver via pure qml. You can't. 

Proposed solution

Expose TLS options in QML to allow injecting custom CAs into the trust and disable selected validations, such as subject name.