[gdal-dev] libcurl and the certificates and Windows

Joaquim Luis jluis at ualg.pt
Sat Jun 3 10:29:34 PDT 2017


For reference

https://github.com/curl/curl/issues/1538


> On Sat, 03 Jun 2017 17:22:33 +0100, Even Rouault  
> <even.rouault at spatialys.com> wrote:
>
>>
>> On Saturday 3 June 2017 17:04:07 CEST Joaquim Luis wrote:
>>
>>> Hi,
>>>
>>> For quite some time I cannot use the 'vsis' because of a certificates
>>> issue.
>>> For example, a GMT test that has a command like this no longer works on
>>> Windows
>>>
>>> gdalinfo /vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg
>>>
>>> because
>>>
>>> ERROR 11: HTTP response code: 301 - SSL certificate problem: unable to get local issuer certificate
>>> gdalinfo failed - unable to open '/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg'.
>>>
>>> It used to work but probably with an older libcurl dll.
>>> The above is with my own build of gdal and dependencies (libcurl included)
>>> but the same happens with the gisinternals binaries.
>>>
>>> I have re(and re)ad this page about the certificates
>>>
>>> https://curl.haxx.se/docs/sslcerts.html
>>>
>>> but regarding Windows and the curl-ca-bundle.crt file what is said about
>>> it simply does not work. The only thing that works is setting the ENV
>>> variable
>>>
>>> set CURL_CA_BUNDLE=V:\bin\curl-ca-bundle.crt
>>>
>>> Now, we had this in GMT recently and I used the nuke option
>>>
>>> curl_easy_setopt (Curl, CURLOPT_SSL_VERIFYPEER, 0L); /* Tell libcurl to not verify the peer */
>>>
>>> so tried to do the same thing in the GDAL code (the obvious point seemed
>>> to be VSICurlSetOptions in cpl_vsi_curl.cpp) but still does not work.
>>
>> Someone reported to me a similar issue with recent OSGeo4W.
>>
>> Did you try setting GDAL_HTTP_UNSAFESSL=YES? This is taken into account
>> in CPLHTTPSetOptions() that is called by VSICurlSetOptions(), and
>> this sets CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0.
>>
>> This solved the issue.
>>
>
> Thanks, yes that works too (and, no I hadn't tried it before) although
> it's a different solution than setting CURL_CA_BUNDLE, which does not
> turn out the certificates verification.
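
An added example, not part of the original message and not GDAL or curl code: a pre-flight check that reports which of the two settings discussed above is in effect, and whether the file named by CURL_CA_BUNDLE actually loads as a CA bundle. The function name, the status strings and the set of values treated as "false" for GDAL_HTTP_UNSAFESSL are assumptions.

```python
import os
import ssl

# Assumption: values GDAL's boolean config parsing reads as "false".
_FALSE = {"NO", "FALSE", "OFF", "0"}


def audit_tls_settings(env=None):
    """Return (status, detail) for the TLS settings discussed in the thread.

    status is one of: "verification-disabled", "default-store",
    "bundle-missing", "bundle-invalid", "bundle-ok".
    """
    env = os.environ if env is None else env

    unsafe = env.get("GDAL_HTTP_UNSAFESSL")
    if unsafe and unsafe.strip().upper() not in _FALSE:
        # Per the thread this sets CURLOPT_SSL_VERIFYPEER=0 and
        # CURLOPT_SSL_VERIFYHOST=0, so the server identity is not checked
        # and a CA bundle, even a valid one, is never consulted.
        return ("verification-disabled", "GDAL_HTTP_UNSAFESSL=" + unsafe)

    bundle = env.get("CURL_CA_BUNDLE")
    if not bundle:
        return ("default-store", "CURL_CA_BUNDLE not set; libcurl defaults apply")
    if not os.path.isfile(bundle):
        return ("bundle-missing", bundle)

    # Load the file the way a TLS client would, to prove it holds PEM
    # certificates rather than being empty, truncated or an HTML error page.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle)
    except (ssl.SSLError, OSError) as exc:
        return ("bundle-invalid", "%s: %s" % (bundle, exc))
    count = len(ctx.get_ca_certs())
    return ("bundle-ok", "%s: %d CA certificates loaded" % (bundle, count))


if __name__ == "__main__":
    status, detail = audit_tls_settings()
    print(status, "-", detail)
```

Run in the same environment as gdalinfo, "bundle-ok" means verification stays on with an explicit trust store, while "verification-disabled" flags the GDAL_HTTP_UNSAFESSL workaround.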