<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I’d like to add that I think an option like GDAL_HTTP_CA_CERT_FILE or GDAL_HTTP_CA_CERT_PATH would be useful to have.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In our applications, usage of libcurl outside of GDAL sets the CURLOPT_CAINFO to point to our certificate bundle, but, for GDAL, we instead set GDAL_HTTP_UNSAFESSL=YES.
Had that option existed, I’m sure we would have used it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">That being said, I still feel that, for Windows, using the Certificate Stores is what makes the most sense. That way, in an organizational setting, certificates
can be managed via the domain instead of having to configure each workstation separately. That would involve building libcurl with SChannel support instead of OpenSSL. From I can tell, that would only work for Windows XP onwards.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Andr</span><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">é<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> gdal-dev [mailto:gdal-dev-bounces@lists.osgeo.org]
<b>On Behalf Of </b>Joaquim Luis<br>
<b>Sent:</b> Saturday, June 3, 2017 14:30<br>
<b>To:</b> gdal-dev@lists.osgeo.org; Even Rouault <even.rouault@spatialys.com>; Joaquim Luis <jluis@ualg.pt><br>
<b>Subject:</b> Re: [gdal-dev] libcurl and the certificates and Windows<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">For reference<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><a href="https://github.com/curl/curl/issues/1538">https://github.com/curl/curl/issues/1538</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:0in;margin-right:0in;margin-bottom:4.8pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt">On Sat, 03 Jun 2017 17:22:33 +0100, Even Rouault <<a href="mailto:even.rouault@spatialys.com">even.rouault@spatialys.com</a>> wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:0in;margin-right:0in;margin-bottom:4.8pt">
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">On samedi 3 juin 2017 17:04:07 CEST Joaquim Luis wrote:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> Hi,<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> For quite some time I cannot use the 'vsis' because of certificates issue.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> For example, a GMT test that has a command like this no longer works on<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> Windows<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> gdalinfo<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> /vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> .jpg<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> because<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> ERROR 11: HTTP response code: 301 - SSL certificate problem: unable to get<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> local issuer certificate<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> gdalinfo failed - unable to open<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> '/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbi<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> t.jpg'.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> It used to work but probably with an older libcurl dll.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> The above is with my own build gdal and dependencies (libcurl included)<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> but the same happens with the gisinternals binaries.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> I have re(and re)ad this page about the certificates<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<a href="https://curl.haxx.se/docs/sslcerts.html">https://curl.haxx.se/docs/sslcerts.html</a><o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> but regarding Windows and the curl-ca-bundle.crt file what is said about<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> it simply does not work. The only thing that works is setting the ENV<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> variable<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> set CURL_CA_BUNDLE=V:\bin\curl-ca-bundle.crt<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> Now, we had this in GMT recently and I used the nuke option<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> curl_easy_setopt (Curl, CURLOPT_SSL_VERIFYPEER, 0L); /* Tell libcurl to<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> not verify the peer */<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> so tried to do the same thing in the GDAL code (the obvious point seamed<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">> to be VSICurlSetOptions in cpl_vsi_curl.cpp) but still does not work.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:10.0pt"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">Someone reported to me a similar issue with recent OSGeo4W.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:10.0pt"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">Did you try setting GDAL_HTTP_UNSAFESSL=YES? This is taken into account in CPLHTTPSetOptions() that is called by VSICurlSetOptions(), and this set
CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:10.0pt"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:10.0pt">This solved the issue.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:10.0pt"> <o:p></o:p></span></p>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Thanks, yes that works too (and, no I hadn't tried it before) although it's a different solution than setting CURL_CA_BUNDLE , which does not turn out the certificates verification. <o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt"><br>
<br>
<o:p></o:p></span></p>
</div>
</div>
</body>
</html>