<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Seliteteksti Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoNoSpacing, li.MsoNoSpacing, div.MsoNoSpacing
{mso-style-priority:1;
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.Shkpostityyli20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.Shkpostityyli22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.Shkpostityyli23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.SelitetekstiChar
{mso-style-name:"Seliteteksti Char";
mso-style-priority:99;
mso-style-link:Seliteteksti;
font-family:"Tahoma","sans-serif";}
span.Shkpostityyli26
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:765730516;
mso-list-type:hybrid;
mso-list-template-ids:-1595907822 67698693 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FI" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Try to study one problem at a time. You wrote:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">“This suggests that MapServer does not take into account CURL_CA_BUNDLE environment path and does not pass it to libcurl”.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">That’s not accurate, so far you only know</span><span lang="EN-US" style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">“This suggests that MapServer does not take into account CURL_CA_BUNDLE environment path and does not pass it to libcurl when MS is run as fast-cgi on IIS and it tries to read a remote SLD file ”.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I would install ms4w with ca-bundle in a known place and try if it is possible to use the SLD then via cgi. If it works I would know that it is possible. Next I would have a try with fast-cgi. If
it still works I would know that I only need to make it to work with IIS. Myself I have only struggled with self-signed certificates when cascading WMS servers. I know how to make that work but I would not blindly trust that SLDs behave in a similar way but
I would make a quick test first.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Jukka Rahkonen-<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Lähettäjä:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Robertas.Kerpys@bentley.com [mailto:Robertas.Kerpys@bentley.com]
<br>
<b>Lähetetty:</b> 6. helmikuuta 2014 10:54<br>
<b>Vastaanottaja:</b> Rahkonen Jukka (Tike); mapserver-users@lists.osgeo.org<br>
<b>Aihe:</b> RE: [mapserver-users] Make MapServer trust self-signed certificate on Windows<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thanks Jukka, but we are using IIS 7.5 server and MapServer runs through FastCGI.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Robertas</span></b><span lang="EN-US" style="font-size:10.0pt;color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Rahkonen Jukka (Tike) [<a href="mailto:jukka.rahkonen@mmmtike.fi">mailto:jukka.rahkonen@mmmtike.fi</a>]
<br>
<b>Sent:</b> Thursday, February 06, 2014 10:13 AM<br>
<b>To:</b> Robertas Kerpys; 'mapserver-users@lists.osgeo.org'<br>
<b>Subject:</b> Re: [mapserver-users] Make MapServer trust self-signed certificate on Windows<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hi,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I seem to have this setting done in Apache’s httpd.conf file as</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">SetEnv CURL_CA_BUNDLE "d:/Program Files/ms4w/Apache/conf/ca-bundle/cacert.pem"</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Check if that works better, or if there happens to be a line already overriding your system wide setting.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">-Jukka Rahkonen-</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:Robertas.Kerpys@bentley.com"><span lang="EN-US">Robertas.Kerpys@bentley.com</span></a>
</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">wrote:</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNoSpacing"><span lang="EN-US">Hi Folks,</span><o:p></o:p></p>
<p class="MsoNoSpacing"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNoSpacing"><span class="apple-converted-space"><span lang="EN-US" style="color:black">I </span></span><span lang="EN-US" style="color:black">want to access MapServer SLD resource via secure connection. I've set up SSL on IIS for my web site successfully
using a self-signed certificate. Then I added self-signed certificate into a curl-ca-bundle.crt certificate file and set CURL_CA_BUNDLE system level environment variable pointing to curl-ca-bundle.crt file.</span><o:p></o:p></p>
<p class="MsoNoSpacing" style="orphans: auto;widows: auto;-webkit-text-stroke-width: 0px;background-position:initial initial;background-repeat:initial initial;word-spacing:0px">
<span lang="EN-US" style="color:black">Aforementioned steps are covered in the following resources:</span><o:p></o:p></p>
<p class="MsoNoSpacing" style="margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Wingdings"><span style="mso-list:Ignore">§<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:black;border:none windowtext 1.0pt;padding:0cm"><a href="http://mapserver.org/ogc/wxs_secure.html">How to set up MapServer as a client to access a service over https</a></span><o:p></o:p></p>
<p class="MsoNoSpacing" style="margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Wingdings"><span style="mso-list:Ignore">§<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:black"><a href="http://blog.gisinternals.com/2010/12/daily-built-binary-packages-for.html"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0cm">MapServer with OpenSSL support</span></a></span><o:p></o:p></p>
<p class="MsoNoSpacing"><span lang="EN-US" style="color:black"> </span><o:p></o:p></p>
<p class="MsoNoSpacing"><span lang="EN-US" style="color:black">Unfortunately this configuration does not work and curl throws invalid certificate exception when accessing the following URL:</span><span class="apple-converted-space"><span lang="EN-US" style="font-size:10.5pt;font-family:"Arial","sans-serif";color:black"> </span></span><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"><a href="https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap">https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"><?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"><!DOCTYPE ServiceExceptionReport SYSTEM "<a href="http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd</a>"></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"><ServiceExceptionReport version="1.1.1"></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"><ServiceException></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas">msSLDApplySLDURL: WMS server error. Could not open SLD
<a href="https://domain/cgi-bin/sld.xml">https://domain/cgi-bin//sld.xml</a> and save it in temporary file C:\Windows\TEMP\52f0d577_1380_0.sld.xml. Please make sure that the sld url is valid and that the temporary path is set. The temporary path can be defined
for example by setting TMPPATH in the map file. Please check the MapServer documentation on temporary path settings.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas">msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl error code 60 (SSL certificate problem, verify that the CA cert is OK.
Details:</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas">error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) for
<a href="https://domain/cgi-bin/sld.xml">https://domain/cgi-bin//sld.xml</a></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"></ServiceException></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span lang="EN-US" style="font-size:9.0pt;font-family:Consolas"></ServiceExceptionReport></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNoSpacing"><span lang="EN-US">If curl is used separately it doesn't throw the certificate exception when used with the same curl-ca-bundle.crt file. This suggests that MapServer does not take into account CURL_CA_BUNDLE environment path and does
not pass it to libcurl. But according to<span class="apple-converted-space"><span style="color:black"> </span></span><a href="https://github.com/mapserver/mapserver/blob/7f3e75cbc277b19774dc7030b76b92985f9690c6/maphttp.c"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0cm">MapServer
code</span></a><span class="apple-converted-space"><span style="color:black"> </span></span>it should check for CURL_CA_BUNDLE environment variable and if set use it for cURL. However this doesn't seem to be the case.</span><o:p></o:p></p>
<p class="MsoNoSpacing" style="orphans: auto;widows: auto;-webkit-text-stroke-width: 0px;background-position:initial initial;background-repeat:initial initial;word-spacing:0px">
<span lang="EN-US">I even restarted my server for IIS process to pick up new environment variables:<span class="apple-converted-space"><span style="color:black"> </span></span><a href="http://geographika.co.uk/reboot-to-refresh-environment-variables"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0cm">http://geographika.co.uk/reboot-to-refresh-environment-variables</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Am I missing something?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US">Robertas</span></b><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>