[gdal-dev] WMS driver and untrusted certificate

Jukka Rahkonen jukka.rahkonen at mmmtike.fi
Tue Jun 29 19:15:40 EDT 2010


I was experimenting with gdal_translate and WMS driver 
(http://gdal.org/frmt_wms.html). I was running FWTools 2.4.7 on Windows 
Vista and I could make it read my own WMS from localhost.  Next I 
went on and had a try with our production server that must be accessed 
through https and basic authentication. I was guessing that it could 
be done by editing the ServerURL element in the service description 
XML file to be like

<ServerUrl>https://username:password@server.org/cgi-bin/securedWMS?</ServerUrl>

Is this correct? I feel it may be, but I stopped at the following error:

ERROR 1: GDALWMS: Unable to download block 0, 0.
  URL: https://username:password@server.org/cgi-bin/securedWMS?
request=GetMap&version=1.1.0&layers=default&styles=&srs=EPSG:3067&
format=image/jpeg&width=648&height=1024&
bbox=70500.00000000,6728185.83184258,734500.00000000,7776760.00000000


HTTP status code: 0, error: SSL certificate problem, verify that the 
CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed.

I suppose this error may come from the certificates we are using. They 
are not normally included in the list of trusted certificates. With Java
systems I need to add those certificates manually into the Java keystore. 
With command line wget and curl I can bypass the certificate check by 
using the switches --no-check-certificate (wget) or -k (curl).

Because FWTools seems to contain libcurl.dll I was reading thoroughly 
this document http://curl.haxx.se/docs/sslcerts.html

However, it is getting late and I have not figured out how I could make
gdal_translate use my own certificate file that I now have in 
PEM format, or alternatively make it just trust that our server 
is our server because I say so. Is there some hidden configuration 
option for this?

-Jukka Rahkonen-
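
Added example, not part of the original message and not GDAL or FWTools code: it reproduces the "certificate verify failed" condition offline with the openssl command line and shows that supplying the signing CA as a PEM file makes verification pass, while a PEM from an unrelated CA still fails, so trusting your own CA is narrower than switching the check off. The CA names, file names and function names are hypothetical, and all certificates are constructed locally.

```shell
#!/bin/sh
# Added example. Every certificate here is constructed locally; nothing touches the network.
DEMO_DIR=$(mktemp -d)

# Create a self-signed CA certificate: new_ca <basename> <common name>
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

demo_setup() {
    new_ca ca "Constructed Private CA" || return 1        # signs the server cert
    new_ca other "Constructed Unrelated CA" || return 1   # signs nothing
    # Server key and signing request for the host name used in ServerUrl.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.org" \
        -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" 2>/dev/null || return 1
    # The private CA signs the server certificate.
    openssl x509 -req -in "$DEMO_DIR/server.csr" -days 1 \
        -CA "$DEMO_DIR/ca.pem" -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -out "$DEMO_DIR/server.pem" 2>/dev/null
}

# verify_server [ca-basename]: exit status 0 only if the chain validates.
verify_server() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$DEMO_DIR/$1.pem" "$DEMO_DIR/server.pem" >/dev/null 2>&1
    else
        # No CA file given: only the system's default trust store is consulted.
        openssl verify "$DEMO_DIR/server.pem" >/dev/null 2>&1
    fi
}

report() {  # report <label> [ca-basename]
    if verify_server "$2"; then echo "$1: OK"; else echo "$1: certificate verify failed"; fi
}

demo_setup || { echo "openssl failed" >&2; exit 1; }
report "default trust store only"
report "with our CA PEM" ca
report "with an unrelated CA PEM" other
```

The PEM that passes here is the kind of file curl accepts through --cacert, in contrast to -k, which skips the check for any certificate.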



