[gdal-dev] libcurl and the certificates and Windows

Joaquim Luis jluis at ualg.pt
Sat Jun 3 09:38:35 PDT 2017


On Sat, 03 Jun 2017 17:22:33 +0100, Even Rouault  
<even.rouault at spatialys.com> wrote:

> On Saturday 3 June 2017 17:04:07 CEST Joaquim Luis wrote:
>> Hi,
>>
>> For quite some time I cannot use the 'vsis' because of certificates issue.
>> For example, a GMT test that has a command like this no longer works on
>> Windows
>>
>> gdalinfo /vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg
>>
>> because
>>
>> ERROR 11: HTTP response code: 301 - SSL certificate problem: unable to get local issuer certificate
>> gdalinfo failed - unable to open
>> '/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg'.
>>
>> It used to work but probably with an older libcurl dll.
>> The above is with my own build gdal and dependencies (libcurl included)
>> but the same happens with the gisinternals binaries.
>>
>> I have re(and re)ad this page about the certificates
>>
>> https://curl.haxx.se/docs/sslcerts.html
>>
>> but regarding Windows and the curl-ca-bundle.crt file what is said about
>> it simply does not work. The only thing that works is setting the ENV
>> variable
>>
>> set CURL_CA_BUNDLE=V:\bin\curl-ca-bundle.crt
>>
>> Now, we had this in GMT recently and I used the nuke option
>>
>> curl_easy_setopt (Curl, CURLOPT_SSL_VERIFYPEER, 0L); /* Tell libcurl to not verify the peer */
>>
>> so tried to do the same thing in the GDAL code (the obvious point seemed
>> to be VSICurlSetOptions in cpl_vsi_curl.cpp) but still does not work.
>
> Someone reported to me a similar issue with recent OSGeo4W.
>
> Did you try setting GDAL_HTTP_UNSAFESSL=YES? This is taken into account
> in CPLHTTPSetOptions() that is called by VSICurlSetOptions(), and this
> sets CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0.
>
> This solved the issue.
>

Thanks, yes that works too (and no, I hadn't tried it before), although
it's a different solution than setting CURL_CA_BUNDLE, which does not
turn off the certificate verification.
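
An added example, not part of the original message and not GDAL or libcurl code: a small Python audit of the two environment settings discussed in this thread, separating a working CURL_CA_BUNDLE (verification stays on) from GDAL_HTTP_UNSAFESSL=YES (verification off). It recognises only the value YES shown above; the status names and the sample PEM block are constructed for illustration.

```python
import base64, os, re, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a PEM wrapper around a tiny DER SEQUENCE, not a real CA.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")

def count_pem_certs(path):
    """Count PEM blocks whose base64 payload decodes to a DER SEQUENCE (0x30)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_RE.findall(fh.read())
    count = 0
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            count += 1
    return count

def audit_tls_env(env):
    """Return (status, findings) for the two settings discussed in the thread."""
    findings = []
    unsafe = env.get("GDAL_HTTP_UNSAFESSL", "").strip().upper() == "YES"
    bundle = env.get("CURL_CA_BUNDLE", "").strip()
    bundle_ok = False
    if bundle:
        if not os.path.isfile(bundle):
            findings.append(f"CURL_CA_BUNDLE file not found: {bundle}")
        elif count_pem_certs(bundle) == 0:
            findings.append(f"CURL_CA_BUNDLE has no PEM certificates: {bundle}")
        else:
            bundle_ok = True
    if unsafe:  # verification is off whether or not a bundle is configured
        findings.append("GDAL_HTTP_UNSAFESSL=YES: peer and host verification are off")
        return "unverified", findings
    if bundle_ok:
        return "verified-with-bundle", findings
    return ("broken-bundle" if bundle else "libcurl-default"), findings

def demo():
    """Run the audit on three constructed environments; returns their statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "curl-ca-bundle.crt")
        with open(good, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_PEM)
        envs = [{"CURL_CA_BUNDLE": good},
                {"CURL_CA_BUNDLE": good, "GDAL_HTTP_UNSAFESSL": "YES"},
                {"CURL_CA_BUNDLE": os.path.join(tmp, "missing.crt")}]
        return [audit_tls_env(e)[0] for e in envs]
```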