[gdal-dev] libcurl and the certificates and Windows

Vautour, André (INT) Andre.Vautour at Teledyne.com
Mon Jun 5 12:07:24 PDT 2017


I'd like to add that I think an option like GDAL_HTTP_CA_CERT_FILE or GDAL_HTTP_CA_CERT_PATH would be useful to have.

In our applications, usage of libcurl outside of GDAL sets the CURLOPT_CAINFO to point to our certificate bundle, but, for GDAL, we instead set GDAL_HTTP_UNSAFESSL=YES. Had that option existed, I'm sure we would have used it.

That being said, I still feel that, for Windows, using the Certificate Stores is what makes the most sense. That way, in an organizational setting, certificates can be managed via the domain instead of having to configure each workstation separately. That would involve building libcurl with SChannel support instead of OpenSSL. From what I can tell, that would only work for Windows XP onwards.

André


From: gdal-dev [mailto:gdal-dev-bounces at lists.osgeo.org] On Behalf Of Joaquim Luis
Sent: Saturday, June 3, 2017 14:30
To: gdal-dev at lists.osgeo.org; Even Rouault <even.rouault at spatialys.com>; Joaquim Luis <jluis at ualg.pt>
Subject: Re: [gdal-dev] libcurl and the certificates and Windows

For reference

https://github.com/curl/curl/issues/1538


On Sat, 03 Jun 2017 17:22:33 +0100, Even Rouault <even.rouault at spatialys.com> wrote:

On Saturday 3 June 2017 17:04:07 CEST Joaquim Luis wrote:

> Hi,
>
> For quite some time I cannot use the 'vsis' because of a certificates issue.
> For example, a GMT test that has a command like this no longer works on
> Windows
>
> gdalinfo /vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg
>
> because
>
> ERROR 11: HTTP response code: 301 - SSL certificate problem: unable to get
> local issuer certificate
> gdalinfo failed - unable to open
> '/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit.jpg'.
>
> It used to work but probably with an older libcurl dll.
> The above is with my own build of GDAL and dependencies (libcurl included)
> but the same happens with the gisinternals binaries.
>
> I have re(and re)ad this page about the certificates
>
> https://curl.haxx.se/docs/sslcerts.html
>
> but regarding Windows and the curl-ca-bundle.crt file what is said about
> it simply does not work. The only thing that works is setting the ENV
> variable
>
> set CURL_CA_BUNDLE=V:\bin\curl-ca-bundle.crt
>
> Now, we had this in GMT recently and I used the nuke option
>
> curl_easy_setopt (Curl, CURLOPT_SSL_VERIFYPEER, 0L); /* Tell libcurl to
> not verify the peer */
>
> so tried to do the same thing in the GDAL code (the obvious point seemed
> to be VSICurlSetOptions in cpl_vsi_curl.cpp) but still does not work.

Someone reported to me a similar issue with recent OSGeo4W.

Did you try setting GDAL_HTTP_UNSAFESSL=YES? This is taken into account in CPLHTTPSetOptions() that is called by VSICurlSetOptions(), and this sets CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0.

This solved the issue.

Thanks, yes that works too (and, no I hadn't tried it before) although it's a different solution than setting CURL_CA_BUNDLE, which does not turn off the certificate verification.
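The option André proposes and the GDAL_HTTP_UNSAFESSL behaviour Even describes, as an added C++ example that is not GDAL's or libcurl's code: ResolveTlsOptions() shows one way the proposed GDAL_HTTP_CA_CERT_FILE / GDAL_HTTP_CA_CERT_PATH options (hypothetical names taken from this thread, not existing GDAL options) could be resolved together with GDAL_HTTP_UNSAFESSL into the libcurl settings Even names, and LooksLikePemBundle() checks a bundle before it would be handed to CURLOPT_CAINFO. The sample bundle written by DemoBundleCheck() is constructed and is not a real certificate.

```cpp
// Added example, not GDAL or libcurl code. GDAL_HTTP_CA_CERT_FILE and
// GDAL_HTTP_CA_CERT_PATH are hypothetical option names from the thread.
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>

// Values a CPLHTTPSetOptions()-style function would pass to curl_easy_setopt():
//   verify_peer -> CURLOPT_SSL_VERIFYPEER (1L or 0L)
//   verify_host -> CURLOPT_SSL_VERIFYHOST (2L or 0L)
//   ca_file     -> CURLOPT_CAINFO, ca_path -> CURLOPT_CAPATH (when non-empty)
struct TlsOptions {
    bool verify_peer = true;
    bool verify_host = true;
    std::string ca_file;
    std::string ca_path;
    std::string reason;  // why this configuration was chosen, for logging
};

// This example accepts the YES/TRUE/ON/1 spellings for a boolean option.
static bool IsTrue(const char* v) {
    if (!v) return false;
    return std::strcmp(v, "YES") == 0 || std::strcmp(v, "TRUE") == 0 ||
           std::strcmp(v, "ON") == 0 || std::strcmp(v, "1") == 0;
}

// A PEM bundle should contain at least one certificate block. Checking the
// file up front gives a clearer diagnostic than a request that fails later.
bool LooksLikePemBundle(const std::string& path) {
    std::ifstream in(path);
    if (!in) return false;
    std::string line;
    while (std::getline(in, line)) {
        if (line.find("-----BEGIN CERTIFICATE-----") != std::string::npos)
            return true;
    }
    return false;
}

// Resolve the TLS settings from configuration values (nullptr = unset).
// Precedence: an explicitly configured CA file or directory wins over the
// unsafe switch, so a stale GDAL_HTTP_UNSAFESSL=YES left in an environment
// cannot silently disable verification once a bundle has been deployed.
TlsOptions ResolveTlsOptions(const char* unsafessl,
                             const char* ca_cert_file,
                             const char* ca_cert_path) {
    TlsOptions o;
    if (ca_cert_file && *ca_cert_file) {
        o.ca_file = ca_cert_file;
        o.reason = "verifying against GDAL_HTTP_CA_CERT_FILE";
    } else if (ca_cert_path && *ca_cert_path) {
        o.ca_path = ca_cert_path;
        o.reason = "verifying against GDAL_HTTP_CA_CERT_PATH";
    } else if (IsTrue(unsafessl)) {
        o.verify_peer = false;
        o.verify_host = false;
        o.reason = "GDAL_HTTP_UNSAFESSL=YES: peer and host verification disabled";
    } else {
        o.reason = "verifying against libcurl's built-in default CA store";
    }
    return o;
}

// Writes a constructed, non-real PEM block to a scratch file, checks it,
// cleans up, and returns true when the check accepts the sample and
// rejects a path that does not exist.
bool DemoBundleCheck() {
    const char* path = "example_ca_bundle.pem";  // scratch file, constructed
    {
        std::ofstream out(path);
        out << "-----BEGIN CERTIFICATE-----\n"
               "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIGNlcnRpZmljYXRl\n"
               "-----END CERTIFICATE-----\n";
    }
    bool accepted = LooksLikePemBundle(path);
    bool rejected_missing = !LooksLikePemBundle("example_missing_bundle.pem");
    std::remove(path);
    return accepted && rejected_missing;
}

int main() {
    // Stand-alone demonstration with constructed configuration values.
    TlsOptions o = ResolveTlsOptions("YES", "C:\\certs\\curl-ca-bundle.crt", nullptr);
    std::cout << o.reason << " (verify_peer=" << o.verify_peer
              << ", verify_host=" << o.verify_host << ")\n";
    std::cout << "bundle check: " << (DemoBundleCheck() ? "ok" : "failed") << "\n";
    return 0;
}
```

A caller modelled on CPLHTTPSetOptions() would then apply the struct with curl_easy_setopt(hCurl, CURLOPT_CAINFO, o.ca_file.c_str()), CURLOPT_SSL_VERIFYPEER set to o.verify_peer ? 1L : 0L, and CURLOPT_SSL_VERIFYHOST set to o.verify_host ? 2L : 0L; with a libcurl built against SChannel, the setup André favours, the default trust comes from the Windows certificate store and the bundle options only matter where a site-specific CA is needed.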

