[Geomoose-users] Identify with a https WMS source

James Klassen klassen.js at gmail.com
Mon Feb 6 10:27:08 PST 2017


Again without a valid certificate signed by a trusted* certificate
authority there is no additional security achieved by https over http.

Trusted is an important keyword there.  If this is for private/internal
use, an organization is free to set up its own certificate authority and
add that authority as a trusted authority on its clients.  This is actually
more common than you might think with SSL VPNs and IIRC is even part of
Active Directory.  If done right, this can be even more secure than relying
on the public certificate authorities because you have full control and
aren't trusting an outside organization.

For public use, the certificate really needs to be signed by a trusted CA
to provide any protection (otherwise anyone in a position to read/modify
the unencrypted http traffic could just as easily spoof the unsigned https
certificate).  If money is the issue, I would recommend looking at some of
the free CAs such as LetsEncrypt.


On Feb 6, 2017 12:01 PM, "Mark Volz" <MarkVolz at co.lyon.mn.us> wrote:

Hi,



Just to add my two cents in here.  Some organizations might want to have
https enabled, but do not have a need that justifies purchasing an SSL
certificate…



Thanks



Sincerely,

*Mark Volz, GISP*



*From:* Geomoose-users [mailto:geomoose-users-bounces at lists.osgeo.org] *On
Behalf Of *Brent Fraser
*Sent:* Monday, February 06, 2017 10:14 AM
*To:* James Klassen <klassen.js at gmail.com>
*Cc:* GeoMOOSE Users List <geomoose-users at lists.osgeo.org>
*Subject:* Re: [Geomoose-users] Identify with a https WMS source



Hey Jim,

  I think our WMS server's certificate is ok (no errors shown) but I'll
confirm that.  It could be my PHP config so I will look into that too.

  Thanks!

Best Regards,

Brent Fraser

On 2/6/2017 9:06 AM, James Klassen wrote:

Not a PHP expert here so I am not sure how to go about finding the root
error message, but with every other language I have used, only working with
the checks disabled means there was a certificate error so either the https
server's certificate is bad (easy to check, a web browser would also show a
warning when visiting the site) or that the client program can't find
its list of trusted certificate authorities (and so will think all
certificates are invalid).



The best fix would be to figure out why the certificate isn't validating
and fix that.



If you need to talk to a server with a bad certificate, can't fix the
server, and don't care if the connection is secure, then turning off the
checks is a work around.



On Feb 6, 2017 9:41 AM, "Brent Fraser" <bfraser at geoanalytic.com> wrote:

Otherwise no text is available in $gml after:

        $gml = curl_exec($curlHandle);

but maybe there is a better solution?



Best Regards,

Brent Fraser

On 2/6/2017 7:29 AM, James Klassen wrote:

Why do you need those options? Generally, disabling the certificate checks
isn't a good idea.









On Feb 5, 2017 8:45 PM, "Brent Fraser" <bfraser at geoanalytic.com> wrote:

Hi all,

  To get identify.php to work when I specify a WMS map-source using https
(instead of the old and out-dated http), I had to add a couple of curl
options to identify.php around line 196:

        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, 0);

Should I file an issue or is this already handled in 3.0?

And what's with hardcoding "INFO_FORMAT=application/vnd.ogc.gml" into the
request?  Should we make that configurable in the map-source definition?

Thanks!

-- 
Best Regards,
Brent Fraser

