Opened 9 years ago

Closed 5 years ago

#3882 closed defect (fixed)

GDAL WMS driver should skip ssl verification and support authentication

Reported by: atte Owned by: nowakpl
Priority: normal Milestone:
Component: default Version: svn-trunk
Severity: normal Keywords:
Cc: jukka.rahkonen@…

Description

...because that's what the WCS driver does in trunk (port/cpl_http.cpp).

The WMS driver (frmts/wms/gdalhttp.cpp) doesn't skip ssl verification, so you can't connect to a server that's using a self-signed cert.

Authentication works if you pass the username and password in url (https://<username>:<password>@<host>/...), but it would be better to do it like in wcs via <UserPwd> for consistency and to support different auth types <HttpAuth> (#3091).

Change History (8)

comment:1 Changed 9 years ago by atte

Plus, it would be nice if at least ssl verification skipping would be added to 1.7 branch also since the change is a simple one-liner:

curl_easy_setopt(<curl_handle>, CURLOPT_SSL_VERIFYPEER, FALSE);

At the moment, no driver in 1.7 skips ssl verification, afaict.

comment:2 Changed 9 years ago by Jukka Rahkonen

Cc: jukka.rahkonen@… added

comment:3 Changed 9 years ago by Even Rouault

Could you confirm that what you need is the patch attached to #3510 ?

comment:4 Changed 9 years ago by nowakpl

Owner: changed from warmerdam to nowakpl
Status: changed from new to assigned

Possible fix in r21304, add <UnsafeSSL>true</UnsafeSSL> inside <GDAL_WMS>. I don't have any https server with wms so can't really test.

comment:5 Changed 9 years ago by atte

Eh sorry. My quick search didn't hit #3510. This ticket is really a duplicate of that.

I tested the Authentication patch from #3510 against r21303 and I can confirm that it fixes my problem.

I tested r21304 also. It works also. I had a little trouble at first when I tried to add <UnsafeSSL> as a child of <Service> until I figured that it's a child of <GDAL_WMS> itself. Imho, it would make more sense under <Service>.

My vote goes to the patch in #3510 (and backing out r21304). The solution there seems consistent with wcs.

comment:6 Changed 9 years ago by atte

Now that 1.8 is out, http://www.gdal.org/frmt_wms.html needs to be updated for <UnsafeSSL>.

comment:7 Changed 6 years ago by Jukka Rahkonen

The work is done but <UnsafeSSL>true</UnsafeSSL> is still missing from http://www.gdal.org/frmt_wms.html

comment:8 Changed 5 years ago by Jukka Rahkonen

Resolution: fixed
Status: changed from assigned to closed

Documented in r28145.
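
Added example, not part of the ticket or of GDAL's code: a small audit that reads a GDAL WMS service description and reports the two settings discussed in this thread, `<UnsafeSSL>` enabled under `<GDAL_WMS>` and credentials embedded in the server URL. The finding names, the set of values treated as "true" and the sample document are assumptions made for the example; `<ServerUrl>` is the WMS driver's URL element.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: spellings treated as "enabled" when reading the option.
TRUE_VALUES = {"true", "yes", "1", "on"}

# Constructed sample service description (host and credentials are made up).
SAMPLE = """<GDAL_WMS>
  <Service name="WMS">
    <ServerUrl>https://alice:s3cret@wms.example.org/ows?</ServerUrl>
    <UnsafeSSL>true</UnsafeSSL>
  </Service>
  <UnsafeSSL>true</UnsafeSSL>
</GDAL_WMS>"""


def audit_wms_xml(text):
    """Return a sorted list of finding codes for one GDAL_WMS document."""
    root = ET.fromstring(text)
    if root.tag != "GDAL_WMS":
        raise ValueError("not a GDAL_WMS service description")
    findings = set()
    # A direct child of <GDAL_WMS> is the placement described in comment 5.
    for el in root.findall("UnsafeSSL"):
        if (el.text or "").strip().lower() in TRUE_VALUES:
            findings.add("tls-verification-disabled")
    # Comment 5 also mentions trying the element under <Service>; report that
    # placement separately so a reviewer can see what the author intended.
    for service in root.findall("Service"):
        if service.find(".//UnsafeSSL") is not None:
            findings.add("unsafessl-misplaced-under-service")
    # The user:password@host URL form from the ticket description.
    for el in root.iter("ServerUrl"):
        parts = urlsplit((el.text or "").strip())
        if parts.username or parts.password:
            findings.add("credentials-in-url")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_wms_xml(SAMPLE):
        print(finding)
```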
