Opened 10 years ago

Closed 6 years ago

#3882 closed defect (fixed)

GDAL WMS driver should skip ssl verification and support authentication

Reported by: atte
Owned by: nowakpl
Priority: normal
Milestone:
Component: default
Version: svn-trunk
Severity: normal
Keywords:
Cc: jukka.rahkonen@…

Description

...because that's what the WCS driver does in trunk (port/cpl_http.cpp).

wms driver (frmts/wms/gdalhttp.cpp) doesn't skip ssl verification, so you can't connect to a server that's using a self-signed cert.

Authentication works if you pass the username and password in url (https://<username>:<password>@<host>/...), but it would be better to do it like in wcs via <UserPwd> for consistency and to support different auth types <HttpAuth> (#3091).

Change History (8)

comment:1 Changed 10 years ago by atte

Plus, it would be nice if at least ssl verification skipping were added to the 1.7 branch as well, since the change is a simple one-liner:

curl_easy_setopt(<curl_handle>, CURLOPT_SSL_VERIFYPEER, FALSE);

At the moment, no driver in 1.7 skips ssl verification, afaict.

comment:2 Changed 10 years ago by Jukka Rahkonen

Cc: jukka.rahkonen@… added

comment:3 Changed 10 years ago by Even Rouault

Could you confirm that what you need is the patch attached to #3510 ?

comment:4 Changed 10 years ago by nowakpl

Owner: changed from warmerdam to nowakpl
Status: changed from new to assigned

Possible fix in r21304, add <UnsafeSSL>true</UnsafeSSL> inside <GDAL_WMS>. I don't have any https server with wms so can't really test.

comment:5 Changed 10 years ago by atte

Eh sorry. My quick search didn't hit #3510. This ticket is really a duplicate of that.

I tested the Authentication patch from #3510 against r21303 and I can confirm that it fixes my problem.

I tested r21304 also. It works also. I had a little trouble at first when I tried to add <UnsafeSSL> as a child of <Service> until I figured that it's a child of <GDAL_WMS> itself. Imho, it would make more sense under <Service>.

My vote goes to the patch in #3510 (and backing out r21304). The solution there seems consistent with wcs.

comment:6 Changed 9 years ago by atte

Now that 1.8 is out, http://www.gdal.org/frmt_wms.html needs to be updated for <UnsafeSSL>.

comment:7 Changed 6 years ago by Jukka Rahkonen

The work is done but <UnsafeSSL>true</UnsafeSSL> is still missing from http://www.gdal.org/frmt_wms.html

comment:8 Changed 6 years ago by Jukka Rahkonen

Resolution: fixed
Status: changed from assigned to closed

Documented in r28145.
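
Added example (not part of the ticket and not GDAL code): a small Python check that scans a GDAL WMS service description for the two risky settings this ticket discusses, `<UnsafeSSL>` enabled as a child of `<GDAL_WMS>` (comments 4 and 5) and credentials embedded in the server URL (the description). The sample XML, the hostname `wms.example.test`, the finding names and the set of values treated as "true" are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: values treated as "enabled"; the ticket itself only shows "true".
TRUTHY = {"true", "1", "yes", "on"}

def audit_wms_xml(xml_text):
    """Return a sorted list of findings for one GDAL WMS service description."""
    root = ET.fromstring(xml_text)
    if root.tag != "GDAL_WMS":
        return ["not-gdal-wms"]
    findings = set()
    # Per comments 4 and 5, <UnsafeSSL> is a direct child of <GDAL_WMS>.
    direct = root.findall("UnsafeSSL")
    direct_ids = {id(el) for el in direct}
    for el in direct:
        if (el.text or "").strip().lower() in TRUTHY:
            findings.add("tls-verification-disabled")
    # Anywhere else (e.g. under <Service>) it signals intent and needs review.
    for el in root.iter("UnsafeSSL"):
        if id(el) not in direct_ids:
            findings.add("unsafessl-misplaced")
    # URLs of the form https://<username>:<password>@<host>/... leak secrets.
    for el in root.iter():
        text = (el.text or "").strip()
        if not text.lower().startswith(("http://", "https://")):
            continue
        try:
            parts = urlsplit(text)
        except ValueError:
            continue
        if parts.username or parts.password:
            findings.add("credentials-in-url")
    return sorted(findings)

# Constructed sample input, not taken from the ticket.
SAMPLE_WEAK = """<GDAL_WMS>
  <Service name="WMS">
    <ServerUrl>https://user:secret@wms.example.test/ows?</ServerUrl>
    <UnsafeSSL>true</UnsafeSSL>
  </Service>
  <UnsafeSSL>true</UnsafeSSL>
</GDAL_WMS>"""
SAMPLE_OK = """<GDAL_WMS>
  <Service name="WMS"><ServerUrl>https://wms.example.test/ows?</ServerUrl></Service>
  <UnsafeSSL>false</UnsafeSSL>
</GDAL_WMS>"""

if __name__ == "__main__":
    print(audit_wms_xml(SAMPLE_WEAK), audit_wms_xml(SAMPLE_OK))
```

A finding of `tls-verification-disabled` means the connection to that server is not protected against interception; for a self-signed server, trusting its certificate explicitly keeps verification on.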
