#6732 closed defect (fixed)
Add support for CURL_CA_BUNDLE to vsicurl
Reported by: | sgillies | Owned by: | warmerdam |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | default | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: |
Description
I'd like to see GDAL's vsicurl handler support cert files in non-standard locations by using curl's CURL_CA_BUNDLE environment variable. The way this works in curl is that the value of CURL_CA_BUNDLE or SSL_CERT_FILE is used as the argument to, for example, `curl_easy_setopt(hCurlHandle, CURLOPT_CAINFO, "/foo/bar")`. The curl program behaves like this:
```
$ CURL_CA_BUNDLE=/foo/bar curl -I https://sgillies.net
curl: (77) error setting certificate verify locations:
  CAfile: /foo/bar
  CApath: none

$ CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt curl -I https://sgillies.net
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 28 Nov 2016 16:13:23 GMT
Content-Type: text/html
Content-Length: 33052
Last-Modified: Mon, 28 Nov 2016 08:20:37 GMT
Connection: keep-alive
ETag: "583be8d5-811c"
Accept-Ranges: bytes
```
I regard this as a bug. If fixed, we can make binary Rasterio wheels with vsicurl and vsis3 support that are more portable. The current state of affairs is that a GDAL library has the build system's default SSL cert path baked in and it can't be changed, requiring some users to copy their certs to the expected location.
A couple new lines in cpl_vsil_curl.cpp is all it will take.
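One way to resolve the override described above before handing it to `CURLOPT_CAINFO`, as an added example that is not GDAL's code or the change made for this ticket. The helper names `ca_bundle_from_env` and `ca_bundle_usable` are hypothetical, and the variable order and the PEM check are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L  /* stat(), S_ISREG() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Path requested through the environment, or NULL. Trying CURL_CA_BUNDLE
 * before SSL_CERT_FILE and skipping empty values are assumptions here. */
const char *ca_bundle_from_env(void)
{
    static const char *const vars[] = { "CURL_CA_BUNDLE", "SSL_CERT_FILE" };
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        const char *v = getenv(vars[i]);
        if (v != NULL && v[0] != '\0')
            return v;
    }
    return NULL;
}

/* 1 if path is a regular file with at least one PEM certificate, else 0.
 * CURLOPT_CAINFO takes a file, so directories are rejected here. */
int ca_bundle_usable(const char *path)
{
    struct stat st;
    char line[256];
    int found = 0;
    FILE *fp;
    if (path == NULL || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if ((fp = fopen(path, "r")) == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, fp) != NULL)
        found = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(fp);
    return found;
}

int main(void)
{
    const char *ca = ca_bundle_from_env();
    if (ca == NULL) {
        puts("no override set: the build-time default CA path applies");
        return 0;
    }
    /* A libcurl caller applies the path here, leaving verification on:
     *   curl_easy_setopt(hCurlHandle, CURLOPT_CAINFO, ca); */
    printf("CAINFO=%s usable=%d\n", ca, ca_bundle_usable(ca));
    return ca_bundle_usable(ca) ? 0 : 1;
}
```

An unusable override is reported rather than ignored, so a bad path surfaces as a verification failure (as in the curl error 77 shown above) instead of a silent fallback.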
In 36550: