#6734 closed defect (fixed)
CPLHTTPFetch(): CURLOPT_SSL_VERIFYPEER disabled
Reported by: | Even Rouault | Owned by: | Even Rouault |
---|---|---|---|
Priority: | normal | Milestone: | 2.2.0 |
Component: | default | Version: | unspecified |
Severity: | normal | Keywords: | http |
Cc: | sgillies |
Description
CPLHTTPFetch() disables CURLOPT_SSL_VERIFYPEER check, which means that invalid certificates from server are accepted.
I did a bit of software archeology and this was added 7 years ago per https://trac.osgeo.org/gdal/changeset/19162 Which is a huge changeset for RFC 24 - progressive/async raster reading. I guess that the person who contributed this RFC had a need for a hack for the needs of the JPIPKAK driver, so as to be able to connect to JPIP servers with self signed certificates.
Later in https://trac.osgeo.org/gdal/changeset/25661, I apparently migrated the UNSAFESSL option which was specific to the WMS driver code to a new general purpose function CPLHTTPSetOptions(). I probably let the CURLOPT_SSL_VERIFYPEER=FALSE in CPLHTTPFetch() so as not to change the existing behaviour.
Now that the UNSAFESSL option is available, it doesn't seem necessary to unconditionnaly disable CURLOPT_SSL_VERIFYPEER.
Change History (2)
comment:1 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:2 by , 8 years ago
Milestone: | → 2.2.0 |
---|
Travis builds seems to be happy with that change. I'm a bit hesitant in backporting this in the 2.1 branch as it might break users that relied, knowingly or not, on certificates not being verified (e.g. if running servers with self-signed certificates).
In 36567: