Opened 15 years ago
Closed 15 years ago
#3007 closed defect (fixed)
Add a way to specify location of CA bundle for Curl+SSL to work
Reported by: | dmorissette | Owned by: | dmorissette |
---|---|---|---|
Priority: | normal | Milestone: | 6.0 release |
Component: | MapServer C Library | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: | sdlime, adube, nsavard, jmckenna, bfischer |
Description
The problem:
Building MapServer with Curl+SSL is not sufficient to enable https connections to WMS/WFS servers. Curl also needs to be able to find the Certificate Authority (CA) bundle. More info about this at http://curl.haxx.se/docs/sslcerts.html
In most cases everything works out of the box: Curl installs a CA bundle automatically (during make install) and looks for it in some default locations.
However, if you use a custom build, or have an odd setup such as in the FGS and MS4W cases, then you may need a mechanism to specify a different location for the CA bundle at runtime.
The solution:
A possible solution is to follow what the curl command-line tool does and allow setting a CURL_CA_BUNDLE environment variable which is the location of the CA bundle file e.g.
export CURL_CA_BUNDLE=/path/to/my-ca-bundle.txt
... or in a mapfile using a CONFIG directive:
CONFIG "CURL_CA_BUNDLE" "/path/to/my-ca-bundle.txt"
... this value would be passed to libcurl via curl_easy_setopt(curl, CURLOPT_CAINFO, ...);. This is what OpenOffice does too.
See http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTCAINFO
In addition, we could also provide a mechanism to disable certificate validation, by setting CURLOPT_SSL_VERIFYPEER.
See http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER
Change History (4)
comment:1 by , 15 years ago
Cc: | added |
---|
comment:2 by , 15 years ago
Status: | new → assigned |
---|
comment:4 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed. CURL_CA_BUNDLE documented in EnvironmentVariables
Done in SVN trunk r9016.
Note that I implemented only support for the CURL_CA_BUNDLE environment variable.
Contrary to what I suggested in the opening comment of this ticket, I did not implement support for a CONFIG directive since that would have required passing a mapObj handle down in the Curl code and I didn't think that was worth the trouble.
Leaving ticket open for docs update.
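
The environment-variable approach discussed in this ticket, as an added example that is not MapServer's code from r9016: it reads CURL_CA_BUNDLE, passes it to libcurl through CURLOPT_CAINFO, and leaves peer and host verification enabled. The helper names `ca_bundle_from_env` and `apply_ca_bundle`, the regular-file check, and the choice to fail closed when the variable points at something unusable are assumptions of this example, not behaviour described in the ticket.

```c
/* Added example, not MapServer source. With libcurl: cc -DUSE_LIBCURL ex.c -lcurl */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#ifdef USE_LIBCURL
#include <curl/curl.h>
#endif

/* Hypothetical helper: returns the path to hand to CURLOPT_CAINFO, or NULL
 * to keep libcurl's built-in default. *err is set to 1 when the variable is
 * set but does not name a regular file, so the caller can fail closed. */
const char *ca_bundle_from_env(const char *value, int *err)
{
    struct stat st;
    *err = 0;
    if (value == NULL || *value == '\0')
        return NULL;                      /* unset: use libcurl default */
    if (stat(value, &st) != 0 || !S_ISREG(st.st_mode)) {
        *err = 1;                         /* set but not a regular file */
        return NULL;
    }
    return value;
}

#ifdef USE_LIBCURL
/* Hypothetical helper: apply the bundle to a handle; verification stays on. */
int apply_ca_bundle(CURL *curl)
{
    int err;
    const char *ca = ca_bundle_from_env(getenv("CURL_CA_BUNDLE"), &err);
    if (err) {
        fprintf(stderr, "CURL_CA_BUNDLE does not name a regular file\n");
        return -1;                        /* do not fall back silently */
    }
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    if (ca != NULL && curl_easy_setopt(curl, CURLOPT_CAINFO, ca) != CURLE_OK)
        return -1;
    return 0;
}
#endif

int main(void)
{
    int err;
    const char *ca = ca_bundle_from_env(getenv("CURL_CA_BUNDLE"), &err);
    printf("CA bundle: %s\n", err ? "(rejected)" : ca ? ca : "(libcurl default)");
    return err;
}
```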