Opened 15 years ago

Closed 15 years ago

#3007 closed defect (fixed)

Add a way to specify location of CA bundle for Curl+SSL to work

Reported by: dmorissette Owned by: dmorissette
Priority: normal Milestone: 6.0 release
Component: MapServer C Library Version: unspecified
Severity: normal Keywords:
Cc: sdlime, adube, nsavard, jmckenna, bfischer

Description

The problem:

Building MapServer with Curl+SSL is not sufficient to enable https connections to WMS/WFS servers. Curl also needs to be able to find the Certificate Authority (CA) bundle. More info about this at http://curl.haxx.se/docs/sslcerts.html

In most cases everything works out of the box: Curl installs a CA bundle automatically (during make install) and looks for it in some default locations.

However, if you use a custom build, or have an odd setup such as in the FGS and MS4W cases, then you may need a mechanism to specify a different location for the CA bundle at runtime.

The solution:

A possible solution is to follow what the curl command-line tool does and allow setting a CURL_CA_BUNDLE environment variable which is the location of the CA bundle file e.g.

export CURL_CA_BUNDLE=/path/to/my-ca-bundle.txt

... or in a mapfile using a CONFIG directive:

CONFIG "CURL_CA_BUNDLE" "/path/to/my-ca-bundle.txt"

... this value would be passed to libcurl via curl_easy_setopt(curl, CURLOPT_CAINFO, ...);. This is what OpenOffice does too.
See http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTCAINFO

In addition, we could also provide a mechanism to disable certificate validation, by setting CURLOPT_SSL_VERIFYPEER
See http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER
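An added example, not MapServer's own code, for the environment-variable route described above: a hypothetical deployment-script helper that checks the bundle file before exporting CURL_CA_BUNDLE, so a wrong path fails at setup time rather than on every https WMS/WFS request (the PEM-marker test assumes a standard PEM bundle):

```shell
#!/bin/sh
# Returns 0 if the file looks like a usable PEM CA bundle, 1 otherwise.
check_ca_bundle() {
    bundle="$1"
    if [ ! -f "$bundle" ]; then
        echo "CA bundle not found: $bundle" >&2
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "CA bundle not readable: $bundle" >&2
        return 1
    fi
    # A bundle with no PEM certificate blocks is as bad as a missing one:
    # libcurl accepts the path and then rejects every peer certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "no PEM certificates in: $bundle" >&2
        return 1
    fi
    return 0
}

# Export CURL_CA_BUNDLE only after the check passes; otherwise leave the
# environment untouched so libcurl's compiled-in default location is used.
set_curl_ca_bundle() {
    if check_ca_bundle "$1"; then
        CURL_CA_BUNDLE="$1"
        export CURL_CA_BUNDLE
        return 0
    fi
    return 1
}
```

Call set_curl_ca_bundle with the bundle path in the script that launches mapserv; the exported variable is then picked up by the MapServer process.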

Change History (4)

comment:1 by bfischer, 15 years ago

Cc: bfischer added

comment:2 by dmorissette, 15 years ago

Status: new → assigned

Done in SVN trunk r9016.

Note that I implemented only support for the CURL_CA_BUNDLE environment variable.

Contrary to what I suggested in the opening comment of this ticket, I did not implement support for a CONFIG directive since that would have required passing a mapObj handle down in the Curl code and I didn't think that was worth the trouble.

Leaving ticket open for docs update.

comment:3 by dmorissette, 15 years ago

Backported to branch-5-4 r9017 (will be in 5.4.1)

comment:4 by dmorissette, 15 years ago

Resolution: fixed
Status: assigned → closed

Fixed. CURL_CA_BUNDLE documented in EnvironmentVariables
