Re: [gdal-dev] libcurl and the certificates and Windows

Sat, 03 Jun 2017 10:30:06 -0700 

For reference

https://github.com/curl/curl/issues/1538
On Sat, 03 Jun 2017 17:22:33 +0100, Even Rouault <even.roua...@spatialys.com> wrote: 



On samedi 3 juin 2017 17:04:07 CEST Joaquim Luis wrote:


Hi,
For quite some time I cannot use the 'vsis' because of certificates issue. 


For example, a GMT test that has a command like this no longer works on



Windows







gdalinfo



/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbit



.jpg







because
ERROR 11: HTTP response code: 301 - SSL certificate problem: unable to get 


local issuer certificate



gdalinfo failed - unable to open



'/vsicurl/http://larryfire.files.wordpress.com/2009/07/untooned_jessicarabbi



t.jpg'.







It used to work but probably with an older libcurl dll.



The above is with my own build gdal and dependencies (libcurl included)



but the same happens with the gisinternals binaries.







I have re(and re)ad this page about the certificates







https://curl.haxx.se/docs/sslcerts.html
but regarding Windows and the curl-ca-bundle.crt file what is said about 


it simply does not work. The only thing that works is setting the ENV



variable







set CURL_CA_BUNDLE=V:\bin\curl-ca-bundle.crt







Now, we had this in GMT recently and I used the nuke option







curl_easy_setopt (Curl, CURLOPT_SSL_VERIFYPEER, 0L); /* Tell libcurl to



not verify the peer */
so tried to do the same thing in the GDAL code (the obvious point seamed 


to be VSICurlSetOptions in cpl_vsi_curl.cpp) but still does not work.



Someone reported to me a similar issue with recent OSGeo4W.
Did you try setting GDAL_HTTP_UNSAFESSL=YES? This is taken into account in CPLHTTPSetOptions() that is called by VSICurlSetOptions(), >>and this set CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0. 


This solved the issue.
Thanks, yes that works too (and, no I hadn't tried it before) although it's a different solution than setting CURL_CA_BUNDLE , which does not turn >out the certificates verification.
_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev

Reply via email to