[horde] Free Busy URL and self signed SSL cert

Simon Wilson simon at simonandkate.net
Tue Mar 20 08:49:02 UTC 2012


----- Message from Jan Schneider <jan at horde.org> ---------
    Date: Tue, 20 Mar 2012 09:17:08 +0100
    From: Jan Schneider <jan at horde.org>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
      To: horde at lists.horde.org

> Zitat von Ralf Lang <lang at b1-systems.de>:
>
>>> At least for me the link above downloads without any problems except
>>> that browser complains certificate is not valid. If you had installed CA
>>> into the browser you should be fine here. I don't believe that
>>> Kronolith uses SSL for Free Busy generation at all, so the error
>>> message must come from the browser.
>>>
>>> Maybe you are having cache issue? Try clearing temporary files on the
>>> browser.

I have cleared browser cache.

The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg

>>
>> I experience the same: Everything alright. No error, no cry.
>> SSL handling is transparent to kronolith code.
>
> It may depend on the Horde_Http_Client backend that's being used.  
> This could be curl, http extension, or fopen(). They may handle  
> certs and self-signed failures differently.

The error message when googled returns a LOT of curl links. The text  
returned appears to be a Curl error.

This article looks very interesting:

http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

From what he is saying:

"If $url points toward an HTTPS resource, you're likely to encounter
an error like the one below:

Failed: Error Number: 60. Reason: SSL certificate problem, verify that  
the CA cert is OK. Details: error:14090086:SSL  
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

That is EXACTLY the error message that I am getting.

Back to the article:

"The problem is that cURL has not been configured to trust the
server's HTTPS certificate. The concepts of certificates and PKI
revolves around the trust of Certificate Authorities (CAs), and by
default, cURL is setup to not trust any CAs, thus it won't trust any
web server's certificate."

Note his comment that by default, Curl is not set to trust ANY CAs.

>
>>>> Horde config $conf[openssl][cafile]  is set to /etc/pki/tls/certs. The
>>>> explanatory text for that says: "The location of the root certificates
>>>> bundle, e.g. /etc/ssl/certs." Does this mean that Horde only checks
>>>> the CA-bundle file located in that folder and installed by the openssl
>>>> package, or does it parse that directory for all valid hashed certs?
>>>> If the latter, then this should verify without any problem...
>>>
>>> AFAIK this should be set to the CA certificate file, not the directory.
>>>
>> Really? Then we should change the explanation.
>
> No, a directory is fine, but this is only used explicitly in  
> Horde_Crypt. Horde_Http_Client delegates HTTPS access to the  
> underlying backend.
>
> Jan.
>
>

If you add me to your address book, place the following Free/Busy URL  
in it - https://mail.simonandkate.net/kronolith/fb.php?u=simon - add  
me to a meeting as an attendee, and you will see the error. You can  
then even import the CA certificate -  
http://www.simonandkate.net/img/cacert.crt - to your browser, to your  
horde server, wherever you want... Try again. Still does it.

This does not seem right to me.... the curl issue posted above looks  
remarkably like what I am having happen.

Simon.
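
The check discussed in this thread, as an added example that is not part of the original message and is not Horde code: a PHP script that fetches a URL through the curl extension with verification left on, first with curl's default trust settings and then once per CA file or hashed CA directory given on the command line. The function name probe_tls and the command-line layout are assumptions of this example.

```php
<?php
// Added diagnostic, not Horde code. Run it on the Horde server, because the
// Free/Busy URL is fetched by PHP there and the browser's trust store is not used.
// Usage (assumed layout): php probe_tls.php <https-url> [ca-file-or-dir ...]

/**
 * Fetch $url with certificate and host name verification enabled.
 * $trust: null = curl's default trust settings, a file = PEM CA certificate
 * or bundle, a directory = CA directory with OpenSSL hash-named entries.
 */
function probe_tls(string $url, ?string $trust): array
{
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // never switched off to hide the error
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($trust !== null) {
        // A directory only works if it holds hash-named links
        // (created with c_rehash or "openssl rehash").
        $opts[is_dir($trust) ? CURLOPT_CAPATH : CURLOPT_CAINFO] = $trust;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $ok = curl_exec($ch) !== false;
    return [
        'trust' => $trust ?? '(curl default)',
        'ok'    => $ok,
        'errno' => curl_errno($ch), // 60 is the error number quoted in the thread
        'error' => curl_error($ch),
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // The CLI and the web server may load different php.ini files; compare this
    // value in both, since it sets the default CA file for the curl extension.
    printf("curl.cainfo = %s\n", ini_get('curl.cainfo') ?: '(not set)');
    foreach (array_merge([null], array_slice($argv, 2)) as $trust) {
        $r = probe_tls($argv[1], $trust);
        printf("%-28s %s\n", $r['trust'], $r['ok']
            ? 'certificate verified'
            : "failed, errno {$r['errno']}: {$r['error']}");
    }
}
```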



