[horde] Free Busy URL and self signed SSL cert
Simon Wilson
simon at simonandkate.net
Tue Mar 20 08:49:02 UTC 2012
----- Message from Jan Schneider <jan at horde.org> ---------
Date: Tue, 20 Mar 2012 09:17:08 +0100
From: Jan Schneider <jan at horde.org>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
To: horde at lists.horde.org
> Quoting Ralf Lang <lang at b1-systems.de>:
>
>>> At least for me the link above downloads without any problems except
>>> that browser complains certificate is not valid. If you had installed CA
>>> into the browser you should be fine here. I don't believe that
>>> Kronolith uses SSL for Free Busy generation at all, so the error
>>> message must come from the browser.
>>>
>>> Maybe you are having cache issue? Try clearing temporary files on the
>>> browser.
I have cleared browser cache.
The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
>>
>> I experience the same: Everything alright. No error, no cry.
>> SSL handling is transparent to kronolith code.
>
> It may depend on the Horde_Http_Client backend that's being used.
> This could be curl, http extension, or fopen(). They may handle
> certs and self-signed failures differently.
The error message when googled returns a LOT of curl links. The text
returned appears to be a Curl error.
This article looks very interesting:
http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
From what he is saying:
"If $url points toward an HTTPS resource, you're likely to encounter
an error like the one below:
Failed: Error Number: 60. Reason: SSL certificate problem, verify that
the CA cert is OK. Details: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
That is EXACTLY the error message that I am getting.
Back to the article:
"The problem is that cURL has not been configured to trust the
server's HTTPS certificate. The concepts of certificates and PKI
revolves around the trust of Certificate Authorities (CAs), and by
default, cURL is setup to not trust any CAs, thus it won't trust any
web server's certificate."
Note his comment that by default, Curl is not set to trust ANY CAs.
>
>>>> Horde config $conf[openssl][cafile] is set to /etc/pki/tls/certs. The
>>>> explanatory text for that says: "The location of the root certificates
>>>> bundle, e.g. /etc/ssl/certs." Does this mean that Horde only checks
>>>> the CA-bundle file located in that folder and installed by the openssl
>>>> package, or does it parse that directory for all valid hashed certs?
>>>> If the latter, then this should verify without any problem...
>>>
>>> AFAIK this should be set to the CA certificate file, not the directory.
>>>
>> Really? Then we should change the explanation.
>
> No, a directory is fine, but this is only used explicitly in
> Horde_Crypt. Horde_Http_Client delegates HTTPS access to the
> underlying backend.
>
> Jan.
>
>
If you add me to your address book, place the following Free/Busy URL
in it - https://mail.simonandkate.net/kronolith/fb.php?u=simon - add
me to a meeting as an attendee, and you will see the error. You can
then even import the CA certificate -
http://www.simonandkate.net/img/cacert.crt - to your browser, to your
horde server, wherever you want... Try again. Still does it.
This does not seem right to me.... the curl issue posted above looks
remarkably like what I am having happen.
Simon.
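
The following is an added example, not part of the original message and not Horde or Horde_Http_Client code. Assuming the curl backend is the one in use, as the thread suspects, it reproduces the fetch with verification left on and shows how a private CA is handed to PHP's curl either as a bundle file or as a certificate directory; the function names and the script name are hypothetical.

```php
<?php
// Added example; not Horde or Horde_Http_Client code. Function names are hypothetical.

// Map a CA location to the matching curl option: a PEM bundle file goes in
// CURLOPT_CAINFO, a directory of hash-named certificates in CURLOPT_CAPATH.
function caOptionsFor(string $caPath): array
{
    if (is_file($caPath)) {
        return [CURLOPT_CAINFO => $caPath];
    }
    if (is_dir($caPath)) {
        return [CURLOPT_CAPATH => $caPath];
    }
    throw new InvalidArgumentException("CA path not found: $caPath");
}

// Fetch $url with peer and host verification left on, trusting only $caPath.
function fetchVerified(string $url, string $caPath): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, caOptionsFor($caPath) + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $result = [
        'errno'  => curl_errno($ch),
        'error'  => curl_error($ch),
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'bytes'  => is_string($body) ? strlen($body) : 0,
    ];
    curl_close($ch);
    return $result;
}

// Usage: php fbcheck.php <free-busy-url> <ca-file-or-directory>
if (PHP_SAPI === 'cli' && $argc === 3) {
    $r = fetchVerified($argv[1], $argv[2]);
    if ($r['errno'] === 60) {
        fwrite(STDERR, "Verification failed (curl error 60): {$r['error']}\n");
        exit(1);
    }
    printf("errno=%d status=%d bytes=%d\n", $r['errno'], $r['status'], $r['bytes']);
}
```

Run it as the web server user so file permissions match what PHP sees. When curl is built against OpenSSL, a directory passed as CURLOPT_CAPATH is searched by certificate hash, so a CA file copied there under its plain name is not picked up until the hash links are created.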