[horde] Free Busy URL and self signed SSL cert
Vilius Šumskas
vilius at lnk.lt
Tue Mar 20 09:05:55 UTC 2012
> Quoting Ralf Lang <lang at b1-systems.de>:
> >
> >>> At least for me the link above downloads without any problems except
> >>> that browser complains certificate is not valid. If you had installed CA
> >>> into the browser you should be fine here. I don't believe that
> >>> Kronolith uses SSL for Free Busy generation at all, so the error
> >>> message must come from the browser.
> >>>
> >>> Maybe you are having cache issue? Try clearing temporary
> >>> files on the
> >>> browser.
>
> I have cleared browser cache.
>
> The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
>
> >>
> >> I experience the same: Everything alright. No error, no cry.
> >> SSL handling is transparent to kronolith code.
> >
> > It may depend on the Horde_Http_Client backend that's being used.
> > This could be curl, http extension, or fopen(). They may handle
> > certs and self-signed failures differently.
>
> The error message when googled returns a LOT of curl links. The text
> returned appears to be a Curl error.
>
> This article looks very interesting:
>
> http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
>
> From what he is saying:
>
> "If $url points toward an HTTPS resource, you're likely to encounter
> an error like the one below:
>
> Failed: Error Number: 60. Reason: SSL certificate problem, verify that
> the CA cert is OK. Details: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>
> That is EXACTLY the error message that I am getting.
>
> Back to the article:
>
> "The problem is that cURL has not been configured to trust the
> server's HTTPS certificate. The concepts of certificates and PKI
> revolves around the trust of Certificate Authorities (CAs), and by
> default, cURL is setup to not trust any CAs, thus it won't trust any
> web server's certificate."
>
> Note his comment that by default, Curl is not set to trust ANY CAs.
Ahh, OK, so you get this message when using Free/Busy URL inline in Kronolith. Kronolith uses Horde_Http_Client for this. And from what we see on your system the library uses curl.
According to http://www.php.net/manual/en/function.curl-setopt.php CURLOPT_SSL_VERIFYPEER is turned off by default since curl 7.10.
You can try patching Horde/Http/Request/Curl.php for this. Or use the HTTP PECL extension or fopen() instead and see if this fixes your problem.
--
Vilius
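
An added example, not part of the original message and not Horde code: a stand-alone PHP check that fetches an HTTPS URL through the curl extension while verifying the server against an explicitly named CA file, so the result does not depend on what the browser trusts. The function names, the script name and the command-line arguments are assumptions for illustration.

```php
<?php
// Added example (not Horde code). Verifies an HTTPS server against an
// explicit CA file using PHP's curl extension, with verification kept on.

/** Parse every certificate in a PEM file; throw if it is unusable. */
function load_ca_file(string $caFile): array
{
    $pem = @file_get_contents($caFile);
    if ($pem === false) {
        throw new RuntimeException("CA file not readable by PHP: $caFile");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $certs = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            throw new RuntimeException("Unparseable certificate in $caFile");
        }
        if ($info['validTo_time_t'] < time()) {
            throw new RuntimeException("Expired certificate in $caFile: " . $info['name']);
        }
        $certs[] = $info;
    }
    if (!$certs) {
        throw new RuntimeException("No PEM certificates found in $caFile");
    }
    return $certs;
}

/** Fetch $url, trusting only the certificates in $caFile. */
function fetch_verified(string $url, string $caFile): string
{
    load_ca_file($caFile);                 // fail early on a bad CA file
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,       // validate the host name in the cert
        CURLOPT_CAINFO         => $caFile, // trust anchor for this request
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);          // 60 is the error quoted in the thread
        $hint  = $errno === 60 ? " (verification failed against $caFile)" : '';
        throw new RuntimeException("curl error $errno: " . curl_error($ch) . $hint);
    }
    return $body;
}

// CLI usage (hypothetical script name): php fetch_verified.php <https-url> <ca.pem>
if (PHP_SAPI === 'cli' && isset($argv) && count($argv) === 3) {
    try {
        echo strlen(fetch_verified($argv[1], $argv[2])), " bytes fetched, certificate verified\n";
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

Run it as the same user the web server runs as, since a CA file that your own account can read may not be readable by PHP under that account.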