[horde] Free Busy URL and self signed SSL cert

Vilius Šumskas vilius at lnk.lt
Tue Mar 20 09:05:55 UTC 2012


> Zitat von Ralf Lang <lang at b1-systems.de>:
> >
> >>> At  least  for me the link above downloads without any problems except
> >>> that  browser  complains  certificate is not valid. If you had installed CA
> >>> into  the  browser  you  should  be  fine  here.  I don't believe that
> >>> Kronolith  uses  SSL  for  Free  Busy  generation at all, so the error
> >>> message must come from the browser.
> >>>
> >>> Maybe  you  are  having  cache  issue?  Try  clearing temporary
> >>> files on the
> >>> browser.
> 
> I have cleared browser cache.
> 
> The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
> 
> >>
> >> I experience the same: Everything alright. No error, no cry.
> >> SSL handling is transparent to kronolith code.
> >
> > It may depend on the Horde_Http_Client backend that's being used.
> > This could be curl, http extension, or fopen(). They may handle
> > certs and self-signed failures differently.
> 
> The error message when googled returns a LOT of curl links. The text
> returned appears to be a Curl error.
> 
> This article looks very interesting:
> 
> http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-
> ssltls-protected-sites/
> 
>  From what he is saying:
> 
> "If $url points toward an HTTPS resource, you?re likely to encounter
> an error like the one below:
> 
> Failed: Error Number: 60. Reason: SSL certificate problem, verify that
> the CA cert is OK. Details: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
> 
> That is EXACTLY the error the error message that I am getting.
> 
> Back to the article:
> 
> "The problem is that cURL has not been configured to trust the
> server?s HTTPS certificate. The concepts of certificates and PKI
> revolves around the trust of Certificate Authorities (CAs), and by
> default, cURL is setup to not trust any CAs, thus it won?t trust any
> web server?s certificate."
> 
> Note his comment that by default, Curl is not set to trust ANY CAs.

Ahh, OK, so you get this message when using Free/Busy URL inline in Kronolith. Kronolith uses Horde_Http_Client for this. And from what we see on your system the library uses curl.

According to http://www.php.net/manual/en/function.curl-setopt.php CURLOPT_SSL_VERIFYPEER is turned off by default since curl 7.10.

You can try paching Horde/Http/Request/Curl.php for this. Or using HTTP PECL extension or fopen() instead and see if this fixes your problem.

-- 
   Vilius



More information about the horde mailing list