[horde] Free Busy URL and self signed SSL cert

Jan Schneider jan at horde.org
Tue Mar 20 09:08:04 UTC 2012


Zitat von Simon Wilson <simon at simonandkate.net>:

> ----- Message from Jan Schneider <jan at horde.org> ---------
>    Date: Tue, 20 Mar 2012 09:17:08 +0100
>    From: Jan Schneider <jan at horde.org>
> Subject: Re: [horde] Free Busy URL and self signed SSL cert
>      To: horde at lists.horde.org
>
>> Zitat von Ralf Lang <lang at b1-systems.de>:
>>
>>>> At  least  for me the link above downloads without any problems except
>>>> that  browser  complains  certificate is not valid. If you had  
>>>> installed CA
>>>> into  the  browser  you  should  be  fine  here.  I don't believe that
>>>> Kronolith  uses  SSL  for  Free  Busy  generation at all, so the error
>>>> message must come from the browser.
>>>>
>>>> Maybe  you  are  having  cache  issue?  Try  clearing temporary  
>>>> files on the
>>>> browser.
>
> I have cleared browser cache.
>
> The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
>
>>>
>>> I experience the same: Everything alright. No error, no cry.
>>> SSL handling is transparent to kronolith code.
>>
>> It may depend on the Horde_Http_Client backend that's being used.  
>> This could be curl, http extension, or fopen(). They may handle  
>> certs and self-signed failures differently.
>
> The error message when googled returns a LOT of curl links. The text  
> returned appears to be a Curl error.
>
> This article looks very interesting:
>
> http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
>
> From what he is saying:
>
> "If $url points toward an HTTPS resource, you're likely to encounter  
> an error like the one below:
>
> Failed: Error Number: 60. Reason: SSL certificate problem, verify  
> that the CA cert is OK. Details: error:14090086:SSL  
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>
> That is EXACTLY the error message that I am getting.
>
> Back to the article:
>
> "The problem is that cURL has not been configured to trust the  
> server's HTTPS certificate. The concepts of certificates and PKI  
> revolves around the trust of Certificate Authorities (CAs), and by  
> default, cURL is setup to not trust any CAs, thus it won't trust any  
> web server's certificate."
>
> Note his comment that by default, Curl is not set to trust ANY CAs.
>
>>
>>>>> Horde config $conf[openssl][cafile]  is set to /etc/pki/tls/certs. The
>>>>> explanatory text for that says: "The location of the root certificates
>>>>> bundle, e.g. /etc/ssl/certs." Does this mean that Horde only checks
>>>>> the CA-bundle file located in that folder and installed by the openssl
>>>>> package, or does it parse that directory for all valid hashed certs?
>>>>> If the latter, then this should verify without any problem...
>>>>
>>>> AFAIK this should be set to the CA certificate file, not the directory.
>>>>
>>> Really? Then we should change the explanation.
>>
>> No, a directory is fine, but this is only used explicitly in  
>> Horde_Crypt. Horde_Http_Client delegates HTTPS access to the  
>> underlying backend.
>>
>> Jan.
>>
>>
>
> If you add me to your address book, place the following Free/Busy  
> URL in it - https://mail.simonandkate.net/kronolith/fb.php?u=simon -  
> add me to a meeting as an attendee, and you will see the error. You  
> can then even import the CA certificate -  
> http://www.simonandkate.net/img/cacert.crt - to your browser, to  
> your horde server, wherever you want... Try again. Still does it.
>
> This does not seem right to me.... the curl issue posted above looks  
> remarkably like what I am having happen.

Indeed. To me it sounds like silly behavior of curl, if SSL_VERIFYPEER  
defaults to true but CAINFO or CAPATH do not default to openssl's cert  
file resp. directory. IMO this should be handled transparently by  
curl/openssl. Or is your curl extension or library compiled against  
GnuTLS? I'm not even sure if this is possible.

Anyway, if curl cannot be convinced to use the installed certs  
automatically we may have to add options to Horde_Http to set SSL  
options. The http extension supports those too.

Jan.
-- 
The Horde Project
http://www.horde.org/
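For reference, the option set Jan is describing, written out as an added example with PHP's curl extension (not Horde_Http code): peer and host verification stay enabled, the CA is supplied explicitly through CURLOPT_CAINFO (a bundle file) or CURLOPT_CAPATH (a hashed directory), and curl error 60 is reported rather than silenced. The URL and the bundle path are placeholders.

```php
<?php
// Added example, not Horde code: fetch a Kronolith free/busy URL with
// PHP's curl extension and verify the server cert against a configured CA.
// Assumption: the URL and CA paths below are placeholders for your own.

function fetchFreeBusy(string $url, ?string $caFile = null, ?string $caDir = null): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        // Keep verification on. Setting VERIFYPEER to false makes error 60
        // go away but accepts any certificate, including a forged one.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if ($caFile !== null) {
        // CURLOPT_CAINFO expects a single PEM bundle file ...
        $opts[CURLOPT_CAINFO] = $caFile;
    }
    if ($caDir !== null) {
        // ... whereas CURLOPT_CAPATH expects a directory of hashed certs
        // (as produced by c_rehash), which is what the Horde cafile
        // discussion above is about.
        $opts[CURLOPT_CAPATH] = $caDir;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $result = [
        'ok'    => $body !== false,
        'errno' => curl_errno($ch),   // 60 == CURLE_SSL_CACERT: CA not trusted
        'error' => curl_error($ch),
        'body'  => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $result;
}

// Placeholder values: substitute your free/busy URL and CA bundle.
$r = fetchFreeBusy('https://mail.example.org/kronolith/fb.php?u=simon',
                   '/etc/pki/tls/certs/ca-bundle.crt');
if (!$r['ok']) {
    // Surface the verification failure instead of turning verification off.
    fwrite(STDERR, "curl error {$r['errno']}: {$r['error']}\n");
    exit(1);
}
echo $r['body'];
```

If the CA you import is the self-signed issuer, append its PEM to the bundle file (or place it in the hashed directory) rather than relaxing CURLOPT_SSL_VERIFYPEER.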
