[horde] Free Busy URL and self signed SSL cert

Simon Wilson simon at simonandkate.net
Tue Mar 20 09:42:56 UTC 2012


----- Message from Vilius Šumskas <vilius at lnk.lt> ---------
    Date: Tue, 20 Mar 2012 11:05:55 +0200
    From: Vilius Šumskas <vilius at lnk.lt>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
      To: horde at lists.horde.org


>> Quoting Ralf Lang <lang at b1-systems.de>:
>> >
>> >>> At least for me the link above downloads without any problems except
>> >>> that browser complains certificate is not valid. If you had installed CA
>> >>> into the browser you should be fine here. I don't believe that
>> >>> Kronolith uses SSL for Free Busy generation at all, so the error
>> >>> message must come from the browser.
>> >>>
>> >>> Maybe you are having cache issue? Try clearing temporary files on the
>> >>> browser.
>>
>> I have cleared browser cache.
>>
>> The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
>>
>> >>
>> >> I experience the same: Everything alright. No error, no cry.
>> >> SSL handling is transparent to kronolith code.
>> >
>> > It may depend on the Horde_Http_Client backend that's being used.
>> > This could be curl, http extension, or fopen(). They may handle
>> > certs and self-signed failures differently.
>>
>> The error message when googled returns a LOT of curl links. The text
>> returned appears to be a Curl error.
>>
>> This article looks very interesting:
>>
>> http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
>>
>> From what he is saying:
>>
>> "If $url points toward an HTTPS resource, you're likely to encounter
>> an error like the one below:
>>
>> Failed: Error Number: 60. Reason: SSL certificate problem, verify that
>> the CA cert is OK. Details: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>>
>> That is EXACTLY the error message that I am getting.
>>
>> Back to the article:
>>
>> "The problem is that cURL has not been configured to trust the
>> server's HTTPS certificate. The concepts of certificates and PKI
>> revolves around the trust of Certificate Authorities (CAs), and by
>> default, cURL is setup to not trust any CAs, thus it won't trust any
>> web server's certificate."
>>
>> Note his comment that by default, Curl is not set to trust ANY CAs.
>
> Ahh, OK, so you get this message when using Free/Busy URL inline in  
> Kronolith. Kronolith uses Horde_Http_Client for this. And from what  
> we see on your system the library uses curl.
>
> According to http://www.php.net/manual/en/function.curl-setopt.php  
> CURLOPT_SSL_VERIFYPEER is turned off by default since curl 7.10.
>
> You can try patching Horde/Http/Request/Curl.php for this. Or using  
> HTTP PECL extension or fopen() instead and see if this fixes your  
> problem.
>
> --
>    Vilius
>

Bingo.

Thank you guys. Patched Curl.php on the Horde server.

--- Curl.php.old        2012-03-20 19:34:18.000000000 +1000
+++ Curl.php    2012-03-20 19:35:39.000000000 +1000
@@ -56,6 +56,7 @@
          curl_setopt($curl, CURLOPT_URL, $this->uri);
          curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
          curl_setopt($curl, CURLOPT_HEADER, true);
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
          curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $this->method);
          curl_setopt($curl, CURLOPT_TIMEOUT, $this->timeout);
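Review bot: the added CURLOPT_SSL_VERIFYPEER line sets verification to false unconditionally, right alongside the URL and method options, so every HTTPS request sent through this Curl request class will accept an unverified certificate, not only the Free/Busy fetch from the host with the privately signed certificate. Suggest leaving peer verification enabled and pointing curl at the private CA file with CURLOPT_CAINFO instead, or at minimum making the setting depend on a configuration option that defaults to verifying.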


This is probably not an ideal fix, as it just tells curl to not test  
SSL certs at all I think (?) but it works for me in this situation.

Curl on my server is 7.15, so yes, defaulting to TRUE.

How would I use the PECL_HTTP extension? Is it just a case of  
installing it and enabling in php.ini? Any benefits over what I have  
done?

Thanks again everyone for your help. Jan - should I log this as a bug  
for further action?

Simon.
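
One way to keep verification enabled while trusting the private CA discussed in this thread, as an added example that is not part of the original post or of Horde's code; the function names, the CA file path and the URL are assumptions chosen for illustration.

```php
<?php
// Added example, not Horde code. Path and URL at the bottom are placeholders.

/** cURL options that keep verification on and trust a single private CA. */
function tlsOptionsForPrivateCa(string $caFile): array
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    if (strpos(file_get_contents($caFile), '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("Not a PEM certificate file: $caFile");
    }
    return [
        CURLOPT_SSL_VERIFYPEER => true,    // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate must match the host name
        CURLOPT_CAINFO         => $caFile, // trust anchor: the private CA
    ];
}

/** Fetch a URL over HTTPS, failing closed on any certificate problem. */
function fetchWithPrivateCa(string $url, string $caFile, int $timeout = 10): string
{
    $curl = curl_init();
    curl_setopt_array($curl, tlsOptionsForPrivateCa($caFile) + [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
    ]);
    $body = curl_exec($curl);
    if ($body === false) {
        // errno 60 is the "SSL certificate problem" error quoted in this thread
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($curl), curl_error($curl))
        );
    }
    return $body;
}

try {
    // Placeholder values: substitute the real CA file and Free/Busy URL.
    echo fetchWithPrivateCa('https://calendar.example.test/freebusy',
                            '/etc/pki/tls/certs/private-ca.pem');
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```

With the placeholder CA path the script stops at the readability check before any network request is made.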




