[horde] Free Busy URL and self signed SSL cert
Simon Wilson
simon at simonandkate.net
Tue Mar 20 09:49:34 UTC 2012
----- Message from Simon Wilson <simon at simonandkate.net> ---------
Date: Tue, 20 Mar 2012 19:42:56 +1000
From: Simon Wilson <simon at simonandkate.net>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
To: horde at lists.horde.org
> ----- Message from Vilius Šumskas <vilius at lnk.lt> ---------
> Date: Tue, 20 Mar 2012 11:05:55 +0200
> From: Vilius Šumskas <vilius at lnk.lt>
> Subject: Re: [horde] Free Busy URL and self signed SSL cert
> To: horde at lists.horde.org
>
>
>>> Zitat von Ralf Lang <lang at b1-systems.de>:
>>>>
>>>>>> At least for me the link above downloads without any problems except
>>>>>> that browser complains certificate is not valid. If you had
>>>>>> installed CA
>>>>>> into the browser you should be fine here. I don't believe that
>>>>>> Kronolith uses SSL for Free Busy generation at all, so the error
>>>>>> message must come from the browser.
>>>>>>
>>>>>> Maybe you are having cache issue? Try clearing temporary
>>>>>> files on the
>>>>>> browser.
>>>
>>> I have cleared browser cache.
>>>
>>> The PC trusts the CA - see http://www.simonandkate.net/img/trust.jpg
>>>
>>>>>
>>>>> I experience the same: Everything alright. No error, no cry.
>>>>> SSL handling is transparent to kronolith code.
>>>>
>>>> It may depend on the Horde_Http_Client backend that's being used.
>>>> This could be curl, http extension, or fopen(). They may handle
>>>> certs and self-signed failures differently.
>>>
>>> The error message when googled returns a LOT of curl links. The text
>>> returned appears to be a Curl error.
>>>
>>> This article looks very interesting:
>>>
>>> http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-
>>> ssltls-protected-sites/
>>>
>>> From what he is saying:
>>>
>>> "If $url points toward an HTTPS resource, you're likely to encounter
>>> an error like the one below:
>>>
>>> Failed: Error Number: 60. Reason: SSL certificate problem, verify that
>>> the CA cert is OK. Details: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>>>
>>> That is EXACTLY the error message that I am getting.
>>>
>>> Back to the article:
>>>
>>> "The problem is that cURL has not been configured to trust the
>>> server's HTTPS certificate. The concepts of certificates and PKI
>>> revolves around the trust of Certificate Authorities (CAs), and by
>>> default, cURL is setup to not trust any CAs, thus it won't trust any
>>> web server's certificate."
>>>
>>> Note his comment that by default, Curl is not set to trust ANY CAs.
>>
>> Ahh, OK, so you get this message when using Free/Busy URL inline in
>> Kronolith. Kronolith uses Horde_Http_Client for this. And from what
>> we see on your system the library uses curl.
>>
>> According to http://www.php.net/manual/en/function.curl-setopt.php
>> CURLOPT_SSL_VERIFYPEER is turned off by default since curl 7.10.
>>
>> You can try patching Horde/Http/Request/Curl.php for this. Or using
>> HTTP PECL extension or fopen() instead and see if this fixes your
>> problem.
>>
>> --
>> Vilius
>>
>
> Bingo.
>
> Thank you guys. Patched Curl.php on the Horde server.
>
> --- Curl.php.old 2012-03-20 19:34:18.000000000 +1000
> +++ Curl.php 2012-03-20 19:35:39.000000000 +1000
> @@ -56,6 +56,7 @@
> curl_setopt($curl, CURLOPT_URL, $this->uri);
> curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
> curl_setopt($curl, CURLOPT_HEADER, true);
> + curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
> curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $this->method);
> curl_setopt($curl, CURLOPT_TIMEOUT, $this->timeout);
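Review bot: the added line `+ curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);` switches certificate verification off for every request this Curl backend makes, not only the free/busy fetch, so error 60 disappears because any certificate at all is now accepted, including one presented by a third party on the path. Since the PC already trusts the CA, the narrower fix is to leave CURLOPT_SSL_VERIFYPEER at true and tell curl where that CA lives: CURLOPT_CAINFO takes a PEM file (the $conf[openssl][cafile] value mentioned further down the thread would fit), whereas CURLOPT_CAPATH expects a directory of certificates. The hunk also hard-codes the value instead of reading it from configuration, so verification cannot be turned back on without editing the library again.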
>
>
> This is probably not an ideal fix, as it just tells curl to not test
> SSL certs at all I think (?) but it works for me in this situation.
>
> Curl on my server is 7.15, so yes, defaulting to TRUE.
>
> How would I use the PECL_HTTP extension? Is it just a case of
> installing it and enabling in php.ini? Any benefits over what I have
> done?
>
> Thanks again everyone for your help. Jan - should I log this as a
> bug for further action?
>
> Simon.
>
>
I'm sure a better option would be to set CURLOPT_CAPATH =
$conf[openssl][cafile] and leave CURLOPT_SSL_VERIFYPEER to true... but
not confident of my ability to do that properly.
Simon.
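The alternative Simon sketches above, keeping peer verification on and pointing curl at the configured CA file, as an added example that is not Horde's own code and not part of the original thread. It assumes that `$conf['openssl']['cafile']` names a readable PEM bundle containing the self-signed server certificate (or the CA that issued it) and that the free/busy URL is a placeholder; the function name `fetch_free_busy` is hypothetical.

```php
<?php
// Added example, not Horde's Curl.php: fetch a free/busy URL over HTTPS
// while keeping certificate verification enabled and trusting the site's
// CA through the PEM bundle Horde's openssl config already names.
//
// Assumptions: $caFile is a PEM file that includes the self-signed cert
// (a self-signed cert acts as its own CA) or the CA that signed it.

function fetch_free_busy($url, $caFile, $timeout = 10)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HEADER, false);
    curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);

    // Keep peer verification ON. CURLOPT_CAINFO takes a *file* (PEM bundle);
    // CURLOPT_CAPATH takes a *directory* of hashed certificates. For the
    // single cafile Horde configures, CAINFO is the matching option.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2); // hostname must match the cert
    curl_setopt($curl, CURLOPT_CAINFO, $caFile);

    $body   = curl_exec($curl);
    $errno  = curl_errno($curl);
    $error  = curl_error($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);

    if ($errno !== 0) {
        // Error 60 is the "certificate verify failed" case from the thread.
        // Report it rather than silently accepting an untrusted certificate.
        return array('ok' => false, 'errno' => $errno, 'error' => $error);
    }
    return array('ok' => true, 'status' => $status, 'body' => $body);
}

// Usage, with Horde's configuration array assumed to be available as $conf
// and a placeholder free/busy URL:
// $result = fetch_free_busy('https://calendar.example.test/kronolith/fb.php?u=user',
//                           $conf['openssl']['cafile']);
// if (!$result['ok']) { error_log('free/busy fetch failed: ' . $result['error']); }
```

If the fetch still returns error 60 with this in place, the usual cause is that the bundle holds the wrong certificate: for a self-signed server certificate the server's own certificate must be in the file, and for a private CA the CA certificate (not just the leaf) must be there, and the hostname in the URL must match the certificate's subject or alternative names.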