[osgeo4w] #474: Outdated CA Certificates

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[osgeo4w] #474: Outdated CA Certificates

OSGeo4W
#474: Outdated CA Certificates
-------------------+---------------------------
Reporter:  maphew  |      Owner:  osgeo4w-dev@…
    Type:  defect  |     Status:  new
Priority:  major   |  Component:  Package
 Version:          |   Keywords:  curl, openssl
-------------------+---------------------------
 I believe either [wiki:pkg-curl], or more likely [wiki:pkg-openssl] have
 outdated CA Certificates, because downloading new certificates and
 pointing curl at them resolves `error:14090086:SSL
 routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`

 Demonstrate error:
 {{{
 C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

 curl: (60) SSL certificate problem, verify that the CA cert is OK.
 Details:
 error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
 failed
 More details here: http://curl.haxx.se/docs/sslcerts.html

 curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). The default
  bundle is named curl-ca-bundle.crt; you can specify an alternate file
  using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.
 }}}

 Demonstrate workaround:
 {{{
 C:\OSGeo4W>curl http://curl.haxx.se/ca/cacert.pem -o ca-bundle.crt
   % Total    % Received % Xferd  Average Speed   Time    Time     Time
 Current
                                  Dload  Upload   Total   Spent    Left
 Speed
 100  250k  100  250k    0     0   178k      0  0:00:01  0:00:01 --:--:--
 255k

 C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
 --cacert ca-bundle.crt
   % Total    % Received % Xferd  Average Speed   Time    Time     Time
 Current
                                  Dload  Upload   Total   Spent    Left
 Speed
 100 1379k  100 1379k    0     0   319k      0  0:00:04  0:00:04 --:--:--
 701k
 }}}

 I'm not sure what the appropriate is folder to put the updated `ca-
 bandle.crt` in so the problem is fixed permanently. There is
 `C:\OSGeo4W\apps\Qt4\certs` but something like `etc/pki/tls...` or
 `apps/openssl` looks more "system" and not qt-app specific.



 Sources:

  - http://stackoverflow.com/a/30728558/14420

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
_______________________________________________
osgeo4w-dev mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/osgeo4w-dev
Reply | Threaded
Open this post in threaded view
|

Re: [osgeo4w] #474: Outdated CA Certificates

OSGeo4W
#474: Outdated CA Certificates
--------------------------+----------------------------
Reporter:  maphew         |       Owner:  osgeo4w-dev@…
    Type:  defect         |      Status:  closed
Priority:  major          |   Component:  Package
 Version:                 |  Resolution:  fixed
Keywords:  curl, openssl  |
--------------------------+----------------------------
Changes (by jef):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 pip is now packaged as python-pip

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474#comment:1>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
_______________________________________________
osgeo4w-dev mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/osgeo4w-dev
Reply | Threaded
Open this post in threaded view
|

Re: [osgeo4w] #474: Outdated CA Certificates

OSGeo4W
In reply to this post by OSGeo4W
#474: Outdated CA Certificates
--------------------------+----------------------------
Reporter:  maphew         |       Owner:  osgeo4w-dev@…
    Type:  defect         |      Status:  closed
Priority:  major          |   Component:  Package
 Version:                 |  Resolution:  fixed
Keywords:  curl, openssl  |
--------------------------+----------------------------

Comment (by rzoller):

 It seems that there are still issues with this, since the issue mentioned
 here with pip was only a symptom of outdated CA certificates, and it looks
 like the certificates haven't actually been updated.

 As suggested in [[http://osgeo-org.1560.x6.nabble.com/gdal-dev-libcurl-
 and-the-certificates-and-Windows-tp5322919p5323113.html|this recent gdal-
 dev thread]], probably the best solution would be to build libcurl with
 SChannel support instead of OpenSSL.

 Btw, is osgeo4w still being actively developed? The only
 [[https://trac.osgeo.org/osgeo4w/browser|source code I found]] has its
 last commit 17 months ago...

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474#comment:2>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.

_______________________________________________
osgeo4w-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/osgeo4w-dev
Reply | Threaded
Open this post in threaded view
|

Re: [osgeo4w] #474: Outdated CA Certificates

OSGeo4W
In reply to this post by OSGeo4W
#474: Outdated CA Certificates
--------------------------+----------------------------
Reporter:  maphew         |       Owner:  osgeo4w-dev@…
    Type:  defect         |      Status:  closed
Priority:  major          |   Component:  Package
 Version:                 |  Resolution:  fixed
Keywords:  curl, openssl  |
--------------------------+----------------------------

Comment (by jef):

 The installer works - no need to change it - so so need to touch the svn.
 The work is maintaining the packages.

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474#comment:3>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.

_______________________________________________
osgeo4w-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/osgeo4w-dev
Reply | Threaded
Open this post in threaded view
|

Re: [osgeo4w] #474: Outdated CA Certificates

OSGeo4W
In reply to this post by OSGeo4W
#474: Outdated CA Certificates
--------------------------+----------------------------
Reporter:  maphew         |       Owner:  osgeo4w-dev@…
    Type:  defect         |      Status:  closed
Priority:  major          |   Component:  Package
 Version:                 |  Resolution:  fixed
Keywords:  curl, openssl  |
--------------------------+----------------------------

Comment (by rzoller):

 Wow, thanks for the quick reply!
 Do you happen to know where I would find the source code for pkg-curl?

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474#comment:4>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.

_______________________________________________
osgeo4w-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/osgeo4w-dev
Reply | Threaded
Open this post in threaded view
|

Re: [osgeo4w] #474: Outdated CA Certificates

OSGeo4W
In reply to this post by OSGeo4W
#474: Outdated CA Certificates
--------------------------+----------------------------
Reporter:  maphew         |       Owner:  osgeo4w-dev@…
    Type:  defect         |      Status:  closed
Priority:  major          |   Component:  Package
 Version:                 |  Resolution:  fixed
Keywords:  curl, openssl  |
--------------------------+----------------------------

Comment (by jef):

 http://download.osgeo.org/osgeo4w/x86/release/curl/ &
 http://download.osgeo.org/osgeo4w/x86_64/release/curl/

--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474#comment:5>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.

_______________________________________________
osgeo4w-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/osgeo4w-dev