Wednesday, December 22, 2010

Daily built binary packages for MapServer with OpenSSL support

SSL support has been added to the daily built binaries, which makes it possible to access a secure WMS/WFS server on Windows. Here are the key steps to configure this option in your MapServer/MapScript installation:

1. Configure the mapfile with one or more WMS/WFS client layers

This requires configuring a layer with 'CONNECTIONTYPE WMS' or 'CONNECTIONTYPE WFS' and setting up your connection information according to the following fragment:

LAYER
    CONNECTION "https://www.secureservice.com/service?"
    CONNECTIONTYPE WMS
    METADATA
      "wms_srs"    "EPSG:4326"
      "wms_name"    "NAME"
      "wms_format"    "image/png"
      "wms_server_version"    "1.1.1"
      "wms_auth_username" "username"
      "wms_auth_password" "password"
    END
    TYPE RASTER
    ...
END


2. Make sure to install all the required files in your deployment

For SSL support you need to install libeay32.dll and ssleay32.dll along with libcurl.dll in the run-time configuration. Without OpenSSL added to the builds you would get the following error:

msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl error code 1 (Protocol https not supported or disabled in libcurl)

3. Set up the certificate bundle along with your installation.

In short, this requires setting the CURL_CA_BUNDLE environment variable to point to the location of the .crt file. You can find this file (curl-ca-bundle.crt) in the /bin/curl folder of the binary packages mentioned above. The file contains the most recent version of http://curl.haxx.se/ca/cacert.pem (at the time of the nightly build).

Note: CURL_CA_BUNDLE can be set up system wide (in My Computer->Properties), however you may prefer to apply this environment setting only for the process hosting the MapServer libraries so as not to cause side effects for other applications using libcurl and OpenSSL. The main issue here is that most of the libraries use getenv to retrieve the environment setting, which operates only on the data structures accessible to the run-time library (msvcrt) and not on the environment "segment" created for the process by the operating system. The libraries therefore work only on a snapshot of the variables that were set during process startup. For this reason you may choose to set up the environment before the process is started (by using a startup script) or use _putenv to set the environment variable at run time. I will try to discuss this topic in more detail in a subsequent post.

You may check whether your WMS/WFS server is working by using the standalone installation of curl.exe in the binary packages: open an SDK command prompt with the SDKShell.bat supplied with the packages. In the command prompt you may use a valid URL to your service, like:

 curl "https://username:password@www.secureservice.com/service?..."

At this point, if you get a valid data response you may omit the following step.

4. Extract the certificate entry from the server

If you get the following error in the previous step, your remote server probably uses a self-signed SSL certificate and the server certificate is not included in your CA bundle file.

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


To get the remote server certificate you may use openssl.exe in the command prompt (also included in the daily built packages) according to the following example (in most cases you can use the default SSL port, 443):

  openssl s_client -connect www.secureservice.com:443

Copy everything from the "-----BEGIN CERTIFICATE-----" tag to the "-----END CERTIFICATE-----" tag. Paste it at the end of the curl-ca-bundle.crt file, and repeat #3 to make sure the certificate data is now working.
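Pasting the block by hand trusts whatever certificate that one connection returned. The following added example (not part of the original post) automates step 4 but appends the certificate only when its SHA-256 fingerprint matches one obtained separately from the server operator; the function names, the constructed sample output and the source of the fingerprint are assumptions.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
    "subject=/CN=www.secureservice.com\n---\n"
)


def extract_certs(text):
    """Return [(pem, sha256_hex)] for each certificate block found in text."""
    certs = []
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----"]) + "\n"
        certs.append((pem, hashlib.sha256(der).hexdigest()))
    return certs


def add_pinned_cert(s_client_output, bundle_path, expected_sha256):
    """Append the matching certificate to the bundle; True if the file changed."""
    # Accept "SHA256 Fingerprint=AA:BB:..." as well as bare hex.
    expected = expected_sha256.split("=")[-1].replace(":", "").strip().lower()
    bundle = Path(bundle_path)
    trusted = {fp for _, fp in
               extract_certs(bundle.read_text(encoding="utf-8", errors="replace"))}
    for pem, fingerprint in extract_certs(s_client_output):
        if fingerprint != expected:
            continue  # not the certificate the operator vouched for
        if fingerprint in trusted:
            return False  # already in the bundle, nothing to do
        with bundle.open("a", encoding="ascii", newline="\n") as fh:
            fh.write("\n" + pem)
        return True
    raise ValueError("no certificate in the output matches the expected fingerprint")
```

The expected value can be the colon-separated string printed by `openssl x509 -noout -fingerprint -sha256` on the operator's copy of the certificate. Work on a copy of curl-ca-bundle.crt, since the nightly packages ship their own version of the file.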

25 comments:

  1. When running MapServer on IIS (from your build packages), the CURL_CA_BUNDLE is always empty even if this is set in the Windows environment properties (tried Windows 7, Win Server 2008R2, and 6.4 builds for MSVCR 2008 and 2013).

    I tried setting the fastCgi environmentVariables but these are also not picked up. Could this be related to what you wrote - "most of the libraries use getenv..which operates only on the data structures accessible to the run-time library (msvcrt) and not on the environment "segment"

    There are more details at http://lists.osgeo.org/pipermail/mapserver-users/2015-February/077419.html

    Has anyone successfully used environmentVariables and FastCGI on Windows?
