Wednesday, December 22, 2010

Daily built binary packages for MapServer with OpenSSL support

SSL support has been added to the daily built binaries, which provides the option to access a secure (HTTPS) WMS/WFS server on Windows. Here are the key steps to configure this option in your MapServer/MapScript installation:

1. Configure the mapfile with one or more WMS/WFS client layers

This requires configuring a layer with 'CONNECTIONTYPE WMS' or 'CONNECTIONTYPE WFS' and setting up your connection information according to the following fragment:

LAYER
  CONNECTION "https://www.secureservice.com/service?"
  CONNECTIONTYPE WMS
  METADATA
    "wms_srs"             "EPSG:4326"
    "wms_name"            "NAME"
    "wms_format"          "image/png"
    "wms_server_version"  "1.1.1"
    "wms_auth_username"   "username"
    "wms_auth_password"   "password"
  END
  TYPE RASTER
  ...
END


2. Make sure to install all the required files in your deployment

For SSL support you need to install libeay32.dll and ssleay32.dll along with libcurl.dll in the run-time configuration. Without OpenSSL added to the builds you get the following error:

msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl error code 1 (Protocol https not supported or disabled in libcurl)

3. Set up the certificate bundle along with your installation.

In short, you need to set the CURL_CA_BUNDLE environment variable to point to the location of the .crt file. You can find this file (curl-ca-bundle.crt) in the /bin/curl folder of the binary packages mentioned above. The file contains the most recent version of http://curl.haxx.se/ca/cacert.pem (at the time of the nightly build).

Note: CURL_CA_BUNDLE can be set system wide (in My Computer->Properties), however you may prefer to apply this environment setting only to the process hosting the MapServer libraries so as not to cause side effects for other applications using libcurl and OpenSSL. The main issue here is that most of the libraries use getenv to retrieve the environment setting, which operates only on the data structures accessible to the run-time library (msvcrt) and not on the environment "segment" created for the process by the operating system, so the libraries see only a snapshot of the variables that were set during process startup. You may therefore either set the environment before the process is started (by using a startup script) or use _putenv to set the environment variable at run time. I will try to discuss this topic in more detail in a subsequent post.

You can check whether your WMS/WFS server is reachable with the standalone curl.exe included in the binary packages: open an SDK command prompt with the SDKShell.bat shipped with the packages and call your service with a valid URL, like:

 curl "https://username:password@www.secureservice.com/service?..."

If you get a valid data response at this point, you may omit the following step.

4. Extract the certificate entry from the server

If the previous step produces the following error instead, your remote server probably uses a self-signed SSL certificate, so the server certificate is not included in your CA bundle file:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

To get the remote server certificate you can use openssl.exe in the command prompt (also included in the daily built packages) according to the following example (the default SSL port, 443, applies in most cases):

  openssl s_client -connect www.secureservice.com:443

Copy everything from the "-----BEGIN CERTIFICATE-----" line to the "-----END CERTIFICATE-----" line (both included), paste it at the end of the curl-ca-bundle.crt file, and repeat step 3 to make sure the certificate data is now working.
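Doing the copy and paste of step 4 by hand is easy to get wrong (a missing marker line, a bundle without a final newline, or the same certificate pasted twice). As an added example that is not part of the original post or of the MapServer packages, the following POSIX shell functions (assuming awk, grep, tr and tail are available) extract the certificate block from saved openssl s_client output and append it to the bundle only when it is not already there; all file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: automates step 4 (copying the block
# from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into the bundle)
# and refuses to append the same certificate twice.
# Assumes a POSIX shell with awk, grep, tr and tail; file paths are placeholders.

# Print the first PEM certificate block on stdin, BEGIN and END lines included
# (what the text tells you to copy out of the openssl s_client output).
extract_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Collapse the base64 body of one PEM certificate (stdin) to a single line,
# dropping the dashed marker lines and any CR/LF (Windows line endings).
cert_body() {
    grep -v -- '-----' | tr -d '\r\n'
}

# Return 0 if bundle $1 already holds a certificate whose body equals $2.
bundle_has_body() {
    [ -f "$1" ] && [ -n "$2" ] || return 1
    # Emit each certificate body in the bundle as one line, then exact-match it.
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; p = 1; next }
         /-----END CERTIFICATE-----/   { if (p) print b; p = 0; next }
         p { b = b $0 }' "$1" | tr -d '\r' | grep -qxF -- "$2"
}

# Append the certificate found in s_client output file $2 to bundle $1 unless
# it is already there. Prints "added" or "present"; returns 1 if $2 holds none.
append_cert_to_bundle() {
    cert=$(extract_pem_cert < "$2")
    [ -n "$cert" ] || { echo "no certificate block in $2" >&2; return 1; }
    body=$(printf '%s\n' "$cert" | cert_body)
    if bundle_has_body "$1" "$body"; then
        echo present
        return 0
    fi
    # Pasting onto a bundle that lacks a final newline would fuse the END line
    # of the last entry with our BEGIN line, so add one when needed.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        echo >> "$1"
    fi
    printf '%s\n' "$cert" >> "$1"
    echo added
}
```

Save the output of the openssl s_client command from above to a file, then call append_cert_to_bundle with the bundle path and that file; afterwards re-run the curl check from step 3 to confirm the bundle is accepted.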