curl-users

Re: insecure (-k) requires "Common Name"

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 25 Aug 2003 05:44:43 +0200 (CEST)

On Sun, 24 Aug 2003, Daniel Stenberg wrote:

> > curl: (51) SSL: unable to obtain common name from peer certificate
>
> This happens because curl sets CURLOPT_SSL_VERIFYHOST to 1 when -k is used,
> not 0. Using 0 would prevent this failure I think.
>
> What do other people say, should we use 0 on -k?

[replying to myself!]

Nah, after thinking about this a bit more, I've come to this conclusion:

This is a libcurl bug. When CURLOPT_SSL_VERIFYHOST is set to 1, as the curl
tool sets it to, the library is supposed to only display a notice in case the
CN differs from the host name in use.

I consider this as an "OK" for a completely missing CN too, and I've now
modified libcurl slightly to output a warning for it (when
CURLOPT_SSL_VERIFYHOST is 1, it will still fail if set to 2 and nothing at all
will be said about it if set to 0).

Thanks for noticing and pointing this out!

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-08-25
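
The three CURLOPT_SSL_VERIFYHOST levels described in the mail above, written out as a small decision model. This is an added example, not part of the original message and not libcurl source code. The names check_host, survey and the fixed flag are hypothetical, the host names are constructed, and the comparison is simplified to a case-insensitive exact match on the CN.

```python
# Added illustration: models the behaviour described in the mail, not libcurl code.
EXIT_CODE = 51  # the code shown in the quoted "curl: (51)" error


def check_host(level, cert_cn, hostname, fixed=True):
    """Return (exit_code, notice); exit_code 0 means the transfer proceeds.

    level    -- value of CURLOPT_SSL_VERIFYHOST (0, 1 or 2)
    cert_cn  -- Common Name from the peer certificate, None if absent
    fixed    -- False models the bug reported in this thread, where a
                missing CN was fatal even at level 1
    """
    if level not in (0, 1, 2):
        raise ValueError("level must be 0, 1 or 2")
    if level == 0:
        return 0, None  # no check, nothing reported
    if cert_cn is None:
        problem = "unable to obtain common name from peer certificate"
        fatal = level == 2 or not fixed
    elif cert_cn.lower() != hostname.lower():
        # Wording of this notice is made up for the model.
        problem = "common name %r does not match %r" % (cert_cn, hostname)
        fatal = level == 2
    else:
        return 0, None  # CN present and matching
    if fatal:
        return EXIT_CODE, "SSL: " + problem
    return 0, "warning: " + problem  # level 1 only reports


def survey(cert_cn, hostname, fixed=True):
    """Exit code per level for one certificate/host pair."""
    return {lvl: check_host(lvl, cert_cn, hostname, fixed)[0] for lvl in (0, 1, 2)}


if __name__ == "__main__":
    # Constructed cases: missing CN (before and after the fix), mismatch, match.
    print("missing CN, before fix:", survey(None, "host.example", fixed=False))
    print("missing CN, after fix: ", survey(None, "host.example"))
    print("CN mismatch:           ", survey("other.example", "host.example"))
    print("CN match:              ", survey("host.example", "host.example"))
```

In this model only level 2 ever stops a transfer, so it is the only level that enforces the host name check. Levels 0 and 1 let a connection to a host with a missing or mismatched CN proceed.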