
curl-library

Re: php curl insecure connection option is skipped

From: surya chandrika via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 8 May 2019 10:02:10 +0530

Hi,

Disabling CURLOPT_SSL_VERIFYHOST worked. Yes, as you said, this is not
recommended.
But I am not sure why the certificate with the correct hostname is not recognized
from the uploaded certificate.
I added the certificate in the path "/etc/pki/ca-trust/source/anchors/".
In verbose mode it says it got 5 certificates:

* found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
* *found 5 certificates in /etc/pki/ca-trust/source/anchors/*

But it throws the error: SSL: certificate subject name (#1300) does not match
target host name 'abc.com

Any idea why the certificate is not recognized?

On Wed, May 8, 2019 at 12:59 AM Ray Satiro via curl-library <
curl-library_at_cool.haxx.se> wrote:

> On 5/7/2019 1:14 PM, surya chandrika via curl-library wrote:
>
> There is a PHP script which tries to push data to a destination host.
> Looks like after the curl update the insecure option is not working.
> A self-signed certificate with CN as the destination host was copied to
> /etc/pki/ca-trust/source/anchors/
> and ran update-ca-trust
>
> the following option is also set in script
>
>     curl_setopt($this, CURLOPT_CAINFO, '/etc/pki/ca-trust/source/anchors/esn.crt');
>     curl_setopt($this->curl, CURLOPT_CAPATH, "/etc/pki/ca-trust/source/anchors/");
>     curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false);
>
>
>
> * Connected to abc.com (11.111.111.11) port 8443 (#0)
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384
> *    server certificate verification SKIPPED
> *    server certificate status verification SKIPPED
> * SSL: certificate subject name (#1300) does not match target host name '
> abc.com '
> * Closing connection 0
>
>
> curl_version() output
>     [version_number] => 475136
>     [age] => 4
>     [features] => 2671261
>     [ssl_version_number] => 0
>     [version] => 7.64.0
>     [host] => x86_64-pc-linux-gnu
>     [ssl_version] => GnuTLS/3.3.8
>     [libz_version] => 1.2.7
>
> -sh-4.2$ curl --version
> curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.3.8 zlib/1.2.7
>
>
> The name verification is controlled separately, you can use
> CURLOPT_SSL_VERIFYHOST [1] to disable it. However it's almost never right
> to disable certificate checking to work around errors since it's a security
> risk. The certificate the server gives you should be valid for the host.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2019-05-08
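
Added example, not part of the thread and not libcurl or GnuTLS code: a small Python model of the two independent checks described in the reply above, showing that the name check reads only the certificate the server presents, never the files in the anchors directory. The certificate dicts use the layout of Python's ssl.SSLSocket.getpeercert(); the sample certificates, the host "appliance.example", the simplified trust test and the function names are assumptions made for illustration.

```python
# Added illustration: models two independent TLS checks; not libcurl or GnuTLS code.

def dns_names(cert):
    """Names used for the host check: dNSName SANs, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SANs exist the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern.count(".") >= 2:
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False

def decide(presented, host, anchors, verify_peer=True, verify_host=True):
    """Return the list of checks that fail for this connection."""
    failures = []
    # Simplification (assumption): a self-signed cert is trusted only if the
    # identical cert is among the anchors; real chain building is not modelled.
    if verify_peer and presented not in anchors:
        failures.append("peer")
    # The name check reads only the presented cert, never the anchor files.
    if verify_host and not any(name_matches(n, host) for n in dns_names(presented)):
        failures.append("host")
    return failures

# Constructed sample data in the layout returned by ssl.SSLSocket.getpeercert().
ANCHOR = {"subject": ((("commonName", "abc.com"),),)}
PRESENTED = {"subject": ((("commonName", "abc.com"),),),
             "subjectAltName": (("DNS", "appliance.example"),)}

if __name__ == "__main__":
    for peer, hostchk in [(True, True), (False, True), (False, False)]:
        print(peer, hostchk, decide(PRESENTED, "abc.com", [ANCHOR], peer, hostchk))
```

With the peer check off and the host check on, the model still reports a "host" failure, which is the combination shown in the verbose log quoted above.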