Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: php curl insecure connection option is skipped

From: surya chandrika via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 8 May 2019 10:02:10 +0530

Hi,

Disabling CURLOPT_SSL_VERIFYHOST worked. Yes as you said this is not
recommended.
But am not sure why certificate with correct hostname is not recognized
from uploaded certificate.
 I added certificate in path "/etc/pki/ca-trust/source/anchors/
In verbose mode it says it got 5 certificate

* found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
* *found 5 certificates in /etc/pki/ca-trust/source/anchors/*

*But throw error *SSL: certificate subject name (#1300) does not match
target host name 'abc.com

Any idea why certificate is not recognized

On Wed, May 8, 2019 at 12:59 AM Ray Satiro via curl-library <
curl-library_at_cool.haxx.se> wrote:

> On 5/7/2019 1:14 PM, surya chandrika via curl-library wrote:
>
> There a php script which tries to push data to?? destination host?? .
> Looks like after curl update in-secure option is not working.
> a self sign certificate with CN as the destination host was copied to
> /etc/pki/ca-trust/source/anchors/
> and ran update-ca-trust??
>
> the following option is also set in script
>
> ?? curl_setopt($this, CURLOPT_CAINFO,
> '/etc/pki/ca-trust/source/anchors/esn.crt');
> ?? ?? ?? ??
> curl_setopt($this->curl,CURLOPT_CAPATH,"/etc/pki/ca-trust/source/anchors/");
> ?? ?? ?? ?? curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false);
>
>
>
> * Connected to abc.com (11.111.111.11) port 8443 (#0)
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384
> *?? ?? ?? ?? server certificate verification SKIPPED
> *?? ?? ?? ?? server certificate status verification SKIPPED
> * SSL: certificate subject name (#1300) does not match target host name '
> abc.com?? '
> * Closing connection 0
>
>
> curl_version() output
> ?? [version_number] => 475136
> ?? ?? [age] => 4
> ?? ?? [features] => 2671261
> ?? ?? [ssl_version_number] => 0
> ?? ?? [version] => 7.64.0
> ?? ?? [host] => x86_64-pc-linux-gnu
> ?? ?? [ssl_version] => GnuTLS/3.3.8
> ?? ?? [libz_version] => 1.2.7
>
> -sh-4.2$ curl --version
> curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.3.8 zlib/1.2.7
>
>
> The name verification is controlled separately, you can use
> CURLOPT_SSL_VERIFYHOST [1] to disable it. However it's almost never right
> to disable certificate checking to work around errors since it's a security
> risk. The certificate the server gives you should be valid for the host.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-05-08