curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: php curl insecure connection option is skipped

From: surya chandrika via curl-library <>
Date: Fri, 10 May 2019 18:27:27 +0530

I Ran the following

-sh-4.2$ HOST=<myhost>; echo | openssl s_client -servername $HOST -connect
$HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST
unable to load certificate
139697300731712:error:0906D06C:PEM routines:PEM_read_bio:no start
line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

I added a self signed certificate for this host. Could that be a reason?

On Wed, May 8, 2019 at 11:48 AM Ray Satiro via curl-library <> wrote:

> On 5/8/2019 12:32 AM, surya chandrika wrote:
> Disabling CURLOPT_SSL_VERIFYHOST worked. Yes as you said this is not
> recommended.
> But am not sure why certificate with correct hostname is not recognized
> from uploaded certificate.
> I added certificate in path "/etc/pki/ca-trust/source/anchors/
> In verbose mode it says it got 5 certificate
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
> *But throw error *SSL: certificate subject name (#1300) does not match
> target host name '
> Any idea why certificate is not recognized
> If is a hostname in the certificate then you should not see that
> message. Check if OpenSSL gives different results:
> ( ; echo | openssl s_client -servername $HOST -connect
> $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST)
> Instead of -checkhost $HOST you can use -text to dump the certificate
> details. You should see the hostname in X509v3 Subject Alternative Name.
> -------------------------------------------------------------------
> Unsubscribe:
> Etiquette:

Received on 2019-05-10