curl_easy_perform returns CURLE_PEER_FAILED_VERIFICATION following curl_easy_setopt(..., CURLOPT_VERIFYHOST, 0L) [libcurl 8.5.0; Ubuntu 24.04]
From: Bob Gezelter via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 13 Sep 2024 03:26:16 -0700

I will preface this with the fact that this is the first time I am using
libcurl https with a self-signed certificate in a network fully isolated
from the Internet. I may have missed something obvious.

The goal is to be able to use HTTPS in an isolated test environment with
a self-signed certificate. CURLOPT_SSL_VERIFYHOST seems to be the
appropriate setting.

The documentation on CURLOPT_SSL_VERIFYHOST states "When the verify
value is 0, the connection succeeds regardless of the names in the
certificate."

A reasonable interpretation of that phrase is that with
CURLOPT_SSL_VERIFYHOST set to 0, a self-signed certificate would be
accepted. This is an internal testing environment not permitting
connection to the Internet.

However, the simple test program:

    #include <stdio.h>
    #include <curl/curl.h>

    int main(void)
    {
        CURLcode Results;
        const char *Modifier;
        curl_version_info_data *curl_version;

        /* Report the libcurl version in use */
        curl_version = curl_version_info(CURLVERSION_NOW);
        fprintf(stderr, "CURL Version: %s\n", curl_version->version);

        CURL *curl = curl_easy_init();
        if (curl) {
            Results = curl_easy_setopt(curl, CURLOPT_URL,
                                       "https://localhost/xyz.html");
            Modifier = "CURL_SSL_VERIFYHOST";
            /* Set CURLOPT_SSL_VERIFYHOST to 0 and report whether setopt succeeded */
            if ((Results = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
                                            0L)) != CURLE_OK)
            {
                fprintf(stderr, "curl_easy_setopt(%s) failed. %s\n",
                        Modifier, curl_easy_strerror(Results));
            }
            else {
                fprintf(stderr, "curl_easy_perform(%s) worked.\n",
                        Modifier);
            }
            /* Run the transfer and report any failure */
            if ((Results = curl_easy_perform(curl)) != CURLE_OK)
            {
                fprintf(stderr, "curl_easy_perform() failed. %s\n",
                        curl_easy_strerror(Results));
            }
            /* Release the handle on both the success and the failure path */
            curl_easy_cleanup(curl);
        }
        return 0;
    }

Outputs:

    CURL Version: 8.5.0
    curl_easy_perform(CURL_SSL_VERIFYHOST) worked.
    curl_easy_perform() failed. SSL peer certificate or SSH remote key was not OK

For reference, the output of "curl --version" is:

    curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
    Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.3
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

- Bob Gezelter, http://www.rlgsc.com

Received on 2024-09-13