curl_easy_perform returns CURLE_PEER_FAILED_VERIFICATION following curl_easy_setopt(..., CURLOPT_SSL_VERIFYHOST, 0L) [libcurl 8.5.0; Ubuntu 24.04]

From: Bob Gezelter via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 13 Sep 2024 03:26:16 -0700

I will preface this with the fact that this is the first time I am using
libcurl https with a self-signed certificate in a network fully isolated
from the Internet. I may have missed something obvious.

The goal is to be able to use HTTPS in an isolated test environment with
a self-signed certificate. CURLOPT_SSL_VERIFYHOST seems to be the
appropriate setting.

The documentation on CURLOPT_SSL_VERIFYHOST states "When the verify
value is 0, the connection succeeds regardless of the names in the
certificate."

A reasonable interpretation of that phrase is that with
CURLOPT_SSL_VERIFYHOST set to 0, a self-signed certificate would be
accepted. This is an internal testing environment not permitting
connection to the Internet.

However, the simple test program:

#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
    CURLcode Results;
    char *Modifier;

    /* Report the libcurl version actually linked at run time. */
    curl_version_info_data *curl_version;
    curl_version = curl_version_info(CURLVERSION_NOW);
    fprintf(stderr, "CURL Version: %s\n", curl_version->version);

    CURL *curl = curl_easy_init();
    if (!curl)
        return 1;

    Results = curl_easy_setopt(curl, CURLOPT_URL, "https://localhost/xyz.html");

    /* Only the host name check is disabled here; nothing else is changed. */
    Modifier = "CURL_SSL_VERIFYHOST";
    if ((Results = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L)) != CURLE_OK) {
        fprintf(stderr, "curl_easy_setopt(%s) failed. %s\n",
                Modifier, curl_easy_strerror(Results));
    }
    else {
        fprintf(stderr, "curl_easy_perform(%s) worked.\n", Modifier);
    }

    if ((Results = curl_easy_perform(curl)) != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform() failed. %s\n",
                curl_easy_strerror(Results));
        curl_easy_cleanup(curl);
        return 0;
    }

    curl_easy_cleanup(curl);
    return Results;
}

Outputs:
CURL Version: 8.5.0
curl_easy_perform(CURL_SSL_VERIFYHOST) worked.
curl_easy_perform() failed. SSL peer certificate or SSH remote key was
not OK

For reference, the output of "curl --version" is:
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3
brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7)
libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.3
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap
ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN
IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP
UnixSockets zstd

-- 
- Bob Gezelter, http://www.rlgsc.com
Received on 2024-09-13