Re: curl_easy_perform returns CURLE_PEER_FAILED_VERIFICATION following curl_easy_setopt(..., CURLOPT_VERIFYHOST, 0L) [libcurl 8.5.0; Ubuntu 24.04)
From: Rainer Canavan via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 13 Sep 2024 12:55:31 +0200
On Fri, Sep 13, 2024 at 12:44 PM Bob Gezelter via curl-library
<curl-library_at_lists.haxx.se> wrote:
[...]
> The goal is to be able to use HTTPS in an isolated test environment with
> a self-signed certificate. CURLOPT_SSL_VERIFYHOST seems to be the
> appropriate setting.
>
> The documentation on CURLOPT_SSL_VERIFYHOST states "When the verify
> value is 0, the connection succeeds regardless of the names in the
> certificate."
>
> A reasonable interpretation of that phrase is that with
> CURLOPT_SSL_VERIFYHOST set to 0, a self-signed certificate would be
> accepted. This is an internal testing environment not permitting
> connection to the Internet.
That's actually not really a reasonable interpretation. You're looking
for https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html. The
Documentation for CURLOPT_SSL_VERIFYHOST specifically states:
This option controls checking the server's certificate's claimed
identity. The separate CURLOPT_SSL_VERIFYPEER option enables/disables
verification that the certificate is signed by a trusted Certificate
Authority.
This means that curl doesn't care if the hostname used in the URL
matches any of the hostnames used in the certificate presented by the
server. Those usually match for self-signed certificates, or at least
there's rarely a reason for those not to match.
On top of that, you could create your own CA, create a certificate
that matches the hostname used in your test environment and configure
that CA as trusted. Then you wouldn't have to disable any of
CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST.
Rainer
Received on 2024-09-13