On 5/7/2019 1:14 PM, surya chandrika via curl-library wrote:
> There is a PHP script which tries to push data to the destination host.
> Looks like after the curl update the insecure option is not working.
> A self-signed certificate with CN as the destination host was copied to
> /etc/pki/ca-trust/source/anchors/
> and ran update-ca-trust
>
> The following option is also set in the script
>
> curl_setopt($this, CURLOPT_CAINFO,
> '/etc/pki/ca-trust/source/anchors/esn.crt');
>
> curl_setopt($this->curl,CURLOPT_CAPATH,"/etc/pki/ca-trust/source/anchors/");
> curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false);
>
>
>
> * Connected to abc.com <http://abc.com> (11.111.111.11) port 8443 (#0)
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384
> * server certificate verification SKIPPED
> * server certificate status verification SKIPPED
> * SSL: certificate subject name (#1300) does not match target host
> name 'abc.com <http://abc.com> '
> * Closing connection 0
>
>
> curl_version() output
> [version_number] => 475136
> [age] => 4
> [features] => 2671261
> [ssl_version_number] => 0
> [version] => 7.64.0
> [host] => x86_64-pc-linux-gnu
> [ssl_version] => GnuTLS/3.3.8
> [libz_version] => 1.2.7
>
> -sh-4.2$ curl --version
> curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.3.8 zlib/1.2.7

The name verification is controlled separately; you can use
CURLOPT_SSL_VERIFYHOST [1] to disable it. However, it's almost never right
to disable certificate checking to work around errors since it's a
security risk. The certificate the server gives you should be valid for
the host.

[1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
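
Added example, not part of the original reply or of curl's own code: a PHP sketch of the alternative to disabling checks. It lists the names a pinned certificate is valid for, which is the mismatch the log above reports, and transfers with both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST left on. The function names, the constructed certificate with CN esn.example.test and the simplified wildcard rule are assumptions for illustration; abc.com is the host from the thread.

```php
<?php
// Added example, not code from the thread. Needs the curl and openssl extensions.

// DNS names a certificate is valid for: SAN dNSName entries, else the subject CN.
function certNames(string $pem): array {
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException('not a PEM certificate');
    }
    preg_match_all('/DNS:([^,\s]+)/', $info['extensions']['subjectAltName'] ?? '', $m);
    return $m[1] ?: (array)($info['subject']['CN'] ?? []);
}

// Hostname match allowing one wildcard in the leftmost label (*.example.test).
function nameCovers(string $name, string $host): bool {
    $name = strtolower($name);
    $host = strtolower($host);
    $dot = strpos($host, '.');
    return $name === $host || (strncmp($name, '*.', 2) === 0
        && $dot !== false && substr($host, $dot) === substr($name, 1));
}

// Transfer with both checks left on; trust comes from the pinned certificate file.
function postVerified(string $url, string $caFile, string $body): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_SSL_VERIFYPEER => true, // chain must lead to $caFile
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must name the host
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $out = curl_exec($ch);
    if ($out === false) {
        throw new RuntimeException(curl_error($ch));
    }
    return $out;
}

// Constructed sample: a self-signed certificate whose CN is NOT the target host.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'esn.example.test'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30), $pem);

$host = 'abc.com'; // host from the thread
$ok = array_filter(certNames($pem), fn($n) => nameCovers($n, $host));
echo $ok ? "certificate covers $host\n"
         : "certificate names [" . implode(', ', certNames($pem)) . "] do not cover $host: reissue it\n";
```

Running certNames() on the real esn.crt shows which names it actually carries; once it names the host, postVerified() takes the place of the three curl_setopt() lines in the quoted script.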