2009/7/28 Daniel P. Berrange <berrange@xxxxxxxxxx>:
> On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
>> doesn't work for me (with curl 7.15 and ESX4i)
>>
>> [root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
>> Enter username for 172.30.8.63 [root]:
>> Enter root password for 172.30.8.63:
>> error: internal error curl_easy_perform() returned an error: SSL peer certificate was not ok (51)
>> error: failed to connect to the hypervisor
>>
>> I had to set (unset) CURLOPT_SSL_VERIFYHOST in order to connect:
>> --- a/src/esx/esx_vi.c
>> +++ b/src/esx/esx_vi.c
>> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const char *url,
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1);
>> + curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
>> ----
>
> ACK, this makes sense. VERIFYHOST tells curl to verify that the
> passed in hostname matches the cname in the certificate. VERIFYPEER
> tells curl to verify the certificate validity itself. So we want
> to be disabling both when no_verify=1
>
> Daniel

ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
contain a cname and must match, the default) instead of 1 (certificate
must contain a cname, but must not match) when no_verify=0, see

http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST

curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);

Matthias
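
Review bot: the added CURLOPT_SSL_VERIFYHOST line passes 1 in the verifying branch (`noVerify ? 0 : 1`), and with the libcurl discussed in this thread that value only requires a name to be present in the certificate, not that it matches the host being connected to. With no_verify=0 a valid certificate issued for a different host would therefore still be accepted; the verifying branch should pass 2. Separately, libcurl documents the values for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST as long, so `noVerify ? 0L : 2L` (and `0L : 1L` on the VERIFYPEER line) avoids passing an int through the variadic call. Since no_verify=1 now turns off both the chain check and the hostname check, it would also be worth documenting next to the URI parameter that such a connection is unauthenticated.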