Re: [libvirt] VMware support and libcurl on rhel-u1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/7/28 Daniel P. Berrange <berrange@xxxxxxxxxx>:
> On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
>> doesn't work for me(with curl 7.15 and ESX4i)
>>
>> [root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
>> Enter username for 172.30.8.63 [root]:
>> Enter root password for 172.30.8.63:
>> error: internal error curl_easy_perform() returned an error: SSL peer certificate was not ok (51)
>> error: failed to connect to the hypervisor
>>
>> I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
>> --- a/src/esx/esx_vi.c
>> +++ b/src/esx/esx_vi.c
>> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const char *url,
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1);
>> +    curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1);
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers);
>>      curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
>> ----
>
> ACK, this makes sense.  VERIFYHOST tells curl to verify that the
> passed in hostname matches the cname in the certifcate. VERIFYPEER
> tells curl to verify the certificate validaty itself. So we want
> to be disabling both when no_verify=1
>
> Daniel

ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
contain a cname and must match, the default) instead of 1 (certificate
must contain a cname, but must not match) when no_verify=0, see
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST

curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);

Matthias

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]