2009/7/28 Daniel P. Berrange <berrange(a)redhat.com>:
> On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
>> doesn't work for me (with curl 7.15 and ESX4i)
>>
>> [root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
>> Enter username for 172.30.8.63 [root]:
>> Enter root password for 172.30.8.63:
>> error: internal error curl_easy_perform() returned an error: SSL peer certificate was not ok (51)
>> error: failed to connect to the hypervisor
>>
>> I had to set (unset) CURLOPT_SSL_VERIFYHOST in order to connect:
>> --- a/src/esx/esx_vi.c
>> +++ b/src/esx/esx_vi.c
>> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context
*ctx, const char *url,
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0
: 1);
>> + curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0
: 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER,
ctx->curl_headers);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
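Review bot: the added line passes 1 to CURLOPT_SSL_VERIFYHOST in the verify case, but 1 only requires that the certificate carries a name and does not check that it matches the host; the default level 2, which also requires the match, is what a no_verify=0 connection should use, so the line should read `curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);` (see the curl_easy_setopt documentation for CURLOPT_SSL_VERIFYHOST). Disabling it together with CURLOPT_SSL_VERIFYPEER when noVerify is set is consistent, since both checks are needed for the peer to be trusted.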
>> ----
>
> ACK, this makes sense. VERIFYHOST tells curl to verify that the
> passed in hostname matches the cname in the certificate. VERIFYPEER
> tells curl to verify the certificate validity itself. So we want
> to be disabling both when no_verify=1
>
> Daniel
ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
contain a cname and must match, the default) instead of 1 (certificate
must contain a cname, but must not match) when no_verify=0, see
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);
Okay, I will push this, thanks!
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
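To make the difference between the three CURLOPT_SSL_VERIFYHOST levels concrete, here is an added example that is neither libvirt nor libcurl code: it models what each level accepts, as described in the thread and the curl documentation. The names `cert_name` and `host` and the simplified one-label wildcard rule are assumptions of this model; a real client leaves the check to the TLS library.

```c
#include <ctype.h>
#include <string.h>

/* Model of the three CURLOPT_SSL_VERIFYHOST levels discussed in the thread.
 * Constructed example, not libcurl code: cert_name stands in for the name
 * read from the server certificate, host for the name the client dialed. */

/* Case-insensitive comparison of two DNS names. */
static int dns_name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Does cert_name cover host? Exact match, or a leading "*." that stands
 * for exactly one label (a simplified form of RFC 6125 wildcard matching). */
static int cert_name_matches(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return dns_name_equal(cert_name + 2, dot + 1);
    }
    return dns_name_equal(cert_name, host);
}

/* level 0: skip the check; level 1: only require that the certificate
 * carries a name; level 2: the name must also match host (curl's default).
 * cert_name == NULL models a certificate without a name.
 * Returns 1 when the connection would be accepted, 0 when rejected. */
int verifyhost_accepts(int level, const char *cert_name, const char *host)
{
    switch (level) {
    case 0:
        return 1;
    case 1:
        return cert_name != NULL;
    case 2:
        return cert_name != NULL && cert_name_matches(cert_name, host);
    default:
        return 0;
    }
}
```

With level 1 a certificate issued for a different name is still accepted, which is why the verify case should pass 2.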