6:41 a.m.
apperantly I needed to unset CURLOPT_SSL_VERIFYHOST as well
patched that and it is working now
10x
Shahar
________________________________
From: Tom Hughes <tom(a)compton.nu>
To: Shahar Klein <shaharklein(a)yahoo.com>
Sent: Monday, July 27, 2009 2:36:32 PM
Subject: Re: [libvirt] VMware support and libcurl on rhel-u1
On 27/07/09 12:33, Shahar Klein wrote:
this is what I thought but it doesn't work for me:
[root@rain8 libvirt]# virsh -c esx://rain3?transport=http
Enter username for rain3 [root]:
Enter root password for rain3:
error: internal error curl_easy_perform() returned an error: SSL peer
certificate was not ok (51)
error: failed to connect to the hypervisor
maybe because I'm using curl 7.15?
That looks like it is still checking the certificate. Are you sure you're not still
running the unpatched one somehow?
I'm running curl 7.19.4 which isn't that different - does the curl_easy_setopt
manual page mention the CURLOPT_SSL_VERIFYPEER option?
Tom
-- Tom Hughes (tom(a)compton.nu)
http://www.compton.nu/
7:41 a.m.
New subject: [libvirt] VMware support and libcurl on rhel-u1
2009/7/27 Shahar Klein <shaharklein(a)yahoo.com>:
apperantly I needed to unset CURLOPT_SSL_VERIFYHOST as well
patched that and it is working now
10x
Shahar
With latest git HEAD you should be able to connect using
virsh -c esx://rain3?no_verify=1
Regards,
Matthias
4:22 a.m.
New subject: [libvirt] VMware support and libcurl on rhel-u1
doesn't work for me(with curl 7.15 and ESX4i)
[root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
Enter username for 172.30.8.63 [root]:
Enter root password for 172.30.8.63:
error: internal error curl_easy_perform() returned an error: SSL peer certificate was not
ok (51)
error: failed to connect to the hypervisor
I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
--- a/src/esx/esx_vi.c
+++ b/src/esx/esx_vi.c
@@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const
char *url,
curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1);
+ curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1);
curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers);
curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
----
[root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
Enter username for 172.30.8.63 [root]:
Enter root password for 172.30.8.63:
Welcome to virsh, the virtualization interactive terminal. Type: 'help' for help
with commands 'quit' to quit virsh # list Id Name State
---------------------------------- 16 rh53 running
160 Rhel-server 5_3 running virsh #
________________________________
From: Matthias Bolte <matthias.bolte(a)googlemail.com>
To: Shahar Klein <shaharklein(a)yahoo.com>
Cc: Tom Hughes <tom(a)compton.nu>; libvir-list(a)redhat.com
Sent: Monday, July 27, 2009 3:41:16 PM
Subject: Re: [libvirt] VMware support and libcurl on rhel-u1
2009/7/27 Shahar Klein <shaharklein(a)yahoo.com>:
apperantly I needed to unset CURLOPT_SSL_VERIFYHOST as well
patched that and it is working now
10x
Shahar
With latest git HEAD you should be able to connect using
virsh -c esx://rain3?no_verify=1
Regards,
Matthias
4:32 a.m.
New subject: [libvirt] VMware support and libcurl on rhel-u1
On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
doesn't work for me(with curl 7.15 and ESX4i)
[root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
Enter username for 172.30.8.63 [root]:
Enter root password for 172.30.8.63:
error: internal error curl_easy_perform() returned an error: SSL peer certificate was not
ok (51)
error: failed to connect to the hypervisor
I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
--- a/src/esx/esx_vi.c
+++ b/src/esx/esx_vi.c
@@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const
char *url,
curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1);
+ curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1);
curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers);
curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
----
ACK, this makes sense. VERIFYHOST tells curl to verify that the
passed in hostname matches the cname in the certifcate. VERIFYPEER
tells curl to verify the certificate validaty itself. So we want
to be disabling both when no_verify=1
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
4:39 a.m.
New subject: [libvirt] VMware support and libcurl on rhel-u1
2009/7/28 Daniel P. Berrange <berrange(a)redhat.com>:
On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
> doesn't work for me(with curl 7.15 and ESX4i)
>
> [root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
> Enter username for 172.30.8.63 [root]:
> Enter root password for 172.30.8.63:
> error: internal error curl_easy_perform() returned an error: SSL peer certificate was
not ok (51)
> error: failed to connect to the hypervisor
>
> I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
> --- a/src/esx/esx_vi.c
> +++ b/src/esx/esx_vi.c
> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx,
const char *url,
> curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
> curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
> curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 :
1);
> + curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 :
1);
> curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
> curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER,
ctx->curl_headers);
> curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
> ----
ACK, this makes sense. VERIFYHOST tells curl to verify that the
passed in hostname matches the cname in the certifcate. VERIFYPEER
tells curl to verify the certificate validaty itself. So we want
to be disabling both when no_verify=1
Daniel
ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
contain a cname and must match, the default) instead of 1 (certificate
must contain a cname, but must not match) when no_verify=0, see
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);
Matthias
5:09 a.m.
New subject: [libvirt] VMware support and libcurl on rhel-u1
On Tue, Jul 28, 2009 at 11:39:28AM +0200, Matthias Bolte wrote:
2009/7/28 Daniel P. Berrange <berrange(a)redhat.com>:
> On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
>> doesn't work for me(with curl 7.15 and ESX4i)
>>
>> [root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
>> Enter username for 172.30.8.63 [root]:
>> Enter root password for 172.30.8.63:
>> error: internal error curl_easy_perform() returned an error: SSL peer
certificate was not ok (51)
>> error: failed to connect to the hypervisor
>>
>> I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
>> --- a/src/esx/esx_vi.c
>> +++ b/src/esx/esx_vi.c
>> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context
*ctx, const char *url,
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0
: 1);
>> + curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0
: 1);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER,
ctx->curl_headers);
>> curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
>> ----
>
> ACK, this makes sense. VERIFYHOST tells curl to verify that the
> passed in hostname matches the cname in the certifcate. VERIFYPEER
> tells curl to verify the certificate validaty itself. So we want
> to be disabling both when no_verify=1
>
> Daniel
ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
contain a cname and must match, the default) instead of 1 (certificate
must contain a cname, but must not match) when no_verify=0, see
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);
Okay, I will push this,
thanks !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
5596
days inactive
5597
days old
5 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Daniel Veillard -
Matthias Bolte -
Shahar Klein