On Tue, Jul 28, 2009 at 11:39:28AM +0200, Matthias Bolte wrote:
2009/7/28 Daniel P. Berrange <berrange@redhat.com>:
On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
doesn't work for me(with curl 7.15 and ESX4i)
[root@rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1 Enter username for 172.30.8.63 [root]: Enter root password for 172.30.8.63: error: internal error curl_easy_perform() returned an error: SSL peer certificate was not ok (51) error: failed to connect to the hypervisor
I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect: --- a/src/esx/esx_vi.c +++ b/src/esx/esx_vi.c @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const char *url, curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0); curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1); curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1); + curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1); curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, ""); curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers); curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION, ----
ACK, this makes sense. VERIFYHOST tells curl to verify that the passed in hostname matches the cname in the certifcate. VERIFYPEER tells curl to verify the certificate validaty itself. So we want to be disabling both when no_verify=1
Daniel
ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must contain a cname and must match, the default) instead of 1 (certificate must contain a cname, but must not match) when no_verify=0, see http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);
Okay, I will push this, thanks ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/