
I compiled curl 7.37.0 with openssl 1.0.0 and configured them as follows:

openssl conf:
./Configure COMPILER_TYPE --prefix=/path/to/dir --openssldir=/path/to/dir shared threads
curl conf:
./configure --with-ssl=/path/to/openssl --prefix=/path/to/fdir/ --libdir=/path/to/dir/lib

In my code I tell curl where to take the cert from using 'setopt':

curl_easy_setopt(crl, CURLOPT_SSL_VERIFYHOST, 2L);   /* long: check that the cert name matches the host */
curl_easy_setopt(crl, CURLOPT_SSL_VERIFYPEER, 1L);   /* long: verify the cert chain against the CA bundle */
curl_easy_setopt(crl, CURLOPT_CAINFO, "/path/to/cert/ca.crt");   /* path must be a C string */

Now I'm getting 'peer certificate error' (51). Am I missing something here in the openssl/curl configuration?

[update]

The build configuration seems to be fine. I upgraded to curl 7.21.0 from 7.20.0 and it's working as it was before, but after upgrading to 7.37 I'm getting the errors:

"certificate subject name 'XXXXXXXXXX' does not match target host name 'localhost'"

and curl returns error 51

15412s

1 Answer


The server certificate is set out for a different host name than the one you're connecting to (which the error message quite clearly spells out).

That's not supposed to work with CURLOPT_SSL_VERIFYHOST set to 2; if it worked before, it was due to a bug, but I rather suspect the certificate or host name has changed.

You can work around this numerous ways, including setting CURLOPT_SSL_VERIFYHOST to 0 or using CURLOPT_RESOLVE to set the "real" host name to resolve to 127.0.0.1.

Daniel Stenberg
`CURLOPT_SSL_VERIFYHOST to 0` is a bad idea and should be removed from the library. There's no reason to break security like that. Require the site to fix their certificate, or have the library return a meaningful error code when the basic requirements of X.509 and PKIX are not met. – jww Jun 04 '14 at 00:07
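As an added illustration of the check that rejected 'localhost' above (this is not libcurl's own code and is not from the question or the answer): a simplified version of the host name matching that CURLOPT_SSL_VERIFYHOST=2 performs, plus a wrapper showing why 0 makes the mismatch disappear instead of fixing it. Assumed: the wildcard rules are the RFC 6125 subset described in the comments, and the certificate and target names are constructed samples.

```c
/* Added example (not libcurl's code): a simplified re-implementation of the
 * host name check behind CURLOPT_SSL_VERIFYHOST=2, the check that produced
 * "certificate subject name ... does not match target host name 'localhost'".
 * Assumptions: only a leading "*." wildcard is honoured, it matches exactly one
 * label, and at least two labels must follow it (RFC 6125 section 6.4.3). */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two host names (DNS names are case-insensitive). */
static bool names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True when the certificate name `pattern` covers the connection target `host`. */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return names_equal(pattern, host);   /* no wildcard: exact match */
    if (strchr(pattern + 2, '*') != NULL)
        return false;                        /* a single, leading wildcard only */
    const char *suffix = pattern + 1;        /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)
        return false;                        /* "*.com" would be far too broad */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;                        /* host must have its own left label */
    return names_equal(suffix, dot);         /* wildcard consumed exactly one label */
}

/* Mirrors the decision libcurl makes for the two settings discussed above:
 * 2 turns a mismatch into a hard failure (curl error 51 in the question),
 * 0 ignores the mismatch, which is the workaround the comment objects to. */
bool verify_host(long verifyhost, const char *cert_name, const char *target)
{
    return verifyhost == 0 || cert_name_matches(cert_name, target);
}

int main(void)
{   /* Constructed sample: a certificate for www.example.com, target "localhost". */
    printf("VERIFYHOST=2, target localhost: %s\n",
           verify_host(2L, "www.example.com", "localhost") ? "ok" : "mismatch (error 51)");
    printf("VERIFYHOST=2, target www.example.com (e.g. via CURLOPT_RESOLVE): %s\n",
           verify_host(2L, "www.example.com", "www.example.com") ? "ok" : "mismatch");
    return 0;
}
```

Connecting by the certificate's own name and pointing that name at 127.0.0.1 with CURLOPT_RESOLVE keeps this check in force; setting 0 simply skips it.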