Hi,

Disabling CURLOPT_SSL_VERIFYHOST worked. Yes, as you said, this is not recommended. But I am not sure why the certificate with the correct hostname is not recognized from the uploaded certificate. I added the certificate in the path "/etc/pki/ca-trust/source/anchors/". In verbose mode it says it got 5 certificates:

* found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
* *found 5 certificates in /etc/pki/ca-trust/source/anchors/*

But it throws the error:

* SSL: certificate subject name (#1300) does not match target host name 'abc.com'

Any idea why the certificate is not recognized?

On Wed, May 8, 2019 at 12:59 AM Ray Satiro via curl-library <curl-library@cool.haxx.se> wrote:

> On 5/7/2019 1:14 PM, surya chandrika via curl-library wrote:
>
> There is a php script which tries to push data to the destination host.
> Looks like after the curl update the insecure option is not working.
> A self-signed certificate with CN as the destination host was copied to
> /etc/pki/ca-trust/source/anchors/
> and ran update-ca-trust
>
> The following option is also set in the script:
>
>     curl_setopt($this, CURLOPT_CAINFO, '/etc/pki/ca-trust/source/anchors/esn.crt');
>     curl_setopt($this->curl,CURLOPT_CAPATH,"/etc/pki/ca-trust/source/anchors/");
>     curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, false);
>
> * Connected to abc.com (11.111.111.11) port 8443 (#0)
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384
> *    server certificate verification SKIPPED
> *    server certificate status verification SKIPPED
> * SSL: certificate subject name (#1300) does not match target host name 'abc.com'
> * Closing connection 0
>
> curl_version() output
>     [version_number] => 475136
>     [age] => 4
>     [features] => 2671261
>     [ssl_version_number] => 0
>     [version] => 7.64.0
>     [host] => x86_64-pc-linux-gnu
>     [ssl_version] => GnuTLS/3.3.8
>     [libz_version] => 1.2.7
>
> -sh-4.2$ curl --version
> curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.3.8 zlib/1.2.7
>
> The name verification is controlled separately, you can use
> CURLOPT_SSL_VERIFYHOST [1] to disable it. However it's almost never right
> to disable certificate checking to work around errors since it's a security
> risk. The certificate the server gives you should be valid for the host.
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
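
One way to see which names a certificate actually presents and whether it is valid for the host being contacted, so the name check can stay enabled. This is an added example, not part of the original thread; it assumes `openssl` 1.0.2 or later is installed, and the function and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: diagnose "certificate subject name does not match target host name".
# Assumptions: openssl >= 1.0.2 on PATH; all function and file names are hypothetical.
# Note: this uses OpenSSL's hostname check. The libcurl in the thread is built
# against GnuTLS, whose matcher may differ in details.

# Print the subject and any subjectAltName entries of the certificate file $1.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Return 0 if the certificate file $1 is valid for host name $2, non-zero otherwise.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Write the leaf certificate that a live server sends to stdout (needs network).
# Compare it with the file placed in the trust anchors: the server may be
# presenting a different certificate than the one that was uploaded.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Constructed sample input: a throwaway self-signed certificate with CN=$1,
# written to $2.pem (key in $2.key). Only used to try the checks offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Typical use against the host from the thread:
#   fetch_server_cert abc.com 8443 > server.pem
#   cert_names server.pem
#   cert_matches_host server.pem abc.com && echo "valid for host" || echo "name mismatch"
```

If `cert_matches_host` fails for the certificate the server sends, the fix is to reissue that certificate with the right name rather than to turn off CURLOPT_SSL_VERIFYHOST.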