I will preface this with the fact that this is the first time I am using libcurl https with a self-signed certificate in a network fully isolated from the Internet. I may have missed something obvious.

The goal is to be able to use HTTPS in an isolated test environment with a self-signed certificate. CURLOPT_SSL_VERIFYHOST seems to be the appropriate setting.

The documentation on CURLOPT_SSL_VERIFYHOST states "When the verify value is 0, the connection succeeds regardless of the names in the certificate."

A reasonable interpretation of that phrase is that with CURLOPT_SSL_VERIFYHOST set to 0, a self-signed certificate would be accepted. This is an internal testing environment not permitting connection to the Internet.

However, the simple test program:

#include <stdio.h>
#include <curl/curl.h>

int main(void)
    {
        CURLcode Results;
        const char *Modifier;

        /* Report the libcurl version in use. */
        curl_version_info_data *curl_version;
        curl_version = curl_version_info(CURLVERSION_NOW);
        fprintf(stderr, "CURL Version: %s\n", curl_version->version);

        CURL *curl = curl_easy_init();
        if  (curl) {
                Results = curl_easy_setopt(curl, CURLOPT_URL,
                    "https://localhost/xyz.html");
                Modifier = "CURL_SSL_VERIFYHOST";
                /* Turn off the certificate host name check only. */
                if  ((Results = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
                    0L)) != CURLE_OK)
                    {
                        fprintf(stderr, "curl_easy_setopt(%s) failed. %s\n",
                            Modifier, curl_easy_strerror(Results));
                        }
                else {
                        fprintf(stderr, "curl_easy_perform(%s) worked.\n",
                            Modifier);
                        }
                /* Run the transfer; this is the call that fails. */
                if  ((Results = curl_easy_perform(curl)) != CURLE_OK)
                    {
                        fprintf(stderr, "curl_easy_perform() failed. %s\n",
                            curl_easy_strerror(Results));
                        curl_easy_cleanup(curl);
                        return 0;
                        }

                curl_easy_cleanup(curl);
                return Results;
                }
        return 0;
        }

Outputs:
CURL Version: 8.5.0
curl_easy_perform(CURL_SSL_VERIFYHOST) worked.
curl_easy_perform() failed. SSL peer certificate or SSH remote key was not OK

For reference, the output of "curl --version" is:
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.3
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd




--
- Bob Gezelter, http://www.rlgsc.com