On Fri, Sep 13, 2024 at 12:44 PM Bob Gezelter via curl-library <curl-library@lists.haxx.se> wrote:
[...]
> The goal is to be able to use HTTPS in an isolated test environment with
> a self-signed certificate. CURLOPT_SSL_VERIFYHOST seems to be the
> appropriate setting.
>
> The documentation on CURLOPT_SSL_VERIFYHOST states "When the verify
> value is 0, the connection succeeds regardless of the names in the
> certificate."
>
> A reasonable interpretation of that phrase is that with
> CURLOPT_SSL_VERIFYHOST set to 0, a self-signed certificate would be
> accepted. This is an internal testing environment not permitting
> connection to the Internet.

That's actually not really a reasonable interpretation. You're looking for
https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html.

The documentation for CURLOPT_SSL_VERIFYHOST specifically states:

  This option controls checking the server's certificate's claimed
  identity. The separate CURLOPT_SSL_VERIFYPEER options enables/disables
  verification that the certificate is signed by a trusted Certificate
  Authority.

This means that curl doesn't care if the hostname used in the URL matches
any of the hostnames used in the certificate presented by the server. Those
usually match for self-signed certificates, or at least there's rarely a
reason for those not to match.

On top of that, you could create your own CA, create a certificate that
matches the hostname used in your test environment and configure that CA as
trusted. Then you wouldn't have to disable any of CURLOPT_SSL_VERIFYPEER or
CURLOPT_SSL_VERIFYHOST.

Rainer
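
Added example (not part of the message above and not code from the curl project): the private-CA approach suggested in the reply, carried out with the openssl command line. The hostname, CA name and file names are assumed placeholders; the two helpers mirror the separate questions that CURLOPT_SSL_VERIFYPEER (chain) and CURLOPT_SSL_VERIFYHOST (name) answer.

```shell
#!/bin/sh
# Added example: private CA for an isolated test environment (openssl CLI assumed).
# TEST_HOST and all file names are assumed placeholders, not values from the thread.
TEST_HOST="${TEST_HOST:-server.test.internal}"

make_test_pki() {   # $1 = empty working directory
    d="$1"
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Isolated Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. CA key and CA certificate (the only file clients need to trust).
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # 2. Server key and CSR for the hostname used in the test URLs.
    openssl req -new -config "$d/ca.cnf" -subj "/CN=$TEST_HOST" -newkey rsa:2048 \
        -nodes -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # 3. CA signs the CSR; the subjectAltName carries the hostname clients check.
    printf 'subjectAltName = DNS:%s\n' "$TEST_HOST" > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" \
        -out "$d/server.pem" 2>/dev/null || return 1
    # 4. For contrast: a self-signed certificate carrying the same hostname.
    openssl req -x509 -config "$d/ca.cnf" -subj "/CN=$TEST_HOST" \
        -addext "subjectAltName = DNS:$TEST_HOST" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Chain check, the question CURLOPT_SSL_VERIFYPEER answers: $1 = CA file, $2 = cert
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Name check, the question CURLOPT_SSL_VERIFYHOST answers: $1 = cert, $2 = hostname
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}
```

Pointing the client at `ca.pem` with `--cacert` or `CURLOPT_CAINFO` lets both verification options stay at their defaults. `self.pem` passes the name check but fails the chain check, which is the distinction the reply draws.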