[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] VMware support and libcurl on rhel-u1



On Tue, Jul 28, 2009 at 11:39:28AM +0200, Matthias Bolte wrote:
> 2009/7/28 Daniel P. Berrange <berrange redhat com>:
> > On Tue, Jul 28, 2009 at 02:22:25AM -0700, Shahar Klein wrote:
> >> doesn't work for me(with curl 7.15 and ESX4i)
> >>
> >> [root rain8 libvirt]# virsh -c esx://172.30.8.63?no_verify=1
> >> Enter username for 172.30.8.63 [root]:
> >> Enter root password for 172.30.8.63:
> >> error: internal error curl_easy_perform() returned an error: SSL peer certificate was not ok (51)
> >> error: failed to connect to the hypervisor
> >>
> >> I had to set(unset) CURLOPT_SSL_VERIFYHOST in order to connect:
> >> --- a/src/esx/esx_vi.c
> >> +++ b/src/esx/esx_vi.c
> >> @@ -239,6 +239,7 @@ esxVI_Context_Connect(virConnectPtr conn, esxVI_Context *ctx, const char *url,
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_HEADER, 0);
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_FOLLOWLOCATION, 1);
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYPEER, noVerify ? 0 : 1);
> >> +    curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 1);
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_COOKIEFILE, "");
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_HTTPHEADER, ctx->curl_headers);
> >>      curl_easy_setopt(ctx->curl_handle, CURLOPT_WRITEFUNCTION,
> >> ----
> >
> > ACK, this makes sense.  VERIFYHOST tells curl to verify that the
> > passed in hostname matches the cname in the certifcate. VERIFYPEER
> > tells curl to verify the certificate validaty itself. So we want
> > to be disabling both when no_verify=1
> >
> > Daniel
> 
> ACK, but CURLOPT_SSL_VERIFYHOST should be set to 2 (certificate must
> contain a cname and must match, the default) instead of 1 (certificate
> must contain a cname, but must not match) when no_verify=0, see
> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
> 
> curl_easy_setopt(ctx->curl_handle, CURLOPT_SSL_VERIFYHOST, noVerify ? 0 : 2);

  Okay, I will push this, 

   thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]