
I have the following code to connect to a site:

#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
    CURL *curl;
    CURLcode res;

    // Initialise libcurl once per program, before any other libcurl call
    curl_global_init(CURL_GLOBAL_DEFAULT);

    curl = curl_easy_init();

    if(curl)
    {
        curl_easy_setopt(curl, CURLOPT_URL, "https://192.168.200.115:8080/appliances");
        curl_easy_setopt(curl, CURLOPT_USERNAME, "myusername");
        curl_easy_setopt(curl, CURLOPT_PASSWORD, "mypassword");
        curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

        // Perform the request; res will get the return code
        res = curl_easy_perform(curl);

        // Check for errors
        if(res != CURLE_OK)
        {
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
        }

        // Always cleanup
        curl_easy_cleanup(curl);
    }

    curl_global_cleanup();

    return 0;
}

When run, I got the error: peer certificate cannot be authenticated with given ca certificates

After googling I found that I had to add the line:

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);  // the option takes a long

But now I get the error: ssl peer certificate or ssh remote key was not ok

I have tried adding in:

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);  // the option takes a long

But still the same error.

How can I solve this?

EDIT: I added verbose logging:

curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);  // the option takes a long

And now I see the following in the output: ssl certificate subject name 'name or server' does not match target host

Harry Boy

3 Answers


The X.509 SSL server certificate sent by the server is invalid. If you really want to disable X.509 certificate verification (please, don't do that), you should set CURLOPT_SSL_VERIFYHOST to 0 (the default is 2) in order to ask libcurl not to fail if the name contained in the certificate does not match the host you are trying to connect to. If you do that, you will probably have to leave CURLOPT_SSL_VERIFYPEER at 0, meaning no X.509 PKI validation.

Remi Gacogne
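What CURLOPT_SSL_VERIFYHOST actually checks, and why the verbose log in the question reports a name mismatch, is easier to see with a stand-alone matcher. The following C program is an added example, not libcurl's own code: it models the RFC 6125 name-matching rules that libcurl applies when comparing a dNSName (or the subject CN) from the certificate against the host in the URL. The function names `dns_name_matches` and `is_ip_literal` and the sample names in `main` are this example's own. The last case mirrors the question: the URL targets `https://192.168.200.115:8080`, and a DNS-type name in a certificate can never match an IP literal, so the fix is a certificate that carries that address in an iPAddress SAN entry (or connecting by the name the certificate was issued for) while both verify options stay at their defaults.

```c
#define _POSIX_C_SOURCE 200112L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* True if host is an IPv4 or IPv6 address literal rather than a DNS name. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive equality of two byte ranges (DNS names are case-insensitive). */
static bool equal_ci(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Does a DNS name taken from a certificate (a dNSName SAN entry, or the
 * subject CN when no SAN is present) identify the host we intend to reach?
 * Rules modelled on RFC 6125 section 6.4.3 as libcurl applies them:
 *   - labels are compared case-insensitively;
 *   - a wildcard is honoured only as the complete left-most label ("*.example.com"),
 *     and only if at least two labels follow it, so "*.com" matches nothing;
 *   - the wildcard stands for exactly one label: "*.example.com" does not
 *     match "a.b.example.com" nor the bare "example.com";
 *   - an IP-literal host never matches a DNS-type name; an address has to be
 *     presented as an iPAddress SAN entry, which this helper does not model.
 */
bool dns_name_matches(const char *cert_name, const char *host)
{
    if (!cert_name || !host || !*cert_name || !*host)
        return false;
    if (is_ip_literal(host))
        return false;

    const char *star = strchr(cert_name, '*');
    if (!star)
        return equal_ci(cert_name, strlen(cert_name), host, strlen(host));

    /* Wildcard must be the entire first label and the only '*' in the name. */
    if (star != cert_name || cert_name[1] != '.' || strchr(cert_name + 1, '*'))
        return false;
    const char *suffix = cert_name + 1;            /* ".example.com" */

    /* Require at least two labels after the wildcard (a dot inside the suffix body). */
    if (strchr(suffix + 1, '.') == NULL)
        return false;

    /* The host must be exactly one non-empty label followed by the same suffix. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return false;
    return equal_ci(hdot, strlen(hdot), suffix, strlen(suffix));
}

int main(void)
{
    /* Constructed (certificate name, target host) pairs for illustration. */
    static const struct { const char *name, *host; } cases[] = {
        { "www.example.com",  "WWW.Example.com" },
        { "*.example.com",    "api.example.com" },
        { "*.example.com",    "a.b.example.com" },
        { "*.com",            "example.com" },
        { "appliances.local", "192.168.200.115" },  /* the question's situation: IP in URL */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-18s -> %s\n", cases[i].name, cases[i].host,
               dns_name_matches(cases[i].name, cases[i].host) ? "match" : "NO MATCH");
    return 0;
}
```

Setting CURLOPT_SSL_VERIFYHOST to 0 simply skips this comparison, which is why the answer above warns against it: the TLS session may still be encrypted, but nothing ties the presented certificate to the server you meant to reach.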

Many recommend against setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER to zero. They say it leaves one open to man-in-the-middle attacks. OTOH, verifying certificates through central authorities could also be open to privacy abuse, as they could be used to track sites that users visit, whether or not said authorities can actually decrypt their content.

This SO answer: "Can't connect to HTTPS site using cURL. Returns 0 length content instead. What can I do?" solved it for me. It seems the author of libcurl provides you with what openSSL needs, but which openSSL only provides out-of-date versions of. openSSL has a tool to regenerate certificate authorities, a script called c_rehash, but, snubbing users of that upstart operating system, Windows, they don't provide a .bat or other Windows script version, when they easily could. What the above SO answer does at the command line ports to "C" and C++ quite readily. On the page

curl - Extract CA Certs from Mozilla

it has a link to a recently generated "cacert.pem" file. Here's the direct link: http://curl.haxx.se/ca/cacert.pem

The "C" and C++ version of using it is then:

curl_easy_setopt(curlHandle, CURLOPT_CAINFO,
  "C:/Programming/Original/QT Projects/libcurlTest/libcurlTest/openssl/cacert.pem");

This lets you use certificates the way they were intended to be used; if that is your aim.

CodeLurker
  • There is a perl script for curl to create the cacert bundle: https://github.com/curl/curl/blob/master/lib/mk-ca-bundle.pl – Marcel Greter May 24 '19 at 21:27
  • Yes, but my point is Perl doesn't come on Windows, although you can install it. They don't give you instructions to do this. They easily could make a .bat script, or some other Windows script too. It would be EASY. They don't. libcurl has a link on its homepage to download a pre-built certificate store. They could link to that. It was just one more thing making life complicated, trying to figure out how to adapt to libcurl on Windows - hence this SO question. Mine is a better answer than disabling checking without at least some consideration. – CodeLurker May 25 '19 at 06:29
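Before pointing CURLOPT_CAINFO at a bundle, it is worth confirming that the file really is a well-formed PEM bundle, since a truncated download or a file saved in the wrong format fails verification in a way that looks just like a bad server certificate. The following C program is an added example, not libcurl's or OpenSSL's code: it parses the PEM framing ("-----BEGIN CERTIFICATE-----" blocks with base64 bodies) and checks that each body decodes to one complete DER SEQUENCE, the outer structure of every X.509 certificate. It does not validate signatures or chains; that is what libcurl's TLS backend does once CURLOPT_SSL_VERIFYPEER is left at its default of 1. The function names and the sample bundle are this example's own, and the sample "certificates" are hand-made DER stubs, not real certificate data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define END_CERT   "-----END CERTIFICATE-----"

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text (line breaks ignored, '=' ends the data) into out.
   Returns the number of bytes written, or -1 on an invalid character or overflow. */
static long b64_decode(const char *s, size_t n, unsigned char *out, size_t cap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)s[i];
        if (isspace(c)) continue;
        if (c == '=') break;
        int v = b64_value(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (len >= cap) return -1;
            out[len++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)len;
}

/* Total encoded size (header + content) of the DER SEQUENCE starting at p, or -1
   if p does not start with a well-formed SEQUENCE header. A decoded block whose
   size differs from this value has been truncated or corrupted. */
static long der_sequence_size(const unsigned char *p, size_t n)
{
    if (n < 2 || p[0] != 0x30) return -1;
    if (p[1] < 0x80) return 2 + p[1];                 /* short-form length */
    int nbytes = p[1] & 0x7F;                         /* long-form: number of length bytes */
    if (nbytes == 0 || nbytes > 4 || n < 2 + (size_t)nbytes) return -1;
    unsigned long len = 0;
    for (int i = 0; i < nbytes; i++) len = (len << 8) | p[2 + i];
    return (long)(2 + nbytes + len);
}

/* Scan a PEM bundle: returns the number of blocks that decode to a complete DER
   SEQUENCE; blocks that are unterminated, not base64, or size-inconsistent are
   counted into *malformed_out when it is non-NULL. */
int count_pem_certificates(const char *pem, int *malformed_out)
{
    int good = 0, malformed = 0;
    const char *p = pem, *begin;
    while ((begin = strstr(p, BEGIN_CERT)) != NULL) {
        const char *body = begin + strlen(BEGIN_CERT);
        const char *end = strstr(body, END_CERT);
        if (end == NULL) {              /* BEGIN without END: the rest is unusable */
            malformed++;
            break;
        }
        unsigned char der[8192];        /* real CA certificates fit comfortably */
        long n = b64_decode(body, (size_t)(end - body), der, sizeof der);
        if (n > 0 && der_sequence_size(der, (size_t)n) == n)
            good++;
        else
            malformed++;
        p = end + strlen(END_CERT);
    }
    if (malformed_out) *malformed_out = malformed;
    return good;
}

/* Convenience wrapper returning only the malformed-block count. */
int count_malformed_pem_blocks(const char *pem)
{
    int malformed = 0;
    count_pem_certificates(pem, &malformed);
    return malformed;
}

/* Constructed sample bundle: the bodies are tiny hand-made DER SEQUENCEs
   (30 03 02 01 05 = SEQUENCE { INTEGER 5 }), not real X.509 certificates. */
const char *SAMPLE_BUNDLE =
    "# Internal CA (constructed)\n"
    BEGIN_CERT "\nMAMCAQU=\n" END_CERT "\n"
    "# Same bytes wrapped over two lines\n"
    BEGIN_CERT "\nMAMC\nAQU=\n" END_CERT "\n"
    "# Length byte claims 5 content bytes but only 3 follow (truncated)\n"
    BEGIN_CERT "\nMAUCAQU=\n" END_CERT "\n"
    "# Not base64 at all\n"
    BEGIN_CERT "\nthis is not base64!\n" END_CERT "\n";

int main(void)
{
    int bad = 0;
    int good = count_pem_certificates(SAMPLE_BUNDLE, &bad);
    printf("usable certificates: %d, malformed blocks: %d\n", good, bad);
    return bad ? 1 : 0;
}
```

Read the real file with fopen/fread and pass its contents to count_pem_certificates; a bundle that reports zero usable certificates, or any malformed blocks, is worth replacing before spending time on the libcurl options themselves.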

I looked up this error message for answers because a development server didn't work - turned out a certificate had expired the evening before.

So your first thing to do would be to take the opportunity to make sure that error handling in your code is fine. And the second thing is to find whoever is responsible for the server and make them fix it.

gnasher729