Use proper CURLOPT values for VERIFYHOST and VERIFYPEER #1695
Merged
WardF merged 1 commit into Unidata:master from Apr 10, 2020
re: Unidata#1684
re: e-support VZL-904142

Two issues:
1. As of libcurl 7.66, the semantics of CURLOPT_SSL_VERIFYHOST changed so that the non-zero values affect certificate processing.
2. The current library was forcing the values of VERIFYPEER and VERIFYHOST to zero instead of leaving them to the default values.

Solution was first to leave the defaults in place for VERIFYPEER and VERIFYHOST as long as they are not set in .ocrc/.dodsrc file. Second, the value of HTTP.SSL.VERIFYPEER or HTTP.SSL.VERIFYHOST as set in .ocrc/.dodsrc is used to set the corresponding CURLOPT flags. So for example, adding
> HTTP.SSL.VERIFYHOST=2

will set the value of CURLOPT_SSL_VERIFYHOST to 2, the default. Using
> HTTP.SSL.VERIFYHOST=0

will set the value of CURLOPT_SSL_VERIFYHOST to 0, which disables it. Similarly for VERIFYPEER.

Finally the semantics of HTTP.SSL.VALIDATE is now equivalent to
> HTTP.SSL.VERIFYPEER=1
> HTTP.SSL.VERIFYHOST=2
WardF
approved these changes
Apr 10, 2020
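The resolution rules from the pull request description, as an added example that is not code from netcdf-c or from this pull request: it works out which values would be handed to CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST for a given rc file and flags configurations that switch a check off. The names `rc_lookup`, `resolve_ssl_verify`, `weakens_tls` and `UNSET` are hypothetical. The simplified one KEY=VALUE per line parsing, first-match lookup, and explicit keys overriding HTTP.SSL.VALIDATE are assumptions; libcurl itself is not called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNSET (-1L)  /* key absent: make no curl_easy_setopt() call, keep libcurl's default */

struct ssl_verify { long verifypeer, verifyhost; };

/* Value of `key` in rc text (one KEY=VALUE per line), or UNSET if absent. */
static long rc_lookup(const char *rc, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = rc; p && *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return strtol(p + klen + 1, NULL, 10);   /* assumption: first match wins */
        p = strchr(p, '\n');
        if (p) p++;
    }
    return UNSET;
}

/* Resolve what would be passed to CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST. */
struct ssl_verify resolve_ssl_verify(const char *rc)
{
    struct ssl_verify v = { UNSET, UNSET };
    long peer = rc_lookup(rc, "HTTP.SSL.VERIFYPEER");
    long host = rc_lookup(rc, "HTTP.SSL.VERIFYHOST");
    if (rc_lookup(rc, "HTTP.SSL.VALIDATE") > 0) {    /* same as VERIFYPEER=1, VERIFYHOST=2 */
        v.verifypeer = 1;
        v.verifyhost = 2;
    }
    if (peer >= 0) v.verifypeer = peer;   /* assumption: explicit keys override VALIDATE */
    if (host >= 0) v.verifyhost = host;
    return v;
}

/* Audit helper: nonzero when the rc file switches a certificate check off. */
int weakens_tls(struct ssl_verify v)
{
    return v.verifypeer == 0 || v.verifyhost == 0;
}

int main(void)
{
    const char *rc = "HTTP.SSL.VERIFYHOST=0\n";     /* constructed sample rc content */
    struct ssl_verify v = resolve_ssl_verify(rc);
    printf("peer=%ld host=%ld weakened=%d\n", v.verifypeer, v.verifyhost, weakens_tls(v));
    return 0;
}
```

An `UNSET` result is the safe case here: with no option set, libcurl's own defaults (VERIFYPEER 1, VERIFYHOST 2) stay in force.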