
#67 no_verify_peer and no_verify_hostname do not work as expected

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-04-22
Created: 2013-10-23
Private: No

The following command executions fail:
$ curlftpfs -o ssl_control,no_verify_peer,no_verify_hostname ftp://somehost.tld/path/ localfolder
Error setting curl: CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

$ curlftpfs -o ssl_control,no_verify_peer ftp://somehost.tld/path/ localfolder
Error connecting to ftp: SSL: certificate subject name 'TS Series NAS' does not match target host name 'somehost.tld'

I am using Arch Linux 64bit with the following relevant packages:
curlftpfs 0.9.2-5
curl 7.33.0-1

I have a NAS station providing an FTP server with SSL using a self-signed certificate. The common name (CN) in the certificate does not equal the hostname which I have to specify when connecting to the server. Additionally, I cannot change the server's certificate since it is built in.
I am purely interested in establishing an encrypted transport connection and want to allow the custom certificate and also want to ignore the CN difference. Therefore, I want to make use of the options no_verify_peer and no_verify_hostname of curlftpfs. However, both of the above command executions fail.
The first error points to a change in curl which should be acknowledged in curlftpfs, and the second error indicates that the verification of the certificate is only partially turned off by no_verify_peer and not fully as expected.

If I can provide additional information, please let me know. Is the project still alive?

Discussion

  • IndiaJenks

    IndiaJenks - 2014-01-01

    Facing the same issue here.
    In particular with the Yahoo secure web hosting.
    A way to pass the expected server certificate subject name would be ideal.
    Looks like the update to curl has broken the 'no_verify_hostname' option on curlftpfs

  • Alexandru Thirtheu

    According to the cURL documentation http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST, the third parameter of the curl_easy_setopt() (and curl_easy_setopt_or_die()) function, called in /curlftpfs-0.9.2/ftpfs.c, line 1630, is no longer accepted as 1.
    One of the two solutions that I see is to pass 0 instead of 1 as the 3rd argument to the curl_easy_setopt_or_die() function in curlftpfs; the other is to re-accept 1 as an argument in cURL. I guess changing curlftpfs instead of curl is more reasonable.
    I have compiled curlftpfs from a modified source, changing 1 to 0 as the first mentioned solution, allowing curlftpfs to connect as expected.
    I would like to apply this change to the official version right away, but I would need confirmation from the community; also, I don't have too much experience updating online code. Or someone else could do it...

  • Benji Bær

    Benji Bær - 2017-12-01

    try downloading the cert from the ssl port (or any other way) first ;)

    echo | openssl s_client -connect example.org:443 | openssl x509 -out ~/curlftpcert.pem

    curlftpfs -o ssl,cacert=$HOME/curlftpcert.pem,no_verify_peer ftps://...

    https://wiki.ubuntuusers.de/curlftpfs/

    Last edit: Benji Bær 2017-12-01
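What the option combinations in the report and in the cacert suggestion above actually check, as an added example (this is not code from curlftpfs or from anyone in this thread): a Go program that builds an in-memory self-signed certificate with CN "TS Series NAS" and no SAN, plus a second self-signed certificate standing in for an interceptor on the path, and runs x509 verification the way libcurl applies CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The certificates, the host name somehost.tld and the checkPeer helper are constructed for the example; nothing is fetched over the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed for this example, after the report: the NAS presents a
// self-signed certificate whose subject CN is a product name, not the host
// name the client connects to.
const (
	nasCN   = "TS Series NAS"
	nasHost = "somehost.tld"
)

// selfSigned builds an in-memory self-signed certificate with the given CN
// and DNS SANs, standing in for a certificate built into a device.
func selfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkPeer applies the two libcurl knobs to a presented leaf certificate.
// trusted stands in for the cacert= file (CURLOPT_CAINFO).
//   verifyPeer=false        : nothing is checked, any certificate is accepted
//   verifyPeer=true, host=0 : the chain must end in trusted; the name is ignored
//   verifyPeer=true, host=2 : chain check plus the certificate must name host
// The value 1 is refused, as current libcurl does.
func checkPeer(leaf *x509.Certificate, trusted *x509.CertPool, verifyPeer bool, verifyHost int, host string) error {
	if verifyHost != 0 && verifyHost != 2 {
		return errors.New("CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!")
	}
	if !verifyPeer {
		return nil
	}
	opts := x509.VerifyOptions{Roots: trusted}
	if verifyHost == 2 {
		opts.DNSName = host
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	nas, err := selfSigned(nasCN, nil)
	if err != nil {
		panic(err)
	}
	// An interceptor on the path, presenting its own certificate that even
	// names the host the client asked for.
	mitm, err := selfSigned(nasHost, []string{nasHost})
	if err != nil {
		panic(err)
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(nas)

	fmt.Println("defaults, NAS cert:                    ", checkPeer(nas, pinned, true, 2, nasHost))
	fmt.Println("cacert + no_verify_hostname, NAS cert: ", checkPeer(nas, pinned, true, 0, nasHost))
	fmt.Println("no_verify_peer, NAS cert:              ", checkPeer(nas, pinned, false, 0, nasHost))
	fmt.Println("cacert + no_verify_hostname, MITM cert:", checkPeer(mitm, pinned, true, 0, nasHost))
	fmt.Println("no_verify_peer, MITM cert:             ", checkPeer(mitm, pinned, false, 0, nasHost))
}
```

Mapping this back to curlftpfs: the combination that gives the reporter an encrypted connection to the NAS without accepting arbitrary certificates is the second row, i.e. keep peer verification on, point cacert= at the NAS's own certificate, and pass only no_verify_hostname. Once no_verify_peer is passed the trust store no longer matters, which is why the cacert file in the command above buys nothing: as the last row shows, an interceptor's certificate is accepted just the same.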
  • Mike Frysinger

    Mike Frysinger - 2023-04-22
    --- a/ftpfs.c
    +++ b/ftpfs.c
    @@ -1654,9 +1654,7 @@
       }
    
       if (ftpfs.no_verify_hostname) {
    -    /* The default is 2 which verifies even the host string. This sets to 1
    -     * which means verify the host but not the string. */
    -    curl_easy_setopt_or_die(easy, CURLOPT_SSL_VERIFYHOST, 1);
    +    curl_easy_setopt_or_die(easy, CURLOPT_SSL_VERIFYHOST, 0);
       }
    
       curl_easy_setopt_or_die(easy, CURLOPT_INTERFACE, ftpfs.interface);
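Review bot: the hunk removes the two-line comment without replacing it, so the bare `0` in `curl_easy_setopt_or_die(easy, CURLOPT_SSL_VERIFYHOST, 0);` no longer records why that value is used or what it disables. Keep a one-line comment stating that 0 switches the host-name check off entirely and that libcurl rejects the old value 1 with "CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!" (the error quoted in the report), e.g. `/* 0 disables host-name checking; libcurl no longer accepts 1. */`. It is also worth saying there that this setting covers only the name check, so no_verify_hostname on its own leaves certificate verification in place.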
    
