I know from this thread what attacks are possible when CURLOPT_SSL_VERIFYHOST is disabled. I'd like to know what attacks are possible when VERIFYPEER, not _VERIFYHOST, is disabled. Is it an acceptable risk for payments with credit cards?
(the reason I ask is because my code works only with _VERIFYPEER disabled, though nobody seems to know why)
If you disable CURLOPT_SSL_VERIFYPEER, curl will not check that the certificate is actually signed by a trusted authority. This is very dangerous! In a MITM situation, without VERIFYPEER, the attacker can simply substitute his own "self-signed" certificate for the real certificate, and as long as the host name matches (which he can always do, since he's making the certificate), your app will accept it.
Your code is likely failing because you don't have the CA certificate store set up, and the server you are talking to is signed by a CA not in curl's default repository. Consider using CURLOPT_CAINFO or CURLOPT_CAPATH to specify the certificates to verify against, and ensure that the certificates you are using for verification are accessible and match the target server's certificates.
