
On the PHP docs page about curl_setopt, the most upvoted comment is:

Please everyone, stop setting CURLOPT_SSL_VERIFYPEER to false or 0. If your PHP installation doesn't have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:

http://curl.haxx.se/docs/caextract.html

Then set a path to it in your php.ini file, e.g. on Windows:

curl.cainfo=c:\php\cacert.pem

Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don't want!

Really? As I understand it, turning off CURLOPT_SSL_VERIFYPEER stops curl from verifying the peer's certificate but data transmission stays secure. Which one is true?

Desmond Hume
  • Well, both statements are true. Indeed it disables the verification of the peer and this allows an "easy" man-in-the-middle attack. Please note that such attack does _not_ mean that the data is sent unencrypted. It means, someone in the middle can decrypt the transferred data without your knowledge and without you being able to prevent or detect it. – arkascha Jan 17 '14 at 20:53
  • possible duplicate of [Security consequences of disabling CURLOPT\_SSL\_VERIFYHOST (libcurl/openssl)](http://stackoverflow.com/questions/13740933/security-consequences-of-disabling-curlopt-ssl-verifyhost-libcurl-openssl) – Bruno Jan 17 '14 at 21:12


Yes, it is insecure. If you don't check the certificate you can't be sure that the sender is truly the server you think you're talking to and it may be an impostor. A man in the middle.

Even impostors can run SSL and negotiate an encrypted connection with you. But they can (supposedly) not purchase a certificate for the forged site using the legitimate cert name.

Daniel Stenberg
  • Sir, I have another question about curl http://stackoverflow.com/questions/20785810/when-is-it-best-to-check-asynchronous-curl-requests-for-completion I even had bounty for it but it expired. Would you please try answering it (assuming that CURLM_CALL_MULTI_PERFORM is deprecated) – Desmond Hume Jan 18 '14 at 15:56
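As an added example illustrating the question and the answer above (this is not code from the question, the answer, or the PHP docs comment): the weakened curl setup beside a verified one that keeps CURLOPT_SSL_VERIFYPEER on, points curl at a CA bundle such as the one from the curl site, and treats a verification failure as an error rather than something to silence. The URL `https://example.com/` and the bundle path are assumptions; the `fetch_insecure` / `fetch_verified` function names are mine.

```php
<?php
// Added example, not from the original page. Shows the weak configuration
// next to the hardened one. URL and bundle path below are assumed values.

// WEAK: verification disabled. The TLS session is still encrypted, but it is
// encrypted to whoever answered, so an impostor on the path is accepted silently.
function fetch_insecure(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // accept any certificate chain
        CURLOPT_SSL_VERIFYHOST => 0,     // and do not match the hostname either
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body; // string, or false on transport error
}

// HARDENED: verify the chain against a CA bundle and require the hostname
// to match the certificate. A failure is surfaced as an exception.
function fetch_verified(string $url, ?string $caBundle = null): string
{
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // libcurl's default, stated explicitly
        CURLOPT_SSL_VERIFYHOST => 2,     // 2 = certificate must match the host name
        CURLOPT_FAILONERROR    => true,  // treat HTTP >= 400 as an error as well
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        // Explicit bundle (e.g. cacert.pem from the curl site). When omitted,
        // curl uses php.ini's curl.cainfo or the build's default CA store.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // Verification problems show up here, for example
        // "SSL certificate problem: unable to get local issuer certificate".
        // The fix is a correct CA bundle, not CURLOPT_SSL_VERIFYPEER => false.
        $msg = sprintf('request to %s failed (%d): %s', $url, curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// Usage with assumed values. Honour php.ini's curl.cainfo if it is set,
// otherwise fall back to an assumed bundle path.
$bundle = ini_get('curl.cainfo') ?: '/etc/ssl/certs/cacert.pem'; // assumed path
try {
    $page = fetch_verified('https://example.com/', $bundle);
    printf("verified fetch: %d bytes\n", strlen($page));
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```

The point to take from the pair: both functions produce an encrypted connection, and only the second one knows who is on the other end. If `fetch_verified` throws on a host that should work, check `curl.cainfo` in `php.ini` (the `curl.cainfo=c:\php\cacert.pem` line quoted above is the Windows form of that setting) or pass the bundle through `CURLOPT_CAINFO`, rather than copying `fetch_insecure`.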