Detect CURLOPT_SSL_VERIFYPEER programmatically?

I have set up a somewhat intricate MailChimp plugin using their latest PHP class wrapper. One of the settings towards the top of the class wrapper is:

/**
 * CURLOPT_SSL_VERIFYPEER setting
 * @var bool
 */
public $ssl_verifypeer = true;


Some of the users of our plugin have to manually change this setting to ‘false’ to get the plugin to function correctly, and I’m not sure why or what this setting is doing. What server setting would force a user to need to set this to false?

I’m looking for two things here:

1) What exactly is this setting doing? Why are some users required to set it to true and others false?

2) Is there a way to programmatically detect which setting should be used, based on the user's server settings? I had set up a way to detect if cURL was enabled at the server level, and am looking to do something similar here.

Thanks!


1 comment

  1. From a Stack Overflow response:

    CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that you trust that it was issued by a CA you trust and that it’s genuine.

    CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

    To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, …). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

    If you don’t use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they’re anyone else with a valid passport.

    https://stackoverflow.com/questions/13740933/security-consequences-of-disabling-curlopt-ssl-verifyhost-libcurl-openssl

    But my question still remains, why are some users having to set it to false? And clearly, from this response, it’s a security risk, so they shouldn’t need to do so.
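The following is an added example, not code from the MailChimp wrapper or from either poster, that approaches question 2 from the defender's side: rather than detecting when to set `$ssl_verifypeer` to false, it keeps verification on, probes the TLS handshake, and classifies the failure so the fix becomes "point cURL at a CA bundle" instead of "disable verification". The probe URL, the candidate bundle paths and the function names are assumptions for illustration; the libcurl error codes are numeric because some older PHP builds lack the named constants.

```php
<?php
/**
 * Added example (not part of the plugin or the original post).
 * Keeps CURLOPT_SSL_VERIFYPEER on, probes the handshake with full
 * verification, and reports why it fails. The usual reason a user
 * "needs" false is that PHP/cURL has no usable CA bundle configured.
 * URL and bundle paths below are placeholders/assumptions.
 */

/** Candidate CA bundle locations (assumed list; adjust for your hosts). */
const CA_BUNDLE_CANDIDATES = [
    '/etc/ssl/certs/ca-certificates.crt', // Debian/Ubuntu
    '/etc/pki/tls/certs/ca-bundle.crt',   // RHEL/CentOS/Fedora
    '/etc/ssl/cert.pem',                  // macOS, FreeBSD, Alpine
];

/**
 * HEAD request over TLS with peer and host verification enabled.
 * Returns ['ok' => bool, 'errno' => int, 'error' => string, 'class' => string].
 */
function probe_tls(string $url, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true, // only the handshake matters here
        CURLOPT_SSL_VERIFYPEER => true, // the probe never relaxes verification
        CURLOPT_SSL_VERIFYHOST => 2,    // 2 = cert must name the host we dialled
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle; // explicit trust store for this probe
    }
    curl_setopt_array($ch, $opts);
    curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    // libcurl error codes, numeric so the script runs on older PHP builds
    switch ($errno) {
        case 0:
            $class = 'verified';
            break;
        case 60: // CURLE_SSL_CACERT: peer cert not trusted (no or stale CA bundle)
        case 77: // CURLE_SSL_CACERT_BADFILE: CURLOPT_CAINFO path unreadable
            $class = 'ca-bundle';
            break;
        case 51: // CURLE_PEER_FAILED_VERIFICATION: name mismatch on older libcurl
            $class = 'hostname';
            break;
        default:
            $class = 'other';
    }
    return ['ok' => $errno === 0, 'errno' => $errno, 'error' => $error, 'class' => $class];
}

/** Where PHP is currently told to look for CA certificates (empty if unset). */
function configured_ca_paths(): array
{
    return array_filter([
        'curl.cainfo'    => ini_get('curl.cainfo'),
        'openssl.cafile' => ini_get('openssl.cafile'),
    ]);
}

/** First readable candidate bundle that makes verification succeed, or null. */
function find_working_ca_bundle(string $url): ?string
{
    foreach (CA_BUNDLE_CANDIDATES as $path) {
        if (is_readable($path) && probe_tls($url, $path)['ok']) {
            return $path;
        }
    }
    return null;
}

// --- usage: run from the CLI on the affected server ---
$url   = 'https://example.com/'; // placeholder; use the API host the plugin calls
$first = probe_tls($url);
if ($first['ok']) {
    echo "Verification works; keep \$ssl_verifypeer = true.\n";
} elseif ($first['class'] === 'ca-bundle') {
    echo "No usable CA bundle (curl error {$first['errno']}: {$first['error']})\n";
    echo 'Configured: ' . json_encode(configured_ca_paths()) . "\n";
    $bundle = find_working_ca_bundle($url);
    echo $bundle !== null
        ? "Fix: set curl.cainfo={$bundle} in php.ini or pass it via CURLOPT_CAINFO.\n"
        : "Fix: install a current CA bundle (your OS ca-certificates package) and set curl.cainfo.\n";
} else {
    echo "Handshake failed for another reason ({$first['class']}, error {$first['errno']}): {$first['error']}\n";
}
```

Run it on a server whose users report needing `false`: a `ca-bundle` result means the host simply has no trust store that cURL can find, which is fixed by `curl.cainfo` (or `CURLOPT_CAINFO` in the plugin) without giving up the peer check the comment above describes; a `hostname` result points at a certificate that does not match the API host and should be treated as a problem with the endpoint, not with the setting.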