Desmond Hume

Reputation: 8617

Does turning off CURLOPT_SSL_VERIFYPEER in cURL make transmission insecure?

On the PHP docs page about curl_setopt the most upvoted comment is

Please everyone, stop setting CURLOPT_SSL_VERIFYPEER to false or 0. If your PHP installation doesn't have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:

http://curl.haxx.se/docs/caextract.html

Then set a path to it in your php.ini file, e.g. on Windows:

curl.cainfo=c:\php\cacert.pem

Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don't want!

Really? As I understand it, turning off CURLOPT_SSL_VERIFYPEER stops curl from verifying the peer's certificate but data transmission stays secure. Which one is true?

Upvotes: 2

Views: 7771

Answers (1)

Daniel Stenberg

Reputation: 58124

Yes it is insecure. If you don't check the certificate you can't be sure that the sender is truly the server you think you're talking to and it may be an impostor. A man in the middle.

Even impostors can run SSL and negotiate an encrypted connection with you. But they can (supposedly) not purchase a certificate for the forged site using the legitimate cert name.

Upvotes: 8
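The point of the answer in running code, as an added example that is not from the question, the answer, or the curl project. Go's crypto/tls is used because it can mint certificates and run both ends of the connection in one process: two servers present a certificate for the same name, one the genuine server and one an impostor with a self-signed certificate that no CA vouches for. A client with verification switched off (InsecureSkipVerify, the counterpart of CURLOPT_SSL_VERIFYPEER=false) completes an encrypted session with the impostor and happily reads its data; a client with verification on, trusting only the bundle that contains the genuine certificate (the counterpart of the bundle CURLOPT_CAINFO or curl.cainfo points at), talks to the genuine server and rejects the impostor with "certificate signed by unknown authority". The hostname bank.example and the greetings are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const targetHost = "bank.example" // hostname the client believes it is reaching (hypothetical)

// selfSignedCert mints a certificate for dnsName signed by its own key, which anyone can
// do for any name; no CA vouches for it. Setup failures are bugs in the example and panic.
func selfSignedCert(dnsName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing what we just built cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve runs a TLS server on loopback presenting cert; it greets every client whose
// handshake completes and returns the address to dial.
func serve(cert tls.Certificate, greeting string) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte(greeting)) // the handshake runs here; it fails if the client rejects us
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// connect dials addr under cfg (which names the expected host) and returns the server's
// greeting plus the cipher suite negotiated: the link is encrypted whether or not the
// peer was checked, which is why encryption alone proves nothing about who is listening.
func connect(addr string, cfg *tls.Config) (greeting, cipher string, err error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf)
	if err != nil {
		return "", "", err
	}
	return string(buf[:n]), tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

// isUnknownAuthority reports whether err means "no trusted CA signed this certificate".
func isUnknownAuthority(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

// setup starts a genuine server and an impostor for the same name and builds the two
// client policies the question is about: InsecureSkipVerify=true stands in for
// CURLOPT_SSL_VERIFYPEER=false, RootCAs for the CA bundle that CURLOPT_CAINFO names.
func setup() (realAddr, fakeAddr string, verifyOff, verifyOn *tls.Config) {
	genuine := selfSignedCert(targetHost)
	impostor := selfSignedCert(targetHost) // same name, different key: the man in the middle
	realAddr = serve(genuine, "welcome to the real bank\n")
	fakeAddr = serve(impostor, "welcome to the fake bank\n")
	verifyOff = &tls.Config{ServerName: targetHost, InsecureSkipVerify: true}
	roots := x509.NewCertPool()
	roots.AddCert(genuine.Leaf) // this bundle vouches for the real server and nothing else
	verifyOn = &tls.Config{ServerName: targetHost, RootCAs: roots}
	return
}

func main() {
	realAddr, fakeAddr, verifyOff, verifyOn := setup()
	show := func(label, addr string, cfg *tls.Config) {
		greeting, cipher, err := connect(addr, cfg)
		fmt.Printf("%-12s greeting=%q cipher=%s err=%v\n", label, greeting, cipher, err)
	}
	show("off/impostor", fakeAddr, verifyOff) // accepted: an encrypted chat with the wrong party
	show("on/genuine", realAddr, verifyOn)
	show("on/impostor", fakeAddr, verifyOn) // rejected: certificate signed by unknown authority
}
```

The "off/impostor" line is the case the PHP docs comment warns about: a real cipher suite is negotiated, the traffic is encrypted, and none of that stops the client from handing its request to whoever answered. Translated back to PHP cURL, the fix is to leave CURLOPT_SSL_VERIFYPEER at its default of true and, if the default bundle is missing or stale, point curl.cainfo (or CURLOPT_CAINFO per handle) at a current cacert.pem; keep CURLOPT_SSL_VERIFYHOST at its default of 2 as well, since a certificate that chains to a trusted CA but was issued for a different name is still the wrong peer.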
