in php, what will happen if CURLOPT_CAPATH is not set when CURLOPT_SSL_VERIFYPEER is set to true

Question

The problem is about using curl in PHP. Some other answers said that curl will reject any ssl connection, however, I can send https requests as normal. curl.cainfo in php.ini is not set. Will curl use system default ca bundle when CURLOPT_CAPATH is not set?

Answer 1

Here you can use CURLOPT_CAPATH Like below.

You have to give path of your SSL Certificate in this line curl_setopt($curl_handle, CURLOPT_CAINFO, "/etc/pki/tls/cert.pem");

$curl_handle=curl_init();
curl_setopt($curl_handle, CURLOPT_URL,$link);
curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($curl_handle, CURLOPT_VERBOSE, true);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl_handle, CURLOPT_CAINFO, "/etc/pki/tls/cert.pem");
$buffer = curl_exec($curl_handle);
$buffer_decode = json_decode($buffer);
curl_close($curl_handle);

Answer 2

From the documentation:

CURLOPT_CAINFO

This option is by default set to the system path where 
libcurl's cacert bundle is assumed to be stored, as 
established at build time.

So, if your system stores the cacert bundle in the default location, which is likely /etc/ssl/certs/, then it should find it.