user11555230

What's the current advice on CURLOPT_SSL_VERIFYPEER?

What's the current advice on CURLOPT_SSL_VERIFYPEER? I've traditionally always set it to false, because it always kept causing issues when fetching https:// URLs.

But now I read a comment saying that this allows "man in the middle" attacks, which I vaguely knew already, and that I should be downloading the https://curl.haxx.se/docs/caextract.html file and set the curl.cainfo config directive. And that can ONLY be set in the php.ini file, which makes everything a mess. I'd like to set it in my actual application if anything. Preferably not have to set it at all, which I still don't understand why it's necessary in the first place...

What should I do? I don't want MITM attacks. Why doesn't PHP come with a proper such file? What's the problem?

Upvotes: 1

Views: 252

Answers (1)

Alo

Reputation: 160

Good answer from https://paragonie.com/blog/2017/10/certainty-automated-cacert-pem-management-for-php-software#verify-peer

What Happens If You Disable CURLOPT_SSL_VERIFYPEER?

If you disable this check, you're opting out of the Certificate Authority infrastructure, which means you've elected to blindly accept self-signed certificates.

This exposes you to extremely trivial man-in-the-middle attacks. All the intercepting proxy needs to do is offer a self-signed certificate and PHP will just trust it, but only if you turn this off.

In today's ecosystem, the only real reason to use this is if you're using CURLOPT_PINNEDPUBLICKEY and for some reason can't use LetsEncrypt.

You should keep it on and make sure any sites you are curling have good certs from a trusted CA (like a paid one or a free cert from LetsEncrypt).

Setting up the up-to-date file of what certs should be valid and trusted can be done at the application level. More detail is in that link above, and there is an open-source project that does it by the author of the post: https://github.com/paragonie/certainty

You can use that if you want or just look at what it does and build it in yourself.

Upvotes: 2
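An added example, not code from the question, the answer or the Paragon project: it keeps peer verification on and points cURL at a CA bundle shipped with the application via CURLOPT_CAINFO, so nothing has to go into php.ini. The bundle path `certs/cacert.pem` (the caextract.html file saved into the app) and the function name are assumptions.

```php
<?php
// Added example (not from the question or answer). Fetches an https:// URL with
// peer verification ON and the CA bundle set per curl handle, which is the
// application-level alternative to the php.ini curl.cainfo directive.
// $caBundle is an assumed path: the cacert.pem from https://curl.haxx.se/docs/caextract.html
// stored inside the application.

function fetchVerified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        // Fail closed: never fall back to CURLOPT_SSL_VERIFYPEER => false.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,               // the cert must also match the hostname
        CURLOPT_CAINFO         => $caBundle,       // per-handle bundle, no php.ini change
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http://
        CURLOPT_FOLLOWLOCATION => false,           // no silent redirects to other hosts
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $msg   = curl_error($ch);
        curl_close($ch);
        // Verification errors (e.g. CURLE_SSL_CACERT) mean the server's cert could not
        // be validated with this bundle: fix the cert or refresh the bundle, do not
        // turn verification off.
        throw new RuntimeException("curl failed ($errno): $msg");
    }
    curl_close($ch);

    return $body;
}

// Usage (assumed layout: the bundle lives next to the application code).
$caBundle = __DIR__ . '/certs/cacert.pem';
echo fetchVerified('https://example.com/', $caBundle);
```

Refresh the bundle file on a schedule (the linked certainty project automates this) so newly added or removed CAs are reflected without touching server configuration.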
