
PayPal cURL options (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) issue

Tags: php, curl, paypal

I've got a piece of code from the PayPal site:

// turning off the server and peer verification(TrustManager Concept).
// really paypal??? why not just include a recent cert???
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

As you can see in my comment, I'm wondering why on earth PayPal would disable those options.

I know (from previous headaches :) ) that on Windows cURL uses an outdated certs file.

But I have a newer certs file on my server which I could just use:

curl_setopt($ch, CURLOPT_CAINFO, 'E:\path\to\curl-ca-bundle.crt');

So why would PayPal 'recommend' disabling it if all it takes is to use another (newer) certs file?

Wouldn't that be safer?

Or am I missing something (I'm pretty sure PayPal has enough money for a valid certificate :p )?

PeeHaa asked Nov 02 '11 23:11


2 Answers

Yes, it would be much safer to make sure clients use an updated CA cert bundle. (Which this question is about, they already have a certificate.)

Daniel Stenberg answered Oct 20 '22 18:10


One reason could be that it prevents support headaches, with people running the script on their $1 / year shared hosting boxes, running into issues, etc.
Best practice? No. But someone with a bit more knowledge beside ctrl+c ctrl+v will be able to set it up properly.

edit: our current sample code forces VERIFYPEER and VERIFYHOST. Keep this in mind if you run into any SSL handshake errors, as you may need to point to a root cert file copy.

Robert answered Oct 20 '22 19:10
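
An added example (not from the posts above and not PayPal's sample code) of the setup both answers point toward: verification left on and cURL pointed at a current CA bundle, failing closed when the bundle is missing. The function name, the endpoint URL and the bundle path are assumptions.

```php
<?php
// Added example: verifiedPost(), the URL and the bundle path are hypothetical.

/**
 * POST $fields to $url with certificate and host verification enabled.
 * $caBundle is a PEM file of trusted root certificates.
 */
function verifiedPost(string $url, array $fields, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        // Fail closed: never fall back to switching verification off.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        // Validate the server's certificate chain against the bundle below.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = the certificate's name must match the host being requested.
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($body === false) {
        // A stale or unparsable bundle shows up as one of these two codes.
        // The fix is a newer bundle file, not disabling the checks.
        if ($errno === CURLE_SSL_CACERT || $errno === CURLE_SSL_CACERT_BADFILE) {
            throw new RuntimeException("TLS verification failed, check $caBundle: $error");
        }
        throw new RuntimeException("cURL error $errno: $error");
    }

    return $body;
}

// Example call (constructed values):
// echo verifiedPost('https://api.example.test/nvp', ['METHOD' => 'Ping'],
//                   'E:\path\to\curl-ca-bundle.crt');
```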