I've got a piece of code from the PayPal site:
// turning off the server and peer verification(TrustManager Concept).
// really paypal??? why not just include a recent cert???
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
As you can see in my comment, I'm wondering why on earth PayPal would disable those options.
I know (from previous headaches :) ) that on Windows cURL uses an outdated certs file.
But I have a newer certs file on my server which I could just use:
curl_setopt($ch, CURLOPT_CAINFO, 'E:\path\to\curl-ca-bundle.crt');
So why would PayPal 'recommend' disabling it if all it takes is to use another (newer) certs file?
Wouldn't that be safer?
Or am I missing something (I'm pretty sure PayPal has enough money for a valid certificate :p )?
Yes, it would be much safer to make sure clients use an updated CA cert bundle. (Which this question is about; they already have a certificate.)
One reason could be that it prevents support headaches, with people running the script on their $1 / year shared hosting boxes, running into issues, etc.
Best practice? No. But someone with a bit more knowledge besides ctrl+c ctrl+v will be able to set it up properly.
Edit: our current sample code forces VERIFYPEER and VERIFYHOST. Keep this in mind if you run into any SSL handshake errors, as you may need to point to a root cert file copy.
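The setup discussed above with verification left on, as an added example that is not part of the original posts or PayPal's sample code. The function name `fetchVerified` and the URL are hypothetical placeholders; the bundle path is the one from the question.

```php
<?php
// Added example: hypothetical helper, not PayPal sample code.
function fetchVerified(string $url, string $caBundle): string
{
    // Fail early with a clear message instead of an opaque handshake error
    // when the CA bundle path is wrong.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Verify the server's certificate chain against the CA bundle.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = the certificate name must match the requested host.
        // Use the integer 2 here, not TRUE (which is 1).
        CURLOPT_SSL_VERIFYHOST => 2,
        // Point cURL at a current root certificate bundle.
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($body === false) {
        // Certificate verification failures surface here. The fix is an
        // up-to-date bundle, not switching the checks off.
        throw new RuntimeException("cURL error $errno: $error");
    }
    return $body;
}

try {
    // Placeholder URL; bundle path as given in the question.
    $body = fetchVerified('https://api.example.com/', 'E:\path\to\curl-ca-bundle.crt');
    echo strlen($body), " bytes received\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the handshake fails with a certificate error, the logged cURL error number and message show whether the bundle is stale or the host name does not match.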