CURLOPT_SSL_VERIFY

When writing code that accesses remote content via HTTPS, it is important that all verification be left on; otherwise the protections that HTTPS affords become easy to compromise. The compromise will be invisible, too, with the code sending data to (or receiving data from) a different server without your knowledge.

This can have broad legal implications including violating PCI compliance requirements with your credit card processor.

cURL provides two separate settings which are both critical to secure HTTPS communications: CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER.

Here are the specific problems with disabling each of these:

  • By setting CURLOPT_SSL_VERIFYHOST to anything other than 2 (the default) you are disabling verification that the remote server's name matches the certificate it is sending to you.
     
  • By setting CURLOPT_SSL_VERIFYPEER to anything other than TRUE (or 1) you are disabling verification of the server's certificate itself. This means that the certificate the remote server is presenting to you can be of any origin (i.e., one they created themselves), and need not come from a Certificate Authority that you trust.
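
One way to find these settings in an existing PHP code base, as an added example that is not part of the original page. It applies the two rules above literally; the function name `audit_php_source` and the sample PHP source are constructed for illustration.

```python
import re

# Matches curl_setopt($ch, CURLOPT_X, value) and the CURLOPT_X => value
# form used with curl_setopt_array(). The value is captured as one token.
SETTING = re.compile(r"\b(CURLOPT_SSL_VERIFY(?:HOST|PEER))\s*(?:,|=>)\s*([^,;)\]\s]+)")

# Values the text above describes as leaving each check enabled.
SAFE = {
    "CURLOPT_SSL_VERIFYHOST": {"2"},
    "CURLOPT_SSL_VERIFYPEER": {"true", "1"},
}

def audit_php_source(source):
    """Return (line_no, option, value) for each setting that is not a safe literal.

    Line-based and deliberately strict: a variable or expression as the value
    is reported too, because it cannot be proven safe without reading further.
    Settings inside comments are also reported.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in SETTING.finditer(line):
            option, value = match.group(1), match.group(2)
            if value.lower() not in SAFE[option]:
                findings.append((line_no, option, value))
    return findings

# Constructed sample input (hypothetical, not from any real application).
SAMPLE = '''<?php
$ch = curl_init("https://api.example.test/charge");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$ok = curl_init("https://api.example.test/status");
curl_setopt_array($ok, [
    CURLOPT_SSL_VERIFYPEER => TRUE,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
$legacy = [CURLOPT_SSL_VERIFYHOST => 1, CURLOPT_RETURNTRANSFER => true];
'''

if __name__ == "__main__":
    for line_no, option, value in audit_php_source(SAMPLE):
        print(f"line {line_no}: {option} set to {value}")
```

Each finding is a place where the certificate or host name check needs to be restored and the underlying certificate problem fixed.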

Disabling one or both of the above verification parameters means the remote server could be an entirely different server from the one you intend to communicate with. It gives a malicious party broad latitude to silently intercept your communications and, in turn, the data you're sending.

Again, the worst part about disabling these checks is that you'd never know if any of the conditions above occurred; you'd simply have leaked data to (or trusted data from) an unknown source. If your curl() call was exchanging sensitive information such as credit card information, passwords, or authentication tokens, this can be a big problem. It can also lay the groundwork for a more sophisticated attack on your application later.

There are no valid reasons for disabling either of these checks in production, and doing so can be a violation of state and/or federal law depending on the content being transferred. If SSL verification is preventing an application from working, the underlying issue needs to be fixed. Contact A-Team Systems if you need help resolving the issue.