I don't understand this option. What is its purpose?

CURLOPT_SSL_VERIFYHOST checks the server you are communicating with, which is understandable.

But the peer is you - what good is it for you to check that you are who you say you are?

Someone please explain.

    When you connect to a remote server with SSL, their cert might be invalid, expired, or not signed by a recognized CA. I've never used the "verifyhost" option but I often have to set verifypeer = 0 (false) when the remote site is too cheap to buy a real cert for their site.

    And I'm not certain that "peer" means you. When you connect to them, they are your peer - so you are telling curl to check or not check them.

      Well, if that were true, what would be the difference between verifyhost and verifypeer?

      Doesn't "you are connecting to them" mean you are their peer?

      Surely, they are the host and you are the peer.

      I can back it up: When my production server installed with an SSL cert connects with a (valid) SSL site there is no error due to verifypeer. If, on the other hand, my local test server that is not running an SSL cert tries to connect to a (valid) SSL site, it throws an error if verifypeer is true.

      I've also checked that verifyhost checks the server you are connecting to (by using alternate domains pointing to the same ip).

      So it would appear I am correct about that, but that does not explain the purpose of verifypeer.

      Anyone know the purpose of CURLOPT_SSL_VERIFYHOST?

        Just to add:

        Perhaps verifyhost and verifypeer both check the server you are trying to connect to (although I think the language is a bit confusing).

        So, verifyhost just checks the details of the cert (Common Name and that it matches the hostname) whereas verifypeer actually checks that the certificate is valid.

        Assuming that is the case...

        My test server (on Windows XP) throws this when verifypeer is true

        60 - SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

        Yet the certificate for the server I am trying to connect to is valid.

        How do I solve this problem (on the linux server this was not a problem - so it is probably windows specific)?

        Thanks

          Figured it out.

          It was as I expected - on Windows, curl does not know where to look for CA certificates.

          I just added

          curl_setopt($ch, CURLOPT_CAINFO, 'E:\path\to\curl-ca-bundle.crt');

          and it works.

          (curl-ca-bundle.crt comes with cURL - you can download curl and just grab this file - libcurl is included in php so you don't need to install curl if you only want to use curl in php)

          So that confirms it: verifypeer and verifyhost both refer to the server you are trying to connect to.
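The conclusion the thread reaches is that both options inspect the remote server's certificate: VERIFYPEER asks whether the chain is signed by a CA in the bundle curl can find, VERIFYHOST asks whether a name in that certificate matches the host in the URL. The helper below is an added example (not code from this thread) that keeps both checks on and lets the caller pass an explicit bundle path for the Windows case above; the function name `secure_get` and its return shape are assumptions of the example, and the URL and bundle path are whatever the caller supplies.

```php
<?php
// Added example: an HTTPS GET helper with both curl certificate checks
// enabled. Not code from the thread; secure_get() and its return array are
// this example's own conventions.
declare(strict_types=1);

/**
 * Fetch $url over HTTPS with full certificate verification.
 *
 * CURLOPT_SSL_VERIFYPEER -> is the server's chain signed by a CA in the
 *                           bundle (CAINFO / CAPATH / the build's default)?
 * CURLOPT_SSL_VERIFYHOST -> does a name in that certificate match the host
 *                           in $url? Only 0 and 2 are valid; support for
 *                           value 1 was removed in cURL 7.28.1.
 * Both checks concern the remote side; neither looks at any certificate
 * installed on the machine making the request.
 *
 * $caBundle is an optional explicit bundle path, for the case in the thread
 * where libcurl on Windows has no default location to read CA certs from.
 */
function secure_get(string $url, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        return ['ok' => false, 'status' => 0, 'body' => '', 'error' => 'curl_init failed'];
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true, // reject untrusted / expired / self-signed chains
        CURLOPT_SSL_VERIFYHOST => 2,    // reject a trusted cert issued for some other name
    ]);
    if ($caBundle !== null) {
        // Same fix as the last post in the thread, but passed in by the caller.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        // A chain that cannot be verified surfaces here as a curl error such
        // as the "SSL certificate problem" (errno 60) quoted in the thread.
        return ['ok' => false, 'status' => $status, 'body' => '', 'error' => "$errno: $error"];
    }
    return ['ok' => true, 'status' => $status, 'body' => $body, 'error' => ''];
}

// The shortcut mentioned earlier in the thread, shown only to contrast it:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// With the chain unchecked, anyone on the network path can present a
// certificate for the right hostname that they signed themselves, so
// VERIFYHOST then proves nothing. If a site's certificate really is not
// signed by a public CA, point CURLOPT_CAINFO at that site's CA (or its
// self-signed certificate) instead of turning verification off.

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = secure_get($argv[1], $argv[2] ?? null);
    echo $result['ok']
        ? "HTTP {$result['status']}, " . strlen($result['body']) . " bytes\n"
        : "failed: {$result['error']}\n";
}
```

Run it as `php secure_get.php https://example.com` and, on a machine where curl has no default bundle, add the bundle path as a second argument. Rather than hard-coding CURLOPT_CAINFO in every script, the same bundle can be set once for all PHP curl handles with the `curl.cainfo` directive in php.ini.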
