PayPal cURL选项（CURLOPT_SSL_VERIFYPEER和CURLOPT_SSL_VERIFYHOST）问题

Question

I've got a piece of code from the PayPal site:

// turning off the server and peer verification(TrustManager Concept).
// really paypal??? why not just include a recent cert???
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

As you can see in my comment I'm wondering why on earth paypal would disable those options.

I know (from previous headaches :) ) that on Windows cURL uses an outdated certs file.

But I have a newer certs file on my server which I could just use:

curl_setopt($ch, CURLOPT_CAINFO, 'E:\path\to\curl-ca-bundle.crt');

So why would PayPal 'recommend' disabling it if all it takes is use another (newer) certs file.

Wouldn't that be safer?

Or am I missing something (I'm pretty sure PayPal has enough money for a valid certificate :p )?

Answer 1

Yes, it would be much safer to make sure clients use an updated CA cert bundle. (Which this question is about, they already have a certificate.)

Answer 2

One reason could be that it prevents support headaches, with people running the script on their $1 / year shared hosting boxes, running into issues, etc.
Best practice? No. But someone with a bit more knowledge beside ctrl+c ctrl+v will be able to set it up properly.

edit: our current sample code forces VERIFYPEER and VERIFYHOST. Keep this in mind if you run into any SSL handshake errors, as you may need to point to a root cert file copy.