Why does curl failures finding the ssl certificate work intermittently?

Question

I think I have now a good grasp of why you need to either have the ssl certificate bundle when pulling content from a https api like facebook. But my question is: Why does this work sometimes even without the certificate and some others not? Seems to me that libcurl has a way to overcome this problem on its own.

Anybody knows why or how this happens? Anybody had the same experience?

Answer 1

The behavior of cUrl with regards to SSL certificates depends on the CURLOPT_SSL_VERIFYPEER option. Assuming you use PHP, you can use the function curl_setopt to change the value of this option.

I have only superficial knowledge of SSL but it seems that cUrl behaves in the following way: 0 means no checking, 1 checks if the certificate is legit, and 2 checks also checks if the certificate is issued to the correct hostname.

You can 'turn off annoying errors' by setting CURLOPT_SSL_VERIFYPEER to 0, but this means that you cannot be sure that you will have a connection to the correct server, as anyone may spoof the DNS. So doing so is very dangerous.

The official facebook php sdk supplies its own certificate using CURLOPT_CAINFO, but only when curl could not validate the certificate on its own. I do not know why the developers of the facebook sdk would make this conditional; perhaps because reading certificates might be expensive.