To establish an SSL/TLS connection that is not vulnerable to man-in-the-middle attacks, it is essential to make sure the server presents the right certificate.
The certificate's hostname-specific data (its subject or subject alternative names) should match the server hostname.
It is not recommended to re-invent the wheel by implementing custom hostname verification.
TLS/SSL libraries provide built-in hostname verification functions, and those should be used.
Noncompliant Code Example
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE); // Noncompliant: FALSE is cast to 0, hostname verification is disabled
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); // Noncompliant: hostname verification is disabled
Compliant Solution
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2); // Compliant; 2 is the default and means "check the existence of a common name and also verify that it matches the hostname provided" according to PHP's documentation
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, TRUE); // Compliant: TRUE is cast to 1, which libcurl treats the same as 2 starting from 7.66.0 (https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html)
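The following is an added example, not code from the original rule page: a helper that always requests full hostname verification and fails closed, plus a check that spells out why TRUE/1 is only safe on libcurl 7.66.0 or newer. The function names verifyhost_is_safe and secure_get are assumptions; the packed version constant 0x074200 is libcurl's encoding of 7.66.0.

```php
<?php
// Added example (not part of the original rule page).

// Return true when $value makes libcurl verify the certificate hostname.
// $versionNumber is the packed value from curl_version()['version_number'],
// e.g. 0x074200 for 7.66.0 (major << 16 | minor << 8 | patch).
function verifyhost_is_safe(int $value, int $versionNumber): bool
{
    if ($value === 2) {
        return true;             // full check: name must match the host
    }
    if ($value === 1) {
        // PHP casts TRUE to 1. Since libcurl 7.66.0 the value 1 is treated
        // like 2 (see the CURLOPT_SSL_VERIFYHOST documentation); older
        // releases either reject it or do not verify the hostname.
        return $versionNumber >= 0x074200;
    }
    return false;                // 0 / FALSE disables the check entirely
}

// Build a handle that refuses a certificate whose name does not match the
// requested host, and throws instead of silently returning an empty body.
function secure_get(string $url): string
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);  // validate the chain
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);     // and the hostname
    $body = curl_exec($curl);
    if ($body === false) {
        // A hostname mismatch surfaces here as a curl error (e.g.
        // CURLE_PEER_FAILED_VERIFICATION); never fall back to a plain request.
        $err = curl_error($curl);
        curl_close($curl);
        throw new RuntimeException("TLS request failed: $err");
    }
    curl_close($curl);
    return $body;
}

// Audit the TRUE/1 setting against the libcurl this PHP is linked with.
var_dump(verifyhost_is_safe(1, curl_version()['version_number']));
var_dump(verifyhost_is_safe(0, curl_version()['version_number'])); // always false
// Usage (requires network access): echo secure_get('https://example.com/');
```

Treat a false result from verifyhost_is_safe as a configuration defect and set the option to 2 explicitly rather than relying on the boolean cast.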
See