Normally, when you connect to a secure server to browse a secured site, the server presents you with a certificate, signed by a CA, that says "I am https://www.paypal.com". With CURLOPT_SSL_VERIFYHOST enabled, libcurl verifies whether the certificate that the server presented actually indicates that it belongs to https://www.paypal.com. If the certificate doesn't certify the server's identity to be https://www.paypal.com, the connection fails.
So far so good, but what if the certificate itself is fake? This is where CURLOPT_SSL_VERIFYPEER comes in handy. It verifies the authenticity of the certificate itself, against a set of CA certificates that libcurl holds. Some CA certificates come bundled with libcurl by default and some do not. When CURLOPT_SSL_VERIFYPEER is enabled and the server presents libcurl with a certificate that it doesn't recognize, the connection fails.
Now, how do you get around this? Either stop being paranoid and be content with just CURLOPT_SSL_VERIFYHOST, or install additional certificates on your system and specify those certificates in a curl session with CURLOPT_CAINFO or CURLOPT_CAPATH.
In a nutshell, CURLOPT_SSL_VERIFYPEER authenticates the certificates and CURLOPT_SSL_VERIFYHOST authenticates the host. Maybe this helps.
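
The second option above (extra CA certificates supplied through CURLOPT_CAINFO), written for PHP's curl binding as an added example that is not code from the original page; the page names only the libcurl options, so the choice of PHP, the function name `fetch_verified` and the bundle path are assumptions. Both checks stay enabled, because with CURLOPT_SSL_VERIFYPEER off the host check only compares names inside a certificate that nobody has authenticated.

```php
<?php
// Added example: hypothetical helper, not code from the original page.

/**
 * Fetch $url over HTTPS with both certificate checks enabled.
 * $caBundle is an optional PEM file of CA certificates (CURLOPT_CAINFO).
 */
function fetch_verified(string $url, ?string $caBundle = null): string
{
    if ($caBundle !== null && !is_readable($caBundle)) {
        throw new InvalidArgumentException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Authenticate the certificate: its chain must lead to a trusted CA.
        CURLOPT_SSL_VERIFYPEER => true,
        // Authenticate the host: the certificate must name the host in $url.
        // 2 is the value that performs the name match.
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    if ($caBundle !== null) {
        // Use this PEM file as the CA bundle for this session.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: surface libcurl's error, never retry with checks off.
        throw new RuntimeException(
            'Transfer failed (' . curl_errno($ch) . '): ' . curl_error($ch)
        );
    }
    return $body;
}

// Usage; the bundle path is a constructed placeholder.
try {
    $page = fetch_verified('https://www.paypal.com/', '/path/to/ca-bundle.pem');
    echo strlen($page), " bytes received\n";
} catch (Exception $e) {
    echo 'Error: ', $e->getMessage(), "\n";
}
```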