One year ago, searching for "CURLOPT_SSL_VERIFYPEER, 0” gave me 153k hits on GitHub and I blogged about the sorry state of TLS certificate verification in code.

@bagder Is there any good way to avoid this with embedded devices?

We build and sell those, and we don't know in advance what the DNS name or the IP address at the installation site will be. And quite frankly, most customers don't bother rolling out proper certificates even in production.

So we ship the device with a demo certificate, and all our SDK libraries have the option to disable certificate verification. Unverified TLS is still better than plain HTTP because it prevents passive snooping.