Dangerous Option

[StormTide]

https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option.

This option should be removed. Theres never a time you could safely disable peer verification. Correct fix for validation/self-signed issues is to apply a cainfo/cabundle rather than disable peer verification.

[AngeloR]

Agreed, in production there is never a time when you should be disabling peer verification. But I don't see the issue of having the option for a dev env, and defaulting to having the httpsverify turned on.

[StormTide]

If you want to configure a testing cert in development, you should provide a cainfo/cafile to validate against. However, this always talks to a real server anyway, so shouldnt be failing ssl validation unless the server is broken (ie doesnt have a bundle)... Code like this tends to get left on, and configured in production. Hence its a dangerous option to leave in.