I think I now have a good grasp of why you need to either have the SSL certificate bundle when pulling content from an HTTPS API like Facebook. But my question is: why does this work sometimes even without the certificate and other times not? It seems to me that libcurl has a way to overcome this problem on its own.
Does anybody know why or how this happens? Has anybody had the same experience?
The behavior of cURL with regard to SSL certificates depends on the CURLOPT_SSL_VERIFYPEER option. Assuming you use PHP, you can use the function curl_setopt to change the value of this option.
I have only superficial knowledge of SSL, but it seems that cURL behaves in the following way: 0 means no checking, 1 checks if the certificate is legit, and 2 also checks if the certificate is issued to the correct hostname.
You can 'turn off annoying errors' by setting CURLOPT_SSL_VERIFYPEER to 0, but this means that you cannot be sure that you will have a connection to the correct server, as anyone may spoof the DNS. So doing so is very dangerous.
The official Facebook PHP SDK supplies its own certificate using CURLOPT_CAINFO, but only when curl could not validate the certificate on its own. I do not know why the developers of the Facebook SDK would make this conditional; perhaps because reading certificates might be expensive.
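
The conditional CURLOPT_CAINFO pattern described in the answer, sketched as an added example (not part of the answer and not the Facebook SDK's own code). The function name `fetch_verified` and the bundle path `ca-bundle.pem` are hypothetical; verification stays enabled on both attempts.

```php
<?php
// Added example. fetch_verified() and the CA bundle path are hypothetical names.
// With no CURLOPT_CAINFO set, libcurl validates against its default CA store
// (build-time default or php.ini curl.cainfo). Whether that store exists varies
// per machine, which is why the same code can verify on one host and fail on another.
function fetch_verified(string $url, string $caBundle): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the hostname
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    // First attempt: rely on the CA store libcurl finds on its own.
    $body = curl_exec($ch);

    // Error 60 (CURLE_SSL_CACERT): the chain could not be validated with the
    // known CAs. Retry once with the bundle shipped beside the application.
    if ($body === false && curl_errno($ch) === CURLE_SSL_CACERT) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
        $body = curl_exec($ch);
    }

    // Any remaining failure is reported; verification is never switched off.
    if ($body === false) {
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Usage from the command line: php fetch.php https://example.com/
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    try {
        echo fetch_verified($argv[1], __DIR__ . '/ca-bundle.pem'); // hypothetical path
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```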