This is probably the wrong place to get into the details of certificate verification, and I am not sure I understand all of it, so this answer is going to focus on the WordPress API.
The issue with certificate verification is that you need a list of root certificates of the issuer companies in order to verify a specific cert. That list changes and therefore servers need to be updated with the info. Obviously supporting “browser like functionality” is not one of the main things that server admins think of, and your software might end up on a server in which it is not defined at all, or in which the info is just stale.
Otto’s answer details how WordPress core handles it, and it does it by providing its own bundle of root certs, which is used by default by the WordPress HTTP API (checked for 4.4, not sure when it started). Still, your plugin might be installed on an earlier version which contains stale info (at this point in time, just a week or so before 4.5 is launched, only about 50% of WordPress sites run 4.4).
So what can you do?
- Easy option: let the user decide. In the end it is his call how secure he wants his site to be. It might be that he can’t or doesn’t want to make the effort of updating his root certs.
- Supply your own root certificates with the plugin. This way you can push updates whenever the root certificates need to be updated. The relevant core API that handles it is `WP_HTTP::request` with the `sslcertificates` parameter in the `$args` parameter. Higher level HTTP API functions probably pass that parameter in one way or another to it.
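As an added example (not part of the answer above), a plugin helper that implements both options through the WordPress HTTP API: it points `sslcertificates` at a bundle shipped with the plugin and honours an explicit site-owner setting, while keeping verification on by default. The bundle path `certs/ca-bundle.crt`, the option name `myplugin_ssl_mode` and the function name are assumptions.

```php
<?php
/*
 * Added example, not from the answer or from WordPress core. Assumes the
 * plugin ships certs/ca-bundle.crt next to this file and stores the owner's
 * choice in the option 'myplugin_ssl_mode' (both names are hypothetical).
 */

function myplugin_remote_get( $url ) {
    $args = array(
        'timeout'         => 15,
        // Certificate verification stays on unless the owner explicitly opts out.
        'sslverify'       => true,
        // Option 2: plugin-shipped root bundle, refreshed with each plugin release.
        'sslcertificates' => plugin_dir_path( __FILE__ ) . 'certs/ca-bundle.crt',
    );

    // Option 1: the site owner decides. Only an explicit 'unverified' value
    // turns verification off; the default remains 'verified'.
    if ( 'unverified' === get_option( 'myplugin_ssl_mode', 'verified' ) ) {
        $args['sslverify'] = false;
    }

    // If the plugin's bundle is missing, fall back to core's default bundle
    // (WP_Http fills in its own path when the key is absent) instead of
    // failing open by disabling verification.
    if ( ! is_readable( $args['sslcertificates'] ) ) {
        unset( $args['sslcertificates'] );
    }

    $response = wp_remote_get( $url, $args );

    if ( is_wp_error( $response ) ) {
        // A stale or missing root typically surfaces here as a cURL/SSL error
        // message; log it so the admin can see why the request was refused.
        error_log( 'myplugin: request failed: ' . $response->get_error_message() );
        return null;
    }

    return wp_remote_retrieve_body( $response );
}
```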