Why we need CURLOPT_SSL_VERIFYPEER in windows


This cURL man page on SSL Certificates describes the process for Certificate Verification when connecting to SSL/TLS secured hosts.

The reason you are needing to set CURLOPT_SSL_VERIFYPEER to false on Windows is because the CA bundle it uses to verify the certificates is missing (or there is no default path compiled into cURL so you need to explicitly define it).

You can configure it in php.ini using the curl.cainfo directive, or specify it at runtime using:

    curl_setopt($curl, CURLOPT_CAINFO, 'C:/path/to/ca-bundle.crt');

If you don't have a copy, grab a recent one here.

While disabling peer verification is a workaround, this can be unsafe because you're disabling the very check that ensures you are securely communicating with the site you think you are.

Anyone can generate a self-signed certificate to impersonate a domain, but browsers or clients (like cURL) will fail if the certificate can't be verified unless you ignore or bypass this check (i.e. CURLOPT_SSL_VERIFYPEER = false).
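
An added example, not part of the answers on this page: a PHP helper that keeps peer and host verification on, resolves the CA bundle from an explicit path or the php.ini directives, and reports the cURL error number when verification fails. The function names, the `openssl.cafile` fallback and the `https://example.com/` URL are assumptions made for illustration; the bundle path is the placeholder used in the answer above.

```php
<?php
// Added example (hypothetical helper names): verified HTTPS request with an explicit CA bundle.

/** Pick a CA bundle: explicit path first, then php.ini. Null means "use cURL's built-in default". */
function resolve_ca_bundle(?string $explicit = null): ?string
{
    if ($explicit !== null) {
        // A caller-supplied path that cannot be read is an error, not a reason to fall back.
        if (!is_readable($explicit)) {
            throw new RuntimeException("CA bundle not readable: $explicit");
        }
        return $explicit;
    }
    foreach ([ini_get('curl.cainfo'), ini_get('openssl.cafile')] as $path) {
        if (is_string($path) && $path !== '' && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/** Fetch a URL with certificate chain and host name checks enabled; throw on any failure. */
function fetch_verified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // chain must validate against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate name must match the requested host
    ]);
    $ca = resolve_ca_bundle($caBundle);
    if ($ca !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $ca);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // 60: certificate could not be verified; 77: CA bundle file could not be loaded.
        throw new RuntimeException(sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    return $body;
}

try {
    $html = fetch_verified('https://example.com/', 'C:/path/to/ca-bundle.crt');
    echo strlen($html), " bytes received over a verified connection\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n"); // fix the bundle path instead of disabling the check
}
```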


Drew010's answer is correct. I'd just add that the problem you're experiencing isn't so much a Windows v Linux issue as much as it is that the two environments differ. You could encounter the same difference between two Linux environments (where I encountered this exact issue), with the roles reversed (works in Windows but not in Linux), etc.