If cURL is not installed, HTTPS seems to be silently done using fsockopen, which does not check SSL certificates. IMHO, this should not happen automatically - if a user wants it to work in the insecure way (because curl is unavailable), the user should be required to set the manual override.
Additionally, the Auth_OpenID_VERIFY_HOST constant seems to be read but neither set nor documented anywhere. Thus, it seems that CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are never set by default. This would only be insecure with cURL versions before 7.10, and I do not know if any PHP5 was ever shipped with such an old version. However, in the current form, the code around Auth_OpenID_VERIFY_HOST makes little sense - either it should be enabled by default (or at least documented) to cover old cURL versions, or it can be removed if cURL >= 7.10 is assumed as it would only set the cURL defaults again. See also Issue #38 which suggests making it possible to override the defaults by setting VERIFY_HOST to false.