[wp-hackers] securing API calls from a plugin with ssl

Michael D Adams mda at blogwaffe.com
Tue Jun 28 23:14:43 UTC 2011

On Tue, Jun 28, 2011 at 3:32 PM, msacks <ntwrkd at gmail.com> wrote:
> Hi List,
> I am wondering if there is a recommended way to secure an outbound API call
> one of my plugins needs to make using SSL?
> Will this create any extra dependencies on my users installing the plugin?
> If so, what?

Making outgoing SSL requests on random hosts is a huge pain :)  It
works almost everywhere, but spectacularly fails on some (bad) hosts.

WordPress 3.2 (currently in RC3, with the real release coming soon)
reduces the pain significantly with the wp_http_supports() function
[1].  With it, you can tell if the host can *probably* make outgoing
SSL requests.  It's up to you to decide if you should continue over
HTTP if there's no support.

That function won't help detect the case where the host has all the
right software in place (openSSL, etc.) but has no certificate
authority file on hand to verify the SSL certificate of the host
you're connecting to.  You'll have to trap those errors manually by
examining the WP_Error objects that get returned by wp_remote_*().  If
you see those errors, it's up to you to decide if you should resend
the request with sslverify set to false.


[1] http://core.trac.wordpress.org/ticket/17251#comment:10

More information about the wp-hackers mailing list