[wp-trac] [WordPress Trac] #25007: WP_HTTP_Fsockopen does not verify SSL certificates
WordPress Trac
noreply at wordpress.org
Sun Sep 8 02:44:51 UTC 2013
#25007: WP_HTTP_Fsockopen does not verify SSL certificates
------------------------------+------------------
Reporter: rmccue | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.7
Component: HTTP | Version:
Severity: major | Resolution:
Keywords: needs-unit-tests |
------------------------------+------------------
Comment (by dd32):
There are two alternate solutions I can think of instead of the action
taken here:
1. Only use our local CA bundle when the system's CA bundle has been proven
not to work - i.e. set a transient and disable system CA if
https://api.wordpress.org/ failed to validate
2. Only ship the certificate chain needed for WordPress.org domains, and
forcibly set the CA file to that when we're requesting one of our own
URLs.
Some downsides exist though:
* If we ship the entire CA chain, but only use it when *.wordpress.org
fails, other requests could pass, or fail, if the system's CA is out of
date. (This could also mean that *.wordpress.org passes because the system
still trusts a compromised CA)
* If we ship only a .org chain, it fixes issues for us mostly, but doesn't
help plugins.
Personally I'm not against #2 above, but I don't really like fixing
requests ''just'' for us when we could fix everything at once.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25007#comment:24>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
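
The two alternatives from the comment above, sketched as an added example that is not part of the original message and is not WordPress core code. The function names, the two certificate paths and the boolean standing in for the transient are hypothetical; the hosts in the loop are constructed samples.

```php
<?php
// Added illustration, not WordPress core code. Function names and file paths are hypothetical.
const FULL_BUNDLE = __DIR__ . '/certificates/ca-bundle.crt';     // assumed path: full CA bundle shipped locally
const ORG_CHAIN   = __DIR__ . '/certificates/wordpress-org.crt'; // assumed path: chain for *.wordpress.org only

// True for wordpress.org and its subdomains; lookalikes must not match.
function is_own_host(string $host): bool {
    $host   = strtolower(rtrim($host, '.'));
    $suffix = '.wordpress.org';
    return $host === 'wordpress.org' || substr($host, -strlen($suffix)) === $suffix;
}

// Alternative 1: system CA store by default, local bundle once the system store
// has failed to validate https://api.wordpress.org/ ($system_ca_failed stands in
// for the transient). Returns null to leave 'cafile' unset.
function ca_file_alt1(bool $system_ca_failed): ?string {
    return $system_ca_failed ? FULL_BUNDLE : null;
}

// Alternative 2: force the shipped chain for our own hosts, system store otherwise.
function ca_file_alt2(string $host): ?string {
    return is_own_host($host) ? ORG_CHAIN : null;
}

// SSL stream-context options; verification stays on in every case.
function ssl_options(string $host, ?string $ca_file): array {
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $host];
    if ($ca_file !== null) {
        $ssl['cafile'] = $ca_file;
    }
    return ['ssl' => $ssl];
}

// Constructed sample hosts: an own host, a plugin's third-party host, two lookalikes.
$hosts = ['api.wordpress.org', 'updates.example.com', 'wordpress.org.example.net', 'evilwordpress.org'];
foreach ($hosts as $host) {
    foreach ([false, true] as $failed) {
        printf(
            "%-26s system_ca_failed=%d alt1=%s alt2=%s\n",
            $host, $failed,
            basename(ca_file_alt1($failed) ?? 'system'),
            basename(ca_file_alt2($host) ?? 'system')
        );
    }
}
// The options array is what stream_context_create() accepts for an SSL socket.
$context = stream_context_create(ssl_options('api.wordpress.org', ca_file_alt2('api.wordpress.org')));
```

In the printed table, the third-party host stays on the system store under alternative 2 whatever the state of that store, which is the "doesn't help plugins" downside; under alternative 1 every host switches to the local bundle once the flag is set.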