[wp-trac] [WordPress Trac] #25007: WP_HTTP_Fsockopen does not verify SSL certificates

WordPress Trac noreply at wordpress.org
Sun Sep 8 03:16:08 UTC 2013


#25007: WP_HTTP_Fsockopen does not verify SSL certificates
------------------------------+------------------
 Reporter:  rmccue            |       Owner:
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  3.7
Component:  HTTP              |     Version:
 Severity:  major             |  Resolution:
 Keywords:  needs-unit-tests  |
------------------------------+------------------

Comment (by rmccue):

 Replying to [comment:24 dd32]:
 > 1. Only use our local CA bundle when the system's CA bundle has been
 > proven not to work - i.e. set a transient and disable system CA if
 > https://api.wordpress.org/ failed to validate

 I don't like this at all, since it relies on a third party (which happens
 to be us anyway, but still) having valid certificates.

 I'm definitely in favour of having this in a plugin. I think the solution
 here is:

 1. Ensure trunk is kept up to date
 2. Include the latest cacert with a plugin like Hotfix and use that as the
 default if installed.

 I've split the certificate pinning issue (point 2 from above) into #25252.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25007#comment:26>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

