[wp-trac] [WordPress Trac] #36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
WordPress Trac
noreply at wordpress.org
Thu Mar 24 17:43:19 UTC 2016
#36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
--------------------------+------------------------
Reporter: reidbusi | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.4.2
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by reidbusi):
Sorry Mike, but you are just wrong in this case.
"CURL_SSLVERSION_TLSv1_0 (4), CURL_SSLVERSION_TLSv1_1 (5) or
CURL_SSLVERSION_TLSv1_2 (6) only work for PHP versions using curl 7.34 or
newer."
http://php.net/manual/en/function.curl-setopt.php
So my host can disable old protocols all they like, unless they upgrade
curl and php to use a later version of curl/libcurl, it is not going to to
work (as dd32 implied). My host is currently using curl 7.19.7. So they
would need to update curl and php, and once they do they still cannot
disable old protocols because that may break other applications on their
many thousands of hosting accounts. There are other things running on
servers besides WooCommerce/WordPress.
I have found a likely solution however (appears to be working for me), and
since I am feeling generous (smug, more accurately), it looks like this:
{{{#!php
<?php
function rbst_http_api_transports() {
return array( 'streams', 'curl' );
}
add_filter( 'http_api_transports', 'rbst_http_api_transports', 9999 );
}}}
Which should be the default transport order anyway. So somebody should fix
that. I will not bother to release a plugin with only this in it, I will
just slap it on our sites and watch for a WP or Woo changelog mention of
the issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36320#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list