[wp-trac] [WordPress Trac] #36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
noreply at wordpress.org
Thu Mar 31 00:08:32 UTC 2016
#36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
Reporter: reidbusi | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: HTTP API | Version: 4.4.2
Severity: major | Resolution: duplicate
Keywords: | Focuses:
Comment (by rmccue):
Replying to [comment:23 mikejolley]:
> @reidbusi not using constants is kinda hacky. Our code does check
CURL_SSLVERSION_TLSv1 is defined before using it. You could set this
constant to avoid needing to change core.
In cURL-land, it's not terribly hacky, as the constant values are defined
as part of the cURL API. The corresponding integer for TLS negotiation is
`1`, for reference.
Replying to [comment:24 reidbusi]:
> Hacky or not, it is required on Hostgator shared hosting. I suppose I
could define CURL_SSLVERSION_TLSv1_2 (there would be no point in defining
CURL_SSLVERSION_TLSv1 for us, since our servers cannot negotiate a TLS
connection via cURL). I don't see much point in defining
CURL_SSLVERSION_TLSv1_2 in my plugin to use it three lines later either
(I'd need to check if the define exists too). Thanks for the suggestion
When your host says their SSL client code (presumably OpenSSL) doesn't
support SSL negotiation, that sounds to me like it doesn't support
v2/v3/TLS negotiation specifically, however I think it should correctly
support TLS v1 subversion negotiation, based on my reading of the code,
and also as mentioned in the RHEL bug:
> With el6 libcurl, CURL_SSLVERSION_TLSv1_2 means "TLS 1.2 only" whereas
CURL_SSLVERSION_TLSv1 means "TLS 1.x". Both of them are known to work.
Is it possible to try this set to `1` specifically (the value of
`CURL_SSLVERSION_TLSv1` if it existed)? If that fixes the issue, we should
be fine to ship this in core per #34924.
> I still think the right answer is to re-implement TLS 1.2 in php somehow
to remove all external dependencies that we just cannot assume are
present. Nuke it from orbit - it's the only way to be sure.
TLS is mostly not possible in PHP itself without reimplementing something
like OpenSSL in userland, which is just a terrible idea, as it'd mean we
need to maintain crypto code ourselves in WordPress. (I've attempted this
before just to see if it were possible, and it's also extremely hard to
At some point, there are times where we need to say that we don't support
server configurations. If this is one of them, so be it. Let's make sure
we've exhausted all of our options first.
Ticket URL: <https://core.trac.wordpress.org/ticket/36320#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac