[wp-trac] [WordPress Trac] #26010: SSL via `WP_Http_Curl` breaks on HTTP version mismatch

WordPress Trac noreply at wordpress.org
Thu Nov 14 22:27:04 UTC 2013 

#26010: SSL via `WP_Http_Curl` breaks on HTTP version mismatch
--------------------------+------------------------------
 Reporter:  soulseekah    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  HTTP          |     Version:  3.7
 Severity:  minor         |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by dd32):

 This was caused by a cURL regression in 7.31.0, basically it's impossible
 to tell with 100% certainty from PHP if it was a Network Error, Invalid
 SSL data, injected-from-a-3rd-party SSL data, or, the cURL regression
 which treated a specific SSL error as critical. We can check to see if
 there was data received as you've done, but we can't verify it in all
 circumstances.

 Certain servers violate the TLS protocol (It closes the connection before
 sending the TLS closing handshake, nginx does this in certain cases) which
 causes this error to occur. In the case of nginx, it's only triggered when
 it's a POST request with a body specified.

 cURL 7.30.0, and cURL 7.32.0 do not have this issue, and handle the error
 internally to detect the TLS violation error and ignore it in the right
 circumstances - We can't do that as cURL doesn't expose the right error
 messages for it.

 The breaking change in [25303] is that we handle connection failures
 during receive now, where as before we didn't. This is important in that
 we don't return partial documents as a successful retrieval, previously if
 there was a network error or timeout it was possible to receive only 20%
 of the full document under the right circumstances.

 Ultimately, I think it's best to simply disable HTTPS requests via the
 broken version of cURL (see ticket below) for simplicity and reliability.

 See also: #25716 - WordPress.org had the same trouble
 See also: #25738 - Blacklisting of certain incompatible versions of curl
 (including this one)

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26010#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list