[wp-trac] [WordPress Trac] #25738: WP_HTTP uses transports that incorrectly claim to support a request
WordPress Trac
noreply at wordpress.org
Fri Nov 15 06:40:18 UTC 2013
#25738: WP_HTTP uses transports that incorrectly claim to support a request
--------------------------+------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.8
Component: HTTP | Version:
Severity: normal | Resolution:
Keywords: |
--------------------------+------------------
Comment (by dd32):
> Blacklisting this single version seems fine, but only if there are other
options. If streams are not available, 7.31.0 (with SSL) will still
probably work, which is better than failing altogether perhaps. This might
be too complicated to check for in reality.
It'll succeed against most Apache servers, and a few others, but fail
against a bunch of others.
Most Plugins need to be written with the fact that not all servers can
perform SSL connections reliably anyway, so blocking HTTPS connections via
cURL on a host with a known bad version and letting it fallback to
Streams+OpenSSL is a better option.
If OpenSSL isn't available for Streams on that server, they're out of luck
and the plugin will have to resort to HTTP.
The tough part about blacklisting cURL 7.31.0 and cURL+GnuTLS (which both
have the same issue) is that both of these can now communicate with
api.wordpress.org securely, but if we block these, and the host doesn't
have OpenSSL installed then they'll be left out in the cold with manual
updates (Background Updates require HTTPS).
So it's a balance between core functionality and more reliable requests
for plugins.
One alternative is that we only blacklist those 2 conditions when we can
otherwise probably successfully make a connection with Streams:
[attachment:25738.2.diff],
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25738#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list