[wp-trac] [WordPress Trac] #25007: WP_HTTP_Fsockopen does not verify SSL certificates

WordPress Trac noreply at wordpress.org
Tue Sep 3 08:56:40 UTC 2013


#25007: WP_HTTP_Fsockopen does not verify SSL certificates
--------------------------+------------------
 Reporter:  rmccue        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.7
Component:  HTTP          |     Version:
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+------------------

Comment (by dd32):

 > Attachment attachment:25007.2.diff added

 Final run through:
  * Switches from using fsockopen to stream_socket_client - Some hosts
 appear to block the latter function, however appear to block fsockopen
 too.
  * Renames the Fsockopen class to WP_HTTP_Streams, and removes the old
 Streams class - Yes, this brings us down to TWO transports, cURL and
 Streams (For those keeping tabs at home, WP_HTTP originally started with
 FIVE, PHP HTTP Extension, cURL, PHP4 fopen(), PHP5 Streams, and
 fsockopen()).
  * Bundles a root CA file with WordPress so that hosts without a valid SSL
 certificate bundle can make outgoing HTTPS requests (We'll need to keep
 this updated in the future, probably a grunt task to rebuild it)
  * Enforces SSL certificate validation, self-signed certificates are a
 no-go unless the caller specifies that the certificate doesn't need
 verification
  * Keeps a WP_HTTP_fsockopen class around as a compatibility layer, it
 simply extends the new Streams class, just for anyone who was using it
 directly (Plugins do things like this)
  * When WP_DEBUG is enabled, the errors that stream_socket_client() makes
 are a bit more verbose than the previous errors, this was because
 fsockopen() and fopen() were both disabling error reporting to a degree.
 No warnings visible when WP_DEBUG is disabled

 This patch should also fix #16606 and #13841

 Needs testing, Passes all unit tests, works fine when the local SSL bundle
 is malformed or removed

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25007#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
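
The behaviour listed in the comment above (verification on by default, a bundled CA file, caller opt-out for self-signed certificates), sketched with stream_socket_client() as an added example that is not part of the original message or the attached patch. The function name and the CA bundle argument are hypothetical, and the verify_peer_name / peer_name options assume PHP 5.6 or later.

```php
<?php
// Added illustration, not WordPress core code. The function name and
// any CA bundle path passed in are hypothetical.
function example_open_verified_stream($host, $port = 443, $verify = true, $ca_file = null)
{
    $ssl = array(
        'verify_peer'       => $verify,  // validate the chain against trusted roots
        'verify_peer_name'  => $verify,  // PHP >= 5.6: certificate must match $host
        'peer_name'         => $host,
        'allow_self_signed' => !$verify, // accepted only when the caller opts out
        'SNI_enabled'       => true,
        'capture_peer_cert' => true,
    );
    // Use the bundled roots only when the file is readable; otherwise
    // leave 'cafile' unset so PHP uses its configured default CA store.
    if ($verify && $ca_file !== null && is_readable($ca_file)) {
        $ssl['cafile'] = $ca_file;
    }
    $context = stream_context_create(array('ssl' => $ssl));

    $errno  = 0;
    $errstr = '';
    // @ hides the handshake warning; failure is reported via the return value.
    $fp = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, 5,
        STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        // A rejected certificate often leaves $errno at 0 and $errstr empty.
        $msg = $errstr !== '' ? $errstr : 'TLS handshake or certificate verification failed';
        return array('ok' => false, 'error' => $msg);
    }

    $params = stream_context_get_params($fp);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);
    return array(
        'ok'         => true,
        'subject_cn' => isset($cert['subject']['CN']) ? $cert['subject']['CN'] : null,
    );
}

// CLI usage: php example.php <host> [path-to-ca-bundle.pem]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $bundle = isset($argv[2]) ? $argv[2] : null;
    print_r(example_open_verified_stream($argv[1], 443, true, $bundle));
}
```

Run against a host that presents a self-signed certificate, the default call returns 'ok' => false; only an explicit $verify = false lets the connection through.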

