[wp-trac] [WordPress Trac] #25007: WP_HTTP_Fsockopen does not verify SSL certificates

WordPress Trac noreply at wordpress.org
Tue Sep 3 10:13:08 UTC 2013


#25007: WP_HTTP_Fsockopen does not verify SSL certificates
--------------------------+------------------
 Reporter:  rmccue        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.7
Component:  HTTP          |     Version:
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+------------------

Comment (by rmccue):

 Note that the above patch does not do common name checking, so it's
 possible to use MITM attacks as long as you have a valid certificate for
 ''any'' domain. PHP's built-in checking for this is almost completely
 broken, which is why no one does it.
 [https://github.com/rmccue/Requests/pull/63 Requests will have support
 soon], I just need to add some more tests to assure myself, but no other
 general HTTP library does this level of checking.

 IMO, it's a bit too vulnerable without that to rely on.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25007#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
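
The hostname check the comment says is missing, as an added example that is not code from the ticket, its patch, or Requests. It assumes the certificate has already passed chain validation and been parsed with openssl_x509_parse(); the function names and hostnames are hypothetical and the sample certificates are constructed.

```php
<?php
// Added example: match a requested host against a parsed, chain-valid certificate.

// Compare one certificate DNS name (possibly a wildcard) with the requested host.
function dns_name_matches(string $pattern, string $host): bool {
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if ($pattern === $host) {
        return true;
    }
    // A wildcard is honoured only as the whole left-most label.
    if (strncmp($pattern, '*.', 2) !== 0) {
        return false;
    }
    $suffix = substr($pattern, 1);           // "*.example.org" -> ".example.org"
    if (substr_count($suffix, '.') < 2) {    // refuse "*.org"
        return false;
    }
    // The wildcard covers exactly one non-empty label of the host.
    $dot = strpos($host, '.');
    return $dot !== false && $dot > 0 && substr($host, $dot) === $suffix;
}

function cert_matches_host(array $cert, string $host): bool {
    $san = $cert['extensions']['subjectAltName'] ?? '';
    preg_match_all('/(?:^|,)\s*DNS:([^,\s]+)/', $san, $m);
    $names = $m[1];
    // The common name is a fallback only when no DNS subjectAltName exists.
    if (!$names) {
        $names = (array) ($cert['subject']['CN'] ?? []);
    }
    foreach ($names as $name) {
        if (dns_name_matches($name, $host)) {
            return true;
        }
    }
    return false;
}

// Constructed certificates: chain validation alone would accept either one.
$other = ['subject' => ['CN' => 'unrelated.example'],
          'extensions' => ['subjectAltName' => 'DNS:unrelated.example']];
$ours  = ['subject' => ['CN' => 'example.org'],
          'extensions' => ['subjectAltName' => 'DNS:example.org, DNS:*.example.org']];
var_dump(cert_matches_host($other, 'api.example.org'));
var_dump(cert_matches_host($ours, 'api.example.org'));
var_dump(cert_matches_host($ours, 'a.b.example.org'));
```

A client that skips this step treats `$other` the same as `$ours` for a connection to api.example.org, which is the gap the comment describes.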

