[wp-trac] [WordPress Trac] #25007: WP_HTTP_Fsockopen does not verify SSL certificates
WordPress Trac
noreply at wordpress.org
Tue Sep 3 10:13:08 UTC 2013
#25007: WP_HTTP_Fsockopen does not verify SSL certificates
--------------------------+------------------
 Reporter:  rmccue        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.7
Component:  HTTP          |     Version:
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+------------------
Comment (by rmccue):
Note that the above patch does not do common name checking, so it's
possible to use MITM attacks as long as you have a valid certificate for
''any'' domain. PHP's built-in checking for this is almost completely
broken, which is why no one does it.
[https://github.com/rmccue/Requests/pull/63 Requests will have support
soon], I just need to add some more tests to assure myself, but no other
general HTTP library does this level of checking.
IMO, it's a bit too vulnerable without that to rely on.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25007#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
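
The name check the comment says is missing, as an added example (not code from the patch, WordPress or Requests): once chain validation succeeds, the requested host is compared against the certificate's DNS names. It assumes a certificate array in the shape returned by `openssl_x509_parse()`; the helper names and sample certificates are constructed for illustration.

```php
<?php
// Added example. $cert has the shape returned by openssl_x509_parse(); names are hypothetical.
/** Match one certificate DNS name (possibly "*.example.org") against a host. */
function name_matches(string $pattern, string $host): bool
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if ($pattern === $host) {
        return true;
    }
    // A wildcard is honoured only as the whole left-most label, never for IPs.
    if (strncmp($pattern, '*.', 2) !== 0 || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = substr($pattern, 1);           // "*.example.org" -> ".example.org"
    if (substr_count($suffix, '.') < 2) {    // refuse "*.org"
        return false;
    }
    $dot = strpos($host, '.');               // wildcard covers exactly one label
    return $dot !== false && $dot > 0 && substr($host, $dot) === $suffix;
}

/** True when the parsed certificate names $host. */
function cert_matches_host(array $cert, string $host): bool
{
    $names = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = trim(substr($entry, 4));
        }
    }
    // Fall back to the subject CN only when the certificate has no DNS SANs.
    if ($names === [] && is_string($cert['subject']['CN'] ?? null)) {
        $names[] = $cert['subject']['CN'];
    }
    foreach ($names as $name) {
        if (name_matches($name, $host)) {
            return true;
        }
    }
    return false;
}
// Constructed certificates: each would pass chain validation on its own.
$other = ['subject' => ['CN' => 'shop.example.net'], 'extensions' => ['subjectAltName' => 'DNS:shop.example.net']];
$wild  = ['subject' => ['CN' => '*.example.org']];
var_dump(cert_matches_host($other, 'api.example.org'));   // valid cert, wrong domain
var_dump(cert_matches_host($wild, 'api.example.org'));    // one-label wildcard
var_dump(cert_matches_host($wild, 'a.b.example.org'));    // wildcard spans two labels
```

Only DNS names are compared here; IP-address SAN entries and public-suffix wildcards such as `*.co.uk` would need separate handling.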