[wp-trac] [WordPress Trac] #28630: wordpress "check for updates" fails silently behind proxy server with https POST 501 Error

WordPress Trac noreply at wordpress.org
Wed Jun 25 14:58:26 UTC 2014


#28630: wordpress "check for updates" fails silently behind proxy server with https
POST 501 Error
--------------------------+-----------------------------
 Reporter:  manikb        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 I was running WordPress 3.8.1 on a webserver inside a LAN where WordPress
 needs to use a proxy to access the web. This is taken care of by defining
 WP_PROXY_HOST and WP_PROXY_PORT in wp-config.php, so WordPress and plugins
 worked correctly.

 When checking the dashboard for updates, WordPress and all plugins were
 always shown as up-to-date even as WP 3.9 and 3.9.1 were out.
 I checked the network traffic when forcing an update check, and it turns
 out that in wp-includes/update.php, if SSL is available, the URL used to
 check for updates is transformed from an http URL to an https URL. This
 happens in three places, e.g.:

 {{{
 $url = $http_url = 'http://api.wordpress.org/themes/update-check/1.1/';
 if ( $ssl = wp_http_supports( array( 'ssl' ) ) )
     $url = set_url_scheme( $url, 'https' );
 }}}

 Thus an HTTPS POST request is sent, and the proxy we have here (Squid)
 answers with an error 501 “Unsupported Request Method and Protocol”.

 It seems HTTP GET and POST work, I know HTTPS GET works with the proxy,
 but not HTTPS POST from WP.

 After that, WP displays that everything is up-to-date, with no error
 message, even with WP_DEBUG set to true.

 I commented out the lines that switch to SSL if it is available, and
 everything worked fine: the updates were detected and installed with no
 further problem.
 Unfortunately my 'fix' isn't one as I will have to do it again after each
 WP update.

 Fixing this:
 - At the minimum: If the update check fails (error 501 here) WP should
 NOT say there is no update, but display an error message to let the user
 know there may be updates available but that it could not check for them
 (displaying the error itself would be even better).
 - Better:
   Maybe this is due to the way WP connects to the server using the proxy,
 as SQUID should work with HTTPS POST (at least it does from my browser).
 It seems a similar problem is described in
 [http://www.perlmonks.org/?node_id=78114] and is due to the connection:
 apparently it should be: ''create TCP connection to proxy, send "CONNECT
 xyz\r\n", and only then establish SSL connection.''. If this can be fixed
 in proxy support for https (not sure this is the problem), that's the best
 solution.

 - Fast and insecure fix: There could be a way (a wp-config var?) to
 disable SSL when checking for updates but there are security implications
 as I assume SSL is used to confirm that the server is getting the updates
 from a legitimate WP server.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28630>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
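
The connection order quoted in the ticket (plaintext CONNECT to the proxy first, TLS only after the proxy accepts) together with the "do not report up-to-date on failure" request, as an added example that is not WordPress core code or the reporter's. All function names are hypothetical and the proxy replies are constructed samples, not captured traffic.

```php
<?php
// Added example, not WordPress core code. All function names are hypothetical.

// Step 1 of HTTPS through a forward proxy: ask the proxy, in plaintext, for a tunnel.
function build_connect_request(string $host, int $port): string {
    return "CONNECT {$host}:{$port} HTTP/1.1\r\n"
         . "Host: {$host}:{$port}\r\n\r\n";
}

// Step 2: read the proxy's status line. Only a 2xx reply means the tunnel is
// open and the TLS handshake with the origin server may begin.
function parse_connect_reply(string $raw): array {
    $status_line = (string) strtok($raw, "\r\n");
    if (!preg_match('#^HTTP/\d\.\d (\d{3})(?: (.*))?$#', $status_line, $m)) {
        return ['ok' => false, 'code' => 0, 'reason' => 'malformed proxy reply'];
    }
    $code = (int) $m[1];
    return ['ok' => $code >= 200 && $code < 300, 'code' => $code, 'reason' => $m[2] ?? ''];
}

// Step 3: keep three distinct outcomes; a transport failure is never
// folded into "up to date".
function update_check_status(array $tunnel, string $installed, string $latest): string {
    if (!$tunnel['ok']) {
        return "check failed: proxy answered {$tunnel['code']} {$tunnel['reason']}";
    }
    return version_compare($latest, $installed, '>')
        ? "update available: {$latest}"
        : 'up to date';
}

// Constructed sample replies (not captured traffic).
$replies = [
    "HTTP/1.1 200 Connection established\r\n\r\n",
    "HTTP/1.0 501 Not Implemented\r\nServer: squid\r\n\r\n",
];

echo build_connect_request('api.wordpress.org', 443);
foreach ($replies as $raw) {
    echo update_check_status(parse_connect_reply($raw), '3.8.1', '3.9.1'), "\n";
}
```

Because the TLS session runs inside the tunnel, certificate verification stays end to end with api.wordpress.org and the proxy only relays ciphertext.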