[wp-trac] [WordPress Trac] #34924: Network upgrade fails on tls 1.2 only servers
WordPress Trac
noreply at wordpress.org
Wed Dec 9 20:44:14 UTC 2015
#34924: Network upgrade fails on tls 1.2 only servers
--------------------------+------------------------------
Reporter: mensmaximus | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTTP API | Version: 4.4
Severity: normal | Resolution:
Keywords: | Focuses: multisite
--------------------------+------------------------------
Comment (by mensmaximus):
Hi @jeremyfelt, thank you for the follow up.
The main issue is that although cURL 7.29 on CentOS and probably RedHat does
support TLSv1.2, it does not auto-negotiate. Setting CURLOPT_SSLVERSION to
CURL_SSLVERSION_TLSv1 solves the issue. It is great to know there is a
filter and I will use it for the future. Thanks for that.
However, most Multisite users will struggle in the first place if they come
across an error saying "TCP connection reset by peer". I help a lot at
wpde.org and I see questions about error messages a lot.
In my tests Firefox did not choose TLSv1.2 if the server is set to
"ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" and "ssl http2". Maybe a bug in FF
42.
Yes, this is a cURL issue and not something related to WordPress. Anyway,
helping to make the web more secure should be our goal. There are thousands
of recommendations to stop using SSLv2 and SSLv3. From my point of view it
would not hurt if WordPress HTTP API would operate with TLS by default
setting CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1 because it will auto-
negotiate between all available TLS versions and choose the highest
available. In addition from cURL 7.39 on SSLv3 is disabled by default.
Setting TLS in CORE explicitly would help to avoid irritations and to make
connections more secure because the HTTP API deals with remote connections
as well. Using the filter to "tighten" security seems odd. Having the
filter to provide a fallback for SSL makes perfect sense for me.
Maybe a discussion on Slack is more appropriate than me spamming trac :-)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34924#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
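
The setting described in the comment above, as an added example that is not part of the original message or of WordPress core. It assumes the hook the commenter mentions is the core `http_api_curl` action; the function name `example_force_tls_for_curl` is hypothetical.

```php
<?php
/**
 * Added example: request TLS 1.x for HTTPS calls made through the
 * WordPress HTTP API's cURL transport (e.g. loaded as a must-use plugin).
 * Assumption: the hook is the core `http_api_curl` action.
 */

/**
 * @param resource|CurlHandle $handle cURL handle prepared by the HTTP API.
 * @param array               $args   Request arguments (unused here).
 * @param string              $url    Request URL.
 * @return bool True if the option was applied, false if it was skipped.
 */
function example_force_tls_for_curl( $handle, $args = array(), $url = '' ) {
	// Plain HTTP requests have no TLS handshake, so leave them untouched.
	$scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
	if ( 'https' !== $scheme ) {
		return false;
	}

	// Older PHP builds do not define the constant; keep libcurl's default there.
	if ( ! defined( 'CURL_SSLVERSION_TLSv1' ) ) {
		return false;
	}

	// CURL_SSLVERSION_TLSv1 means "TLS 1.x": SSLv2 and SSLv3 are excluded and,
	// as the comment above describes, the TLS version is negotiated with the server.
	return curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1 );
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: the action passes the handle, the request args and the URL.
	add_action( 'http_api_curl', 'example_force_tls_for_curl', 10, 3 );
} else {
	// Stand-alone run (php file.php) with constructed URLs; no request is sent.
	$handle = curl_init();
	var_dump( example_force_tls_for_curl( $handle, array(), 'https://example.org/' ) );
	var_dump( example_force_tls_for_curl( $handle, array(), 'http://example.org/' ) );
	curl_close( $handle );
}
```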