[wp-trac] [WordPress Trac] #34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all

WordPress Trac noreply at wordpress.org
Thu Nov 26 13:20:01 UTC 2015


#34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all
--------------------------+-----------------------------
 Reporter:  FriendlyGreg  |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP API      |    Version:  4.3
 Severity:  normal        |   Keywords:
  Focuses:  performance   |
--------------------------+-----------------------------
 This is a follow-up to #16904.

 In the case of a local connection (e.g., for cron) to an instance of OS X
 Server 5 running with RC4 support shut off in the Server's proxy's cipher
 suites, setting {{{CURLOPT_SSL_VERIFYHOST}}} ''at all'' will cause
 {{{WP_Http_Curl}}} to return {{{WP_Error}}} with {{{SSLRead() return error
 -9841}}}. While this impacts OS X in a particularly disruptive way
 regardless of certificate trust, it may also impact other platforms when
 using self-signed certificates.

 When making local connections, with {{{$ssl_verify}}} at {{{false}}},
 {{{CURLOPT_SSL_VERIFYHOST}}} should not be set at all, rather than being
 set to {{{false}}}. (Note that {{{CURLOPT_SSL_VERIFYHOST}}} accepts only
 ''integer'' values, so {{{false}}} is not a valid option anyway.) Applying
 the same check used in 4.4 (#33978) to fix the incorrect setting of
 {{{CURLOPT_CAINFO}}} in 4.3:

 {{{#!php
 <?php
         if ( $ssl_verify ) {
                 curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, 2 );
         }
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34794>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
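
The change proposed in the ticket, set beside the behaviour it describes, as an added example that is not WordPress core code and not from the reporter. The function names, the `CURLOPT_SSL_VERIFYPEER` handling, the value `2` in the "before" branch and the CA bundle path are assumptions made for illustration. libcurl's own default for `CURLOPT_SSL_VERIFYHOST` is 2, so leaving the option unset does not switch hostname checking off.

```php
<?php
// Added illustration. Function names are hypothetical, not WordPress core code.

// Behaviour as the ticket describes it: VERIFYHOST is always set, and
// receives false when verification is off (assumed to be 2 otherwise).
function tls_options_before( bool $ssl_verify ): array {
	return array(
		CURLOPT_SSL_VERIFYPEER => $ssl_verify, // assumption: not shown in the ticket
		CURLOPT_SSL_VERIFYHOST => $ssl_verify ? 2 : false, // false is converted to integer 0
	);
}

// Behaviour the ticket proposes: touch VERIFYHOST (and CAINFO, as in #33978)
// only when verification is requested; otherwise leave libcurl's default.
function tls_options_proposed( bool $ssl_verify, ?string $ca_bundle = null ): array {
	$options = array( CURLOPT_SSL_VERIFYPEER => $ssl_verify );
	if ( $ssl_verify ) {
		$options[ CURLOPT_SSL_VERIFYHOST ] = 2;
		if ( null !== $ca_bundle ) {
			$options[ CURLOPT_CAINFO ] = $ca_bundle;
		}
	}
	return $options;
}

$names = array(
	CURLOPT_SSL_VERIFYPEER => 'CURLOPT_SSL_VERIFYPEER',
	CURLOPT_SSL_VERIFYHOST => 'CURLOPT_SSL_VERIFYHOST',
	CURLOPT_CAINFO         => 'CURLOPT_CAINFO',
);
$ca_bundle = '/path/to/ca-bundle.crt'; // constructed placeholder path

foreach ( array( true, false ) as $ssl_verify ) {
	$variants = array(
		'before'   => tls_options_before( $ssl_verify ),
		'proposed' => tls_options_proposed( $ssl_verify, $ca_bundle ),
	);
	foreach ( $variants as $label => $options ) {
		$handle  = curl_init(); // no URL is set and no request is made
		$applied = curl_setopt_array( $handle, $options );
		printf( "ssl_verify=%s %-8s applied=%s\n", var_export( $ssl_verify, true ), $label, var_export( $applied, true ) );
		foreach ( $options as $option => $value ) {
			printf( "    %s = %s\n", $names[ $option ], var_export( $value, true ) );
		}
	}
}
```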

