[wp-trac] [WordPress Trac] #34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all

Fri Nov 27 10:42:35 UTC 2015

#34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all
--------------------------+-----------------------------
 Reporter:  FriendlyGreg  |       Owner:  johnbillion
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  Future Release
Component:  HTTP API      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+-----------------------------
Changes (by FriendlyGreg):

 * keywords:  needs-patch reporter-feedback => needs-patch

Comment:

 Yes, I've confirmed that setting {{{CURLOPT_SSL_VERIFYHOST}}} to {{{0}}}
 causes the same behaviour. As I understand it,
 {{{CURLOPT_SSL_VERIFYHOST}}} does not support any values except for 2: the
 docs indicate that support for value 1 was removed in cURL 7.28.1, and
 they make no mention of either 0 or false as an acceptable value. I take
 this to mean that the correct way of setting up curl is not to set
 {{{CURLOPT_SSL_VERIFYHOST}}} at all unless you want the default (and only)
 value of 2.

 In other words, if I understand correctly, it's not that the default
 behaviour for a fresh cURL is for {{{CURLOPT_SSL_VERIFYHOST}}} to be set,
 with a value of 2; it's that the default behaviour for cURL is for
 {{{CURLOPT_SSL_VERIFYHOST}}} to be switched off completely. Only when we
 do set it does its default value of 2 come into play.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34794#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform