[wp-trac] [WordPress Trac] #34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all

WordPress Trac noreply at wordpress.org
Mon Nov 30 03:03:42 UTC 2015


#34794: CURLOPT_SSL_VERIFYHOST should be set to 2 or not be set at all
--------------------------+-----------------------------
 Reporter:  FriendlyGreg  |       Owner:  johnbillion
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  Future Release
Component:  HTTP API      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+-----------------------------

Comment (by rmccue):

 `false` is an acceptable value for this option, and there's
 [https://github.com/php/php-src/blob/250938e2d35fc54161a18167b7901c5e3b574371/ext/curl/tests/bug63363.phpt
 a test that verifies this]. The cURL extension in PHP
 [https://github.com/php/php-src/blob/250938e2d35fc54161a18167b7901c5e3b574371/ext/curl/interface.c#L2022-L2032
 checks only] for `1`/`false`, and other values are passed through to cURL
 directly (as the `long` value).

 From checking the cURL source, I'm not sure the description here matches
 the actual behaviour. As far as I can tell,
 [https://github.com/bagder/curl/blob/4f037367ed69b77e14953fe88d8c0497782c0aab/lib/vtls/darwinssl.c#L1278-L1323
 peer verification] and
 [https://github.com/bagder/curl/blob/4f037367ed69b77e14953fe88d8c0497782c0aab/lib/vtls/darwinssl.c#L1340-L1360
 host verification] are completely separate.

 The
 [https://github.com/bagder/curl/blob/40c349ada92865faadd0de92fa5dc0d50ba67eb3/lib/url.c#L543-L548
 default value] for both peer and host verification is `2` (`true`
 [https://github.com/bagder/curl/blob/40c349ada92865faadd0de92fa5dc0d50ba67eb3/lib/url.c#L2024-L2027
 internally though]), so we do need to disable it if verification is turned
 off.

 Per
 [https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/#//apple_ref/c/econst/errSSLServerAuthCompleted
 Apple's docs], the returned error code just means the certificate was
 ignored, so this looks like it might actually be a cURL issue in the
 DarwinSSL layer.

 What's the exact OSX version (10.10 or 10.11, presumably)? Did you compile
 cURL/PHP yourself, or are you using a pre-built version?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34794#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
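
The following is an added example, not part of the ticket comment and not WordPress or PHP source code. It maps a single verify flag to the two cURL options discussed above and audits an option array for the values the ticket title warns about. The function names are hypothetical, and the PHP cURL extension is assumed to be loaded for the `CURLOPT_*` constants.

```php
<?php
/**
 * Hypothetical helper: map one boolean "verify" flag to cURL options.
 * When verifying, host checking is the integer 2 (libcurl's default),
 * never true, which PHP converts to the long 1.
 */
function tls_verify_options(bool $verify): array
{
    if ($verify) {
        return [
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
        ];
    }
    // Both checks default to on in libcurl, so turning verification off
    // means disabling each one explicitly.
    return [
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ];
}

/** Hypothetical audit: report values that weaken or confuse verification. */
function audit_tls_options(array $opts): array
{
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts)) {
        $host = (int) $opts[CURLOPT_SSL_VERIFYHOST]; // true => 1, false => 0
        if ($host === 1) {
            $findings[] = 'VERIFYHOST is 1/true: use 2 or leave it unset';
        } elseif ($host === 0) {
            $findings[] = 'VERIFYHOST is off: certificate name is not checked';
        }
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts)
        && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'VERIFYPEER is off: certificate chain is not checked';
    }
    return $findings;
}

// Constructed sample configurations.
var_dump(audit_tls_options(tls_verify_options(true)));
var_dump(audit_tls_options([CURLOPT_SSL_VERIFYHOST => true]));
var_dump(audit_tls_options(tls_verify_options(false)));
```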

