[wp-trac] [WordPress Trac] #36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed

WordPress Trac noreply at wordpress.org
Wed Mar 30 07:04:47 UTC 2016

#36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
 Reporter:  reidbusi      |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  HTTP API      |     Version:  4.4.2
 Severity:  major         |  Resolution:  duplicate
 Keywords:                |     Focuses:

Comment (by rmccue):

 Replying to [comment:14 reidbusi]:
 > PHP "streams" should be used before curl. External dependencies are bad,
 > this is an example of why.

 This is not necessarily a broadly-applicable change, unfortunately. The
 streams transport uses PHP's built-in version of OpenSSL that it was
 compiled with, which also has the ability to be broken (in separate and
 only semi-related ways). cURL in addition tends to have better performance
 characteristics and more solid handling of edge cases, as it's a very
 mature project.

 I understand your frustration with this issue, but the problem is nuanced
 and we need to consider the side effects of making a change like this.
 Changing the default from cURL to streams may break unrelated things, and
 may not fix the core issue (TLS negotiation) depending on the PHP install.

 The core issue here appears to be that cURL's TLS negotiation isn't
 behaving as expected, which is why #34924 has been suggested as the fix.
 This is a much smaller change with fewer potential side effects than
 switching the HTTP transport.

 I'm investigating exactly why the TLS negotiation is failing, but please
 bear with us. We don't want WP to be broken any more than you do, but we
 don't want to break other things in the process of fixing this.

Ticket URL: <https://core.trac.wordpress.org/ticket/36320#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
