[wp-trac] [WordPress Trac] #36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
WordPress Trac
noreply at wordpress.org
Wed Mar 30 07:04:47 UTC 2016
#36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
--------------------------+------------------------
Reporter: reidbusi | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: HTTP API | Version: 4.4.2
Severity: major | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by rmccue):

Replying to [comment:14 reidbusi]:
> PHP "streams" should be used before curl. External dependencies are bad,
> this is an example of why.

This is not necessarily a broadly-applicable change, unfortunately. The
streams transport uses PHP's built-in version of OpenSSL that it was
compiled with, which also has the ability to be broken (in separate and
only semi-related ways). cURL in addition tends to have better performance
characteristics and more solid handling of edge cases, as it's a very
mature project.

I understand your frustration with this issue, but the problem is nuanced
and we need to consider the side effects of making a change like this.
Changing the default from cURL to streams may break unrelated things, and
may not fix the core issue (TLS negotiation) depending on the PHP install
configuration.

The core issue here appears to be that cURL's TLS negotiation isn't
behaving as expected, which is why #34924 has been suggested as the fix.
This is a much smaller change with fewer potential side effects than
switching the HTTP transport.

I'm investigating exactly why the TLS negotiation is failing, but please
bear with us. We don't want WP to be broken any more than you do, but we
don't want to break other things in the process of fixing this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36320#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
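
The comment's point that the cURL and streams transports each depend on a different TLS library can be checked on a given PHP install. The script below is an added example, not part of the ticket or of WordPress core; it assumes the requirement at issue is TLS 1.2 support, and the function names `openssl_supports_tls12` and `transport_tls_report` are hypothetical.

```php
<?php
// Added diagnostic (not WordPress core code). Reports which TLS library each
// HTTP transport would rely on in this PHP install.

// Assumption: the capability of interest is TLS 1.2, which OpenSSL gained in
// 1.0.1. Returns null for other backends (NSS, GnuTLS, LibreSSL, ...).
function openssl_supports_tls12($version_string) {
    if (!preg_match('~OpenSSL[/ ](\d+)\.(\d+)\.(\d+)~i', $version_string, $m)) {
        return null; // not OpenSSL, or unparseable
    }
    return version_compare("$m[1].$m[2].$m[3]", '1.0.1', '>=');
}

function transport_tls_report() {
    $report = array();

    // cURL transport: TLS comes from the library libcurl was linked against.
    if (function_exists('curl_version')) {
        $cv = curl_version();
        $report['curl'] = array(
            'library'      => $cv['ssl_version'],
            'tls12'        => openssl_supports_tls12($cv['ssl_version']),
            // Whether this PHP build exposes the constant to request TLS 1.2.
            'php_constant' => defined('CURL_SSLVERSION_TLSv1_2'),
        );
    }

    // Streams transport: TLS comes from the OpenSSL that PHP was compiled with.
    if (extension_loaded('openssl')) {
        $report['streams'] = array(
            'library'       => OPENSSL_VERSION_TEXT,
            'tls12'         => openssl_supports_tls12(OPENSSL_VERSION_TEXT),
            // Whether PHP registers a tlsv1.2:// stream transport.
            'php_transport' => in_array('tlsv1.2', stream_get_transports(), true),
        );
    }
    return $report;
}

foreach (transport_tls_report() as $name => $info) {
    printf("%-8s %s\n", $name, json_encode($info));
}
```

A `null` in the `tls12` field means the backend is not OpenSSL and has to be checked against that library's own release notes.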