[wp-trac] [WordPress Trac] #36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
WordPress Trac
noreply at wordpress.org
Wed Mar 30 17:58:35 UTC 2016
#36320: PayPal 2016 merchant security upgrades - Core defaults need to be changed
--------------------------+------------------------
Reporter: reidbusi | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: HTTP API | Version: 4.4.2
Severity: major | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by reidbusi):
Replying to [comment:23 mikejolley]:
> @reidbusi not using constants is kinda hacky. Our code does check
> CURL_SSLVERSION_TLSv1 is defined before using it. You could set this
> constant to avoid needing to change core.
Hacky or not, it is required on Hostgator shared hosting. I suppose I
could define CURL_SSLVERSION_TLSv1_2 (there would be no point in defining
CURL_SSLVERSION_TLSv1 for us, since our servers cannot negotiate a TLS
connection via cURL). I don't see much point in defining
CURL_SSLVERSION_TLSv1_2 in my plugin to use it three lines later either
(I'd need to check if the define exists too). Thanks for the suggestion
anyway.
Based on this, I guess I will have to publish my plugin for the thousands
of other WooCommerce users on Hostgator shared hosting so that they can
still use PayPal.
I still think the right answer is to re-implement TLS 1.2 in PHP somehow
to remove all external dependencies that we just cannot assume are
present. Nuke it from orbit - it's the only way to be sure.
Or maybe it's time to try to make PayPal do this work; nobody is paying me
to do it. If they want it, they can make it happen. They should at least
know about this huge problem. They have lots of people on staff who are
paid to work on such things. They can contribute to CentOS and get it
done. Or re-implement TLS 1.2 in PHP (or maybe WordPress could include a
Perl module to do it?).
Me, I'm still working on completely unrelated website content for a paying
client...
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36320#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
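
The approach discussed in this comment (guard against a missing CURL_SSLVERSION_TLSv1_2 constant, then force TLS 1.2 on cURL requests without changing core), shown as an added example that is not the commenter's plugin or WordPress core code. The function name and the paypal.com host match are assumptions; `http_api_curl` is the WordPress HTTP API action that passes the cURL handle to plugins.

```php
<?php
/**
 * Added example: hypothetical plugin file, names are illustrative.
 */

// PHP builds compiled against old libcurl headers do not expose this
// constant. libcurl itself defines CURL_SSLVERSION_TLSv1_2 as 6.
if ( ! defined( 'CURL_SSLVERSION_TLSv1_2' ) ) {
    define( 'CURL_SSLVERSION_TLSv1_2', 6 );
}

/**
 * Pin TLS 1.2 for WordPress HTTP API cURL requests to PayPal hosts only.
 *
 * @param resource $handle cURL handle provided by WordPress.
 * @param array    $r      Request arguments (unused here).
 * @param string   $url    Request URL.
 */
function example_force_tls12_for_paypal( $handle, $r, $url ) {
    $host = parse_url( $url, PHP_URL_HOST );
    if ( ! is_string( $host ) ) {
        return;
    }

    // Assumption: limit the override to paypal.com and its subdomains so
    // other outbound requests keep libcurl's default negotiation.
    $host = strtolower( $host );
    if ( 'paypal.com' !== $host && '.paypal.com' !== substr( $host, -11 ) ) {
        return;
    }

    // The TLSv1_2 selector was added in libcurl 7.34.0; older runtime
    // libraries reject the value, so leave their defaults untouched.
    $curl = curl_version();
    if ( version_compare( $curl['version'], '7.34.0', '<' ) ) {
        return;
    }

    curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
}
add_action( 'http_api_curl', 'example_force_tls12_for_paypal', 10, 3 );
```

Pinning the version only selects a protocol; if the TLS library that libcurl is linked against cannot negotiate TLS 1.2, the request fails instead of falling back to an older version.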