[wp-trac] [WordPress Trac] #53024: List https functionality health check failures as critical
WordPress Trac
noreply at wordpress.org
Sat Sep 11 13:03:38 UTC 2021
#53024: List https functionality health check failures as critical
-------------------------------------+---------------------
Reporter: peterwilsoncc | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.9
Component: Site Health | Version: 5.7
Severity: normal | Resolution:
Keywords: needs-patch needs-codex | Focuses: docs
-------------------------------------+---------------------
Comment (by Clorith):
I've been looking at the HTTPS validation used for these checks (for the
first bullet point, of fine tuning the checks). I wonder if we could
change the `wp_is_https_supported()` function to instead do as @ipstenu
suggested in #52783, and make a HTTPS validation check that doesn't rely
on finding output generated by WordPress, but instead just does a SSL cert
check, and validation, on the URL set as your site URL.
This makes even more sense with headless solutions becoming more likely
with recent strides over the last few years, where WordPress doesn't
handle the output at all, and as Mika mentions, if you've got issues
getting to wp-admin, you'll already have had to cross the hurdle to reach
the Site Health checks.
Fetching the certificate it self was fairly straight forward while playing
around, but relied on `stream_*`, and then parsing it using
`openssl_x509_parse`, but I'm not sure how widely available these function
are, or if it is something hosts generally disable (perhaps @JavierCasares
knows a bit more about this from a host perspective?).
I'm thinking if the function may not exist (it comes with the `openssl`
extension, which is recommended but not required) it may be worthwhile to
skip the test as it can't be reliably ran, but this is just thinking out
loud.
There are also libraries available for validating SSL (see for example
[https://github.com/spatie/ssl-certificate/ spatie/ssl-certificate] as the
first result I got when looking into this), but a simple check for "Does
the site have a valid certificate" wouldn't need more than a call which
then verified the certificate that is returned has the site URL it
requested as part of the DNS entries, and that the current time is within
the certificate lifespan, so relying on a third party library here might
not bring a lot of benefit to the project as a whole. It looks like the
Requests library, which we use in core, has some validation functions, but
I've not looked into how flexible they are for this kind of scenario.
If the tests are made platform agnostic, then we might not need to expand
on the documentation than what already exists at
https://wordpress.org/support/article/why-should-i-use-https/ (which is
generalised into more of a "what does HTTPS doe for me" format)
cc @flixos90 for thoughts on the HTTPS validation changes, as the one
spearheading the efforts there originally.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53024#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list