[wp-trac] [WordPress Trac] #53024: List https functionality health check failures as critical
WordPress Trac
noreply at wordpress.org
Sun Sep 12 07:42:45 UTC 2021
#53024: List https functionality health check failures as critical
-------------------------------------+---------------------
Reporter: peterwilsoncc | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.9
Component: Site Health | Version: 5.7
Severity: normal | Resolution:
Keywords: needs-patch needs-codex | Focuses: docs
-------------------------------------+---------------------
Comment (by JavierCasares):
Some time ago I tried to have a site to check the certificates for my
sites. I used this main function (sorry, some parts in Spanish).
{{{#!php
// Connect to $d:$port over TLS, capture the peer certificate chain and return
// it as JSON (each certificate run through openssl_x509_parse), or a JSON
// error entry if the connection or the chain could not be read.
function CertificadoAnalizar($d, $port = 443) {
    $timeout = 1;
    $data = [];
    $almacenar_metadata = [];
    // Verification is deliberately disabled so that self-signed, expired or
    // otherwise invalid certificates are still captured and can be inspected.
    $stream = stream_context_create(array('ssl' => array(
        'capture_peer_cert'       => true,
        'capture_peer_cert_chain' => true,
        'verify_peer'             => false,
        'peer_name'               => $d,
        'verify_peer_name'        => false,
        'allow_self_signed'       => true,
        'SNI_enabled'             => true,
    )));
    $read_stream = stream_socket_client('ssl://'.$d.':'.$port, $errno,
        $errstr, $timeout, STREAM_CLIENT_CONNECT, $stream);
    if ($read_stream === false) {
        $data['error'] = [$errstr];
    } else {
        $context = stream_context_get_params($read_stream);
        $almacenar_metadata = stream_get_meta_data($read_stream);
        $chain_data = isset($context['options']['ssl']['peer_certificate_chain'])
            ? $context['options']['ssl']['peer_certificate_chain'] : null;
        // Make sure the chain exists before counting it, and refuse absurdly long ones.
        if (is_array($chain_data) && count($chain_data) < 10) {
            foreach ($chain_data as $key => $value) {
                $data['chain'][$key] = $value;
            }
        } else {
            $data['error'] = ['La cadena es muy larga.'];
        }
        fclose($read_stream);
    }
    unset($stream, $read_stream, $context, $chain_data);
    $certificatedata = json_encode('');
    $certificate = array();
    if (isset($data['error'])) {
        $certificate['error'] = 1;
        $certificate['errormsg'] = $data['error'];
        $certificate['meta'] = $almacenar_metadata;
        $certificatedata = json_encode($certificate);
    } else {
        $certificate['error'] = 0;
        $certificate['errormsg'] = null;
        $certificate['meta'] = $almacenar_metadata;
        if (!empty($data['chain'])) {
            // Parse every certificate in the chain (leaf first) into its fields.
            $counter = 0;
            foreach ($data['chain'] as $chain_value) {
                $certificate['cadena'][$counter] = openssl_x509_parse($chain_value);
                $counter++;
            }
            $certificatedata = json_encode($certificate);
        } else {
            $certificate['error'] = 1;
            $certificate['errormsg'] = ['Error procesando el certificado.'];
            $certificatedata = json_encode($certificate);
        }
    }
    unset($data, $certificate);
    return $certificatedata;
}
// Example usage: $d is the host name to inspect (sample value).
$d = 'example.com';
$certificado = CertificadoAnalizar($d);
$certificado_data = json_decode($certificado);
}}}
With that you can check if a certificate is valid or not. You can also
configure if it can be self-signed or not and other things.
For me, the test about "can your site use HTTPS?" is:
- check if the 443 port is open
- check if there is a certificate
- what happens if you try to get the site over HTTPS (cannot be done?
redirection?) In this case, sometimes it will be a good thing and other times
a bad thing.
So, 5 possible choices:
- Everything OK: port 443 open, valid public certificate.
- Yes certificate, self-signed: port 443 open, certificate self-signed.
- Yes certificate, expired: port 443 open, certificate expired.
- No certificate: port 443 open, no certificate (valid, invalid or self-signed).
- No TCP HTTPS: port 443 closed.
- Show a list of options, like:
- OK, go on -> ACTUAL BUTTON
- Your certificate is self-signed, so you can change it, but people will
receive a notification in their browser. You should get a publicly validated
certificate. -> DOC
- Your certificate is expired. Please renew it. -> DOC
- Your hosting allows a secure connection but you don't have a
certificate. -> DOC
- Your server does not allow a secure connection, please contact your
hosting provider. -> DOC
Does this make sense?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53024#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
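The five states proposed in the comment, turned into a small classifier as an added example that is not part of the comment or of WordPress core: classifyHttps() and probeHttps() are hypothetical names, the stream context options are the ones used by the function in the comment, and the sample certificate arrays are constructed.

```php
<?php
// Added example: classifyHttps() is pure so it runs on constructed data;
// probeHttps() is a hypothetical network helper for real hosts.
// $tcpOpen: port 443 accepted a TCP connection; $cert: openssl_x509_parse() of the leaf, or null.
function classifyHttps(bool $tcpOpen, ?array $cert, int $now): string {
    if (!$tcpOpen) {
        return 'no_tcp';          // port 443 closed: contact the hosting provider
    }
    if ($cert === null || empty($cert['subject'])) {
        return 'no_certificate';  // handshake failed or nothing was presented
    }
    if (($cert['validTo_time_t'] ?? 0) < $now) {
        return 'expired';         // tested before self-signed: renewal is needed either way
    }
    // issuer and subject are DN arrays; a leaf whose issuer equals its subject is
    // self-signed. Full chain validation (verify_peer => true) is a separate step.
    if (($cert['issuer'] ?? []) == $cert['subject']) {
        return 'self_signed';
    }
    return 'ok';
}
function probeHttps(string $host, int $port = 443, int $timeout = 2): array {
    $tcp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout);
    if ($tcp === false) {
        return [false, null];     // nothing listening on the port
    }
    fclose($tcp);
    $ctx = stream_context_create(['ssl' => [  // tolerate bad certs so we can inspect them
        'capture_peer_cert' => true, 'verify_peer' => false, 'verify_peer_name' => false,
        'allow_self_signed' => true, 'peer_name' => $host, 'SNI_enabled' => true,
    ]]);
    $tls = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($tls === false) {
        return [true, null];      // port open, but no usable certificate
    }
    $cert = stream_context_get_params($tls)['options']['ssl']['peer_certificate'] ?? null;
    fclose($tls);
    return [true, $cert ? (openssl_x509_parse($cert) ?: null) : null];
}
$now = 1700000000; // constructed sample data below stands in for real probe results
$ca  = ['CN' => 'Example Issuing CA'];
$dn  = ['CN' => 'site.example'];
$samples = [
    'public CA'   => [true,  ['subject' => $dn, 'issuer' => $ca, 'validTo_time_t' => $now + 86400]],
    'self-signed' => [true,  ['subject' => $dn, 'issuer' => $dn, 'validTo_time_t' => $now + 86400]],
    'expired'     => [true,  ['subject' => $dn, 'issuer' => $ca, 'validTo_time_t' => $now - 1]],
    'no cert'     => [true,  null],
    'port closed' => [false, null],
];
foreach ($samples as $label => [$tcpOpen, $cert]) {
    printf("%-12s => %s\n", $label, classifyHttps($tcpOpen, $cert, $now));
}
```

Replacing the sample array with `[$tcpOpen, $cert] = probeHttps('your-host');` runs the same classification against a live server.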