WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#33978 closed defect (bug) (fixed)

Don't set CURLOPT_CAINFO if sslverify is false

Reported by: johnbillion
Owned by: johnbillion
Milestone: 4.4
Priority: normal
Severity: normal
Version:
Component: HTTP API
Keywords: has-patch
Focuses:
Cc:
PR Number:

Description

On OS X Yosemite and later, PHP can be compiled with a version of cURL that uses SecureTransport instead of OpenSSL. SecureTransport suffers from a bug whereby passing it a CA bundle but asking it not to verify the server's certificate causes the connection to fail with the following error:

SSL: CA certificate set, but certificate verification is disabled

In this situation, an https request through the HTTP API will fail if sslverify is set to false, because the sslcertificates argument is always populated with core's CA bundle.

This is fixed by not setting the CURLOPT_CAINFO setting when sslverify is false, which makes sense regardless of this bug.

Further reading:

Attachments (1)

33978.patch (2.9 KB) - added by johnbillion 4 years ago.


Change History (5)

@johnbillion
4 years ago

#1 @johnbillion
4 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.4

33978.patch is a patch with a test, although the test has limited use because the bug only affects the particular environment described above.

#2 @wonderboymusic
4 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#3 @johnbillion
4 years ago

In 34638:

Introduce WP_UnitTestCase::assertNotWPError() for when a test needs to assert that something is, well, not a WP_Error.

See #33978

#4 @johnbillion
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34639:

Don't set CURLOPT_CAINFO when sslverify is false when sending HTTP API requests through cURL. This avoids sending redundant information to cURL, and avoids a bug in Apple's SecureTransport library which causes a request to fail when a CA bundle is set but certificate verification is disabled.

This fixes issues with local HTTPS requests (e.g. WP Cron) on OS X where cURL is using SecureTransport instead of OpenSSL.

Fixes #33978
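
The behaviour this ticket settles on, as an added example (it is not 33978.patch and not core's code): the TLS options are built from the HTTP API's sslverify and sslcertificates arguments, and the CA bundle is handed to cURL only when verification is on. The function names and the bundle path are hypothetical, and the sketch assumes PHP with the cURL extension loaded.

```php
<?php
/**
 * Build the TLS-related cURL options for one request.
 *
 * @param array $args Request arguments using the 'sslverify' and
 *                    'sslcertificates' keys named in the ticket.
 * @return array Map of CURLOPT_* constant => value.
 */
function example_tls_curl_options( array $args ) {
	$verify = ! empty( $args['sslverify'] );

	$options = array(
		CURLOPT_SSL_VERIFYPEER => $verify,
		CURLOPT_SSL_VERIFYHOST => $verify ? 2 : 0,
	);

	// Pass a CA bundle only when cURL will actually verify against it.
	if ( $verify && ! empty( $args['sslcertificates'] ) ) {
		$options[ CURLOPT_CAINFO ] = $args['sslcertificates'];
	}

	return $options;
}

/**
 * Detect the combination the ticket describes: CA bundle set, verification off.
 */
function example_has_cainfo_without_verify( array $options ) {
	return isset( $options[ CURLOPT_CAINFO ] ) && empty( $options[ CURLOPT_SSL_VERIFYPEER ] );
}

// Constructed sample input; the bundle path is a placeholder.
$bundle = '/path/to/ca-bundle.crt';

// Option set as it looked before the fix: bundle always populated.
$before = array(
	CURLOPT_SSL_VERIFYPEER => false,
	CURLOPT_SSL_VERIFYHOST => 0,
	CURLOPT_CAINFO         => $bundle,
);
$after_off = example_tls_curl_options( array( 'sslverify' => false, 'sslcertificates' => $bundle ) );
$after_on  = example_tls_curl_options( array( 'sslverify' => true, 'sslcertificates' => $bundle ) );

foreach ( array( 'before' => $before, 'after, sslverify=false' => $after_off, 'after, sslverify=true' => $after_on ) as $label => $options ) {
	printf( "%s: CAINFO without verification = %s\n", $label, var_export( example_has_cainfo_without_verify( $options ), true ) );
}

// Applying the options to a handle; no request is sent here.
$handle = curl_init( 'https://example.test/' );
curl_setopt_array( $handle, $after_off );
```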
