Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#34381 closed defect (bug) (duplicate)

verify_peer_name should be set for stream_context_create()

Reported by: nosilver4u
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: HTTP API
Keywords: needs-patch needs-testing
Focuses:
Cc:

Description

PHP 5.6.0 introduces a new context option for the ssl stream wrapper: verify_peer_name. It should be set to match the value of verify_peer ($ssl_verify), so that disabling cert checking is completely effective. When it is not set, stream_socket_client() will throw a warning when the CN does not match what is found in the certificate.
To replicate, set up a server with https (a self-signed cert is perfect for this case), with a hostname like test.example.com, and set the cert CN to bug.example.com.
Use wp_remote_post() to connect to test.example.com, with sslverify set to false. The connection will fail with "Peer certificate CN=bug.example.com' did not match expected CN=test.example.com".
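The following is an added example, not code from WordPress or from the ticket, showing the behaviour the description reports: on PHP 5.6.0 and later the ssl wrapper's `verify_peer_name` option defaults to true, so a context that only sets `verify_peer => false` still performs the hostname check and fails on a CN mismatch. The helper below ties `verify_peer_name` to `verify_peer`, exposes the resulting options so the setting can be checked before a connection is attempted, and only then opens the socket. `build_ssl_context()`, `context_ssl_options()` and the `$ca_bundle` parameter are names chosen for this example; the hostnames are the ticket's placeholders.

```php
<?php
// Added example (not WordPress code): build an ssl stream context in which
// verify_peer_name follows verify_peer, so that turning verification off is
// complete on PHP >= 5.6 and turning it on enforces both chain and hostname.

/**
 * Build a stream context for an HTTPS connection.
 *
 * @param bool        $ssl_verify Verify the peer certificate (the equivalent of sslverify).
 * @param string|null $ca_bundle  Optional CA bundle path, used only when verifying (assumed name).
 * @return resource
 */
function build_ssl_context($ssl_verify, $ca_bundle = null) {
    $ssl = array(
        'verify_peer'       => $ssl_verify,
        'allow_self_signed' => !$ssl_verify,
    );

    // PHP 5.6.0 added verify_peer_name, defaulting to true. Left at its
    // default while verify_peer is false, the CN/SAN check still runs and
    // stream_socket_client() fails with "did not match expected CN".
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = $ssl_verify;
    }

    if ($ssl_verify && $ca_bundle !== null) {
        $ssl['cafile'] = $ca_bundle;
    }

    return stream_context_create(array('ssl' => $ssl));
}

/**
 * Return the ssl options of a context so callers can confirm what was set.
 *
 * @param resource $context
 * @return array
 */
function context_ssl_options($context) {
    $options = stream_context_get_options($context);
    return isset($options['ssl']) ? $options['ssl'] : array();
}

// Usage: the ticket's scenario, a host whose certificate CN does not match.
// test.example.com is a placeholder from the ticket, not a real server.
$host       = 'test.example.com';
$ssl_verify = false;
$context    = build_ssl_context($ssl_verify);

// Check before connecting: both flags should carry the same value.
$opts = context_ssl_options($context);
printf(
    "verify_peer=%s verify_peer_name=%s\n",
    var_export($opts['verify_peer'], true),
    isset($opts['verify_peer_name']) ? var_export($opts['verify_peer_name'], true) : '(unset, PHP < 5.6)'
);

$errno  = 0;
$errstr = '';
$socket = @stream_socket_client(
    "ssl://{$host}:443",
    $errno,
    $errstr,
    10,
    STREAM_CLIENT_CONNECT,
    $context
);

if ($socket === false) {
    // With verify_peer_name matching verify_peer, a CN mismatch no longer
    // causes this branch when verification is disabled.
    echo "Connection failed ({$errno}): {$errstr}\n";
} else {
    echo 'Connected; certificate verification was ' . ($ssl_verify ? 'enforced' : 'disabled') . "\n";
    fclose($socket);
}
```

With `$ssl_verify = true` the same helper enforces both the chain check and the hostname check, which is the setting to keep for anything other than a deliberate test against a self-signed host.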

Change History (3)

#1 @jeremyfelt
9 years ago

  • Keywords needs-patch needs-testing added
  • Milestone changed from Awaiting Review to Future Release
  • Version trunk deleted

Thanks for the ticket @nosilver4u. At first glance, this seems like something we'll need to account for with PHP 5.6.0 and later. Patch and testing needed.

#2 @rmccue
9 years ago

I'm 90% certain we want to set this to false all the time, as we implement the common-name checking ourselves via WP_HTTP_Streams::verify_ssl_certificate for compatibility reasons (specifically, so that we have this behaviour on <5.6).

#3 @dd32
8 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

This has been fixed in the latest Requests, via #38232.

I'm marking as duplicate, as it's the best option to close this ticket.
