WordPress.org

Make WordPress Core

Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#38232 closed defect (bug) (fixed)

Setting `sslverify` to false still validates the hostname

Reported by: dd32
Owned by: dd32
Milestone: 4.7.1
Priority: normal
Severity: normal
Version:
Component: HTTP API
Keywords:
Focuses:
Cc:

Description

Under 4.5.x, when you set sslverify to false it'd make an HTTPS connection and ignore the validity of the certificate presented.
Under 4.6/4.6.1 it still ignores the validity, but verifies that the SSL matches the domain (i.e. example.com cert would be rejected for an example.net request).

This was fixed upstream in https://github.com/rmccue/Requests/pull/239
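
The behaviour change described above, as an added example that is not part of the ticket and is not code from WordPress or Requests: a simplified Python model of the two separate checks a TLS client applies to a server certificate (chain validity and hostname match). The function names, the `name_check_follows_flag` parameter and the sample certificate are assumptions made for illustration.

```python
# Simplified model of the two checks a TLS client makes on a server certificate.
# Constructed for illustration; not code from WordPress or Requests.

def name_matches(cert_names, host):
    """True if host matches one of the certificate's DNS names.
    A leading '*.' matches exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pattern in cert_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def accept(cert, host, sslverify, name_check_follows_flag):
    """Decide whether the connection proceeds.

    cert: dict with 'chain_valid' (bool) and 'names' (list of DNS names).
    name_check_follows_flag=False models the 4.6/4.6.1 behaviour in the
    ticket: the hostname is still compared when sslverify is false.
    """
    check_chain = sslverify
    check_name = sslverify or not name_check_follows_flag
    if check_chain and not cert["chain_valid"]:
        return False
    if check_name and not name_matches(cert["names"], host):
        return False
    return True


# Constructed sample: an untrusted (e.g. self-signed) certificate for example.com.
CERT = {"chain_valid": False, "names": ["example.com", "*.example.com"]}


def outcomes(host):
    """(4.6-style result, result after the fix) for sslverify=False against CERT."""
    return (accept(CERT, host, False, name_check_follows_flag=False),
            accept(CERT, host, False, name_check_follows_flag=True))


if __name__ == "__main__":
    for h in ("example.com", "www.example.com", "example.net"):
        print(h, outcomes(h))
```

With `sslverify` true, both checks apply in either mode, so the sample certificate is rejected for every host because its chain is not trusted.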

Change History (5)

#1 @dd32
9 months ago

  • Milestone changed from 4.7 to 4.6.2

#2 @dd32
9 months ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 38727:

HTTP: Update Requests to master (0048f3c) which fixes a number of outstanding issues.

Fixes #38070, #37733 by reverting part of [38429] and using the fix in Requests.
Fixes #37992 allowing for connecting to SSL resources on ports other than 443.
Fixes #37991 by not sending default ports in the Host: header.
Fixes #37839 to match and decode Chunked responses correctly.
Fixes #38232 allowing an SSL connection to ignore the hostname of the certificate when verification is disabled.

#3 @dd32
9 months ago

In 38728:

HTTP: Update Requests to master (0048f3c) which fixes a number of outstanding issues.

Merges [38727] to the 4.6 branch.

Fixes #38070, #37733 by reverting part of [38429] and using the fix in Requests.
Fixes #37992 allowing for connecting to SSL resources on ports other than 443.
Fixes #37991 by not sending default ports in the Host: header.
Fixes #37839 to match and decode Chunked responses correctly.
Fixes #38232 allowing an SSL connection to ignore the hostname of the certificate when verification is disabled.

#4 @dd32
9 months ago

Seems #34381 is an earlier incarnation of this, although it affected us in slightly different ways.

#5 @dd32
9 months ago

#34381 was marked as a duplicate.
