Opened 7 years ago
Last modified 4 years ago
#41340 new defect (bug)
fsockopen HTTP Proxy support is broken for HTTPS URLs
Reported by: | flameeyes | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.8 |
Component: | HTTP API | Keywords: | |
Focuses: | | Cc: | |
Description
First of all, a little bit of background on HTTP proxies.
"HTTP proxies" can exist with and without TLS at the proxy level. Both varieties allow you to connect to HTTPS hosts, through the CONNECT method (https://tools.ietf.org/html/rfc7231#section-4.3.6).
This means that there are four different valid combinations of TLS at proxy connection level and TLS at remote host connection level.
WordPress only allows setting a single proxy host (and port), but provides no configuration for whether it should be connected through TLS. The curl code correctly interprets this as using a non-TLS HTTP proxy for both HTTP and HTTPS connections.
fsockopen instead will use the remote host TLS (ssl) option even when opening the connection to the proxy, effectively forcing the same host:port pair to be used both as TLS and not, which does not generally work. This results in these connection errors:
HTTP proxy with no TLS:
- https://api.wordpress.org/ -> tries connecting to proxy with TLS, fails.
- http://api.wordpress.org/ -> works
HTTP proxy with TLS:
- https://api.wordpress.org/ -> (probably? -- haven't tried) works
- http://api.wordpress.org/ -> tries connecting to proxy without TLS, fails.
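
The four combinations described in the ticket, as an added PHP example that is not part of the original report or of WordPress's code. The function names, the `$proxyTls` flag and the `proxy.example:3128` address are assumptions made for illustration; the sketch only plans the connection and opens no sockets.

```php
<?php
// Added illustration; function names are hypothetical, not WordPress APIs.

// Plan the client -> proxy hop independently of the target URL scheme.
// $proxyTls is an assumed setting: the ticket notes WordPress has no such option.
function plan_proxy_request(string $url, string $proxy, bool $proxyTls): array
{
    $parts = parse_url($url);
    $https = ($parts['scheme'] ?? 'http') === 'https';
    $host  = $parts['host'];
    // Transport to the proxy depends only on the proxy, never on the target.
    $firstHop = ($proxyTls ? 'ssl' : 'tcp') . "://{$proxy}";

    if ($https) {
        // HTTPS target: request a tunnel with CONNECT (RFC 7231, section 4.3.6).
        // TLS to the target then runs inside the tunnel, verified against $host.
        $port    = $parts['port'] ?? 443;
        $request = "CONNECT {$host}:{$port} HTTP/1.1\r\nHost: {$host}:{$port}\r\n\r\n";
        return ['first_hop' => $firstHop, 'request' => $request, 'tls_peer_name' => $host];
    }
    // HTTP target: send the absolute URL to the proxy; no inner TLS.
    $authority = $host . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $request   = "GET {$url} HTTP/1.1\r\nHost: {$authority}\r\n\r\n";
    return ['first_hop' => $firstHop, 'request' => $request, 'tls_peer_name' => null];
}

// The behaviour the ticket reports: the first hop follows the target scheme.
function reported_first_hop(string $url, string $proxy): string
{
    $https = parse_url($url, PHP_URL_SCHEME) === 'https';
    return ($https ? 'ssl' : 'tcp') . "://{$proxy}";
}

// Constructed sample: proxy.example:3128 is a placeholder proxy address.
foreach ([false, true] as $proxyTls) {
    foreach (['https://api.wordpress.org/', 'http://api.wordpress.org/'] as $url) {
        $plan = plan_proxy_request($url, 'proxy.example:3128', $proxyTls);
        $seen = reported_first_hop($url, 'proxy.example:3128');
        printf("proxy TLS=%-3s %-27s expected %-24s reported %-24s %s\n",
            $proxyTls ? 'yes' : 'no', $url, $plan['first_hop'], $seen,
            $plan['first_hop'] === $seen ? 'ok' : 'MISMATCH');
    }
}
```

The two MISMATCH rows correspond to the two failing cases listed in the report.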