Make WordPress Core

Opened 5 months ago

Closed 4 months ago

#47957 closed enhancement (fixed)

Don't verify SSL certificate for loopback test

Reported by: ocean90 Owned by: ocean90
Milestone: 5.3 Priority: normal
Severity: normal Version: 5.2
Component: Site Health Keywords: has-patch commit
Focuses: Cc:
PR Number:


If a site uses a self-signed certificate the loopback test will report an error. Since spawn_cron() doesn't verify the certificate the test shouldn't either to replicate core's behaviour.

Attachments (4)

47957.diff (886 bytes) - added by ocean90 5 months ago.
47957.2.diff (1.5 KB) - added by ocean90 5 months ago.
Disable sslverify for get_test_rest_availability()
47957.3.diff (2.4 KB) - added by ocean90 5 months ago.
Disable sslverify for test_wp_version_check_attached()
47957.patch (3.7 KB) - added by Clorith 4 months ago.

Download all attachments as: .zip

Change History (8)

5 months ago

5 months ago

Disable sslverify for get_test_rest_availability()

5 months ago

Disable sslverify for test_wp_version_check_attached()

#1 @Clorith
5 months ago

Hmm, we definitely need a more reliable solution overall. The reason the Site Health check does it this way is because it was copied from how the plugin/theme editors do them (this was the basis for creating the test, as a lot of users had issues saving after the changes to t hem were implemented, all due to loopback failures).

There's now 3 places (likely to be more) that do loopbacks, so having a fixed loopback function is probably a more sustainable approach?

I'm thinking along the lines of function loopback( $target_url ) { return $WP_Http } which all the places that do loopbacks can use, and by returning the WP_Http object those places can then check whatever they need, if that is the content body, headers etc.

This would also be handy for #47954 which looks to do loopback calls to verify URLs are reachable before breaking a users access to their site.

4 months ago

#2 @Clorith
4 months ago

  • Keywords commit added

47957.patch includes the recommendations from 47957.3.diff, but also implements them for the theme/plugin editors so that it's consistent in all the places that currently do loopbacks.

Let's get this ticket fixed for now, as it's a simple fix, and we can keep looking into the deeper needs depending on the needs of #47954.

#3 @ocean90
4 months ago

In 46230:

File Editor: Don't verify SSL certificate when doing loopback requests for checking for fatal errors.

Props Clorith.
See #47957.

#4 @ocean90
4 months ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 46231:

Site Health: Don't verify SSL certificate when testing the local site.

The SSL certificate may be self-signed which prevents various tests from returning proper results. Since the Cron API and file editors don't verify the certificate the tests shouldn't either.

Props Clorith, ocean90.
Fixes #47957.

Note: See TracTickets for help on using tickets.