Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#47957 closed enhancement (fixed)

Don't verify SSL certificate for loopback test

Reported by: ocean90's profile ocean90 Owned by: ocean90's profile ocean90
Milestone: 5.3 Priority: normal
Severity: normal Version: 5.2
Component: Site Health Keywords: has-patch commit
Focuses: Cc:

Description

If a site uses a self-signed certificate the loopback test will report an error. Since spawn_cron() doesn't verify the certificate the test shouldn't either to replicate core's behaviour.

Attachments (4)

47957.diff (886 bytes) - added by ocean90 5 years ago.
47957.2.diff (1.5 KB) - added by ocean90 5 years ago.
Disable sslverify for get_test_rest_availability()
47957.3.diff (2.4 KB) - added by ocean90 5 years ago.
Disable sslverify for test_wp_version_check_attached()
47957.patch (3.7 KB) - added by Clorith 5 years ago.

Download all attachments as: .zip

Change History (9)

@ocean90
5 years ago

@ocean90
5 years ago

Disable sslverify for get_test_rest_availability()

@ocean90
5 years ago

Disable sslverify for test_wp_version_check_attached()

#1 @Clorith
5 years ago

Hmm, we definitely need a more reliable solution overall. The reason the Site Health check does it this way is because it was copied from how the plugin/theme editors do them (this was the basis for creating the test, as a lot of users had issues saving after the changes to t hem were implemented, all due to loopback failures).

There's now 3 places (likely to be more) that do loopbacks, so having a fixed loopback function is probably a more sustainable approach?

I'm thinking along the lines of function loopback( $target_url ) { return $WP_Http } which all the places that do loopbacks can use, and by returning the WP_Http object those places can then check whatever they need, if that is the content body, headers etc.

This would also be handy for #47954 which looks to do loopback calls to verify URLs are reachable before breaking a users access to their site.

@Clorith
5 years ago

#2 @Clorith
5 years ago

  • Keywords commit added

47957.patch includes the recommendations from 47957.3.diff, but also implements them for the theme/plugin editors so that it's consistent in all the places that currently do loopbacks.

Let's get this ticket fixed for now, as it's a simple fix, and we can keep looking into the deeper needs depending on the needs of #47954.

#3 @ocean90
5 years ago

In 46230:

File Editor: Don't verify SSL certificate when doing loopback requests for checking for fatal errors.

Props Clorith.
See #47957.

#4 @ocean90
5 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 46231:

Site Health: Don't verify SSL certificate when testing the local site.

The SSL certificate may be self-signed which prevents various tests from returning proper results. Since the Cron API and file editors don't verify the certificate the tests shouldn't either.

Props Clorith, ocean90.
Fixes #47957.

#5 @SergeyBiryukov
5 years ago

In 47896:

File Editor: Don't verify SSL certificate when doing loopback requests for checking for fatal errors.

Previously, verification was disabled for the loopback request to the admin URL, but not to the home URL.

Follow-up to [46230].

Props munyagu.
Fixes #50309. See #47957.

Note: See TracTickets for help on using tickets.