Make WordPress Core

Opened 2 years ago

Closed 16 months ago

Last modified 16 months ago

#54803 closed defect (bug) (fixed)

https_ssl_verify filter should be documented as accepting string values too

Reported by: chesio's profile chesio Owned by: johnbillion's profile johnbillion
Milestone: 6.2 Priority: normal
Severity: normal Version: 4.6
Component: HTTP API Keywords: has-patch
Focuses: docs Cc:


The https_ssl_verify filter is currently documented to expect and return a boolean value: whether to verify the SSL connection.

In context of WP_Http::request() call, it can be however handled a string value (path to SSL certificate bundle) too: it gets value of sslcertificates argument whenever sslverify argument is true. See lines 355, 359 and 376.

It seems this is a regression introduced in [37428] where Requests library replaced custom implementation.

Sidenote: The same would apply to the "sibling" https_local_ssl_verify filter, but this filter is currently not executed in context of WP_Http::request() call - this seem to be a bug, see #51767.

Change History (5)

This ticket was mentioned in PR #3837 on WordPress/wordpress-develop by @mcaskill.

17 months ago

  • Keywords has-patch added

The `https_ssl_verify` and `https_local_ssl_verify` filters are currently documented to expect and return a boolean value (whether to verify the SSL connection) and to expect a request URL.

However a string value (path to SSL certificate bundle) is often provided and when a boolean is provided, it is often false instead of true.

Furthermore, the request URL is often omitted.

See `WP_Site_Health::get_test_rest_availability()` for an example.

Trac ticket:

#2 @mcaskill
17 months ago

I've recently stumbled upon this issue and I've provided a pull request to fix the documentation.

#3 @johnbillion
16 months ago

  • Milestone changed from Awaiting Review to 6.2
  • Owner set to johnbillion
  • Status changed from new to accepted

#4 @johnbillion
16 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 55063:

HTTP API: Correct the documentation for the https_ssl_verify and https_local_ssl_verify filters.

The value for both these filters can also contain a string path to a CA file used to authenticate the identity of the remote server.

Props chesio, mcaskill

Fixes #54803

Note: See TracTickets for help on using tickets.