About cURL and CVE-2014-3566 aka POODLE.

  • Resolved o6asan

    (@o6asan)


    My web server is at home.

    I did a workaround for CVE-2014-3566 on it. After that, I suddenly got worried about cURL on WordPress because I read about the SSLv3 fallback attack POODLE.

    I want to take a proactive approach by setting the option curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

    Which file should I add the option to? Where in the file do I insert it? How can I check that the option works well?

    Thanks in advance.

  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Can you talk to your hosting providers about this?

    Thread Starter o6asan

    (@o6asan)

    As I wrote, my server is at home. So I think I have no hosting provider. What is the hosting provider you mentioned? Do you mean access providers?

    My server environment:
    Windows7HP+SP1(x86)
    httpd-2.4.10-win32-VC11.zip from Apache Lounge
    php-5.6.2-Win32-VC11-x86.zip from PHP.net
    mariadb-10.0.14-win32.zip from MariaDB.ORG

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    This is so not a WordPress topic. 😉

    My web server is at home.

    On the server side you need to disable SSLv3. That’s all, and refer to your WAMP documentation for how to do that.

    Also: you’re running SSL on WAMP?

    Thread Starter o6asan

    (@o6asan)

    Thanks!

    On the server side you need to disable SSLv3.
    you’re running SSL on WAMP?

    For both, I say yes.

    WordPress uses SSL via cURL in the file class-http.php in the directory wp-includes. Don’t I need CURL_SSLVERSION_TLSv1 there?

    Thread Starter o6asan

    (@o6asan)

    I’ve got the result that my cURL exactly uses TLSv1.2 by %{SSL_PROTOCOL} in the Apache log.

    Now I completely understand I don’t need CURL_SSLVERSION_TLSv1 in the file class-http.php. If the SSL server has appropriate configurations, clients can access it safely if their software components have the abilities required.

    Thanks!!
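
The check described in the last reply, reading the negotiated protocol out of the Apache log, can be scripted. This is an added example, not part of the original thread: it assumes the log was written with the format from mod_ssl's documented `ssl_request_log` example, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (mod_ssl's documented ssl_request_log example):
#   CustomLog logs/ssl_request_log \
#       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)

# Protocol versions that should no longer be negotiated after the
# CVE-2014-3566 workaround (SSLv3 disabled on the server).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed sample: a WordPress loopback request made through cURL,
# two browser-style clients, and one line that does not match the format.
SAMPLE_LOG = """\
[20/Oct/2014:10:01:02 +0900] 127.0.0.1 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /wp-cron.php?doing_wp_cron HTTP/1.0" -
[20/Oct/2014:10:03:10 +0900] 192.0.2.10 TLSv1 AES128-SHA "GET / HTTP/1.1" 5120
[20/Oct/2014:10:04:55 +0900] 192.0.2.77 SSLv3 DES-CBC3-SHA "GET /wp-login.php HTTP/1.1" 2048
this line is not in the expected format
[20/Oct/2014:10:05:01 +0900] 192.0.2.77 SSLv3 DES-CBC3-SHA "GET / HTTP/1.1" 5120
"""

def summarize(log_text):
    """Return (protocol counts, {client: [requests over weak protocols]}, skipped)."""
    counts = Counter()
    weak_clients = defaultdict(list)
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1          # unparsable line: report it, do not guess
            continue
        proto = match["proto"]    # "-" is logged when the request was not over SSL/TLS
        counts[proto] += 1
        if proto in WEAK_PROTOCOLS:
            weak_clients[match["client"]].append(match["request"])
    return counts, dict(weak_clients), skipped

if __name__ == "__main__":
    counts, weak, skipped = summarize(SAMPLE_LOG)
    print("protocols:", dict(counts))
    print("clients still negotiating SSLv2/SSLv3:", weak)
    print("unparsed lines:", skipped)
```

Once SSLv3 is disabled on the server, the weak-protocol report should stay empty, and the loopback entry shows which version the local cURL build negotiates.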
