Why set CURLOPT_SSL_VERIFYPEER to false? | WordPress.org

Jan Reilink
(@janr)

7 years, 3 months ago

Why is CURLOPT_SSL_VERIFYPEER set to false by default? This is very bad practice, server admins have to fix their PHP configuration instead. Please correct this, and see https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/ for more information.

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Support mbrsolution
(@mbrsolution)

7 years, 3 months ago

Hi, the plugin developers will investigate further your question.

Thank you

Plugin Author mra13
(@mra13)

7 years, 3 months ago

By default, the plugin uses the values that will work on MOST sites. It is really hard to set values that will fail on a lot of sites then try to teach each individual site owners that they should fix their system configuration (which most of them don’t understand).

What we can do is add a parameter in the shortcode so you can control that field’s value using the shortcode (or a settings option).

Thread Starter Jan Reilink
(@janr)

7 years, 3 months ago

Hi @mra13, thank you for your reply and the best wishes for 2017.

First of all, I certainly don’t want to dictate about what you should and shouldn’t do. But why implementing your own cURL functions instead of the WP HTTP API functions? WordPress ships a valid root certificates file since version 3.7 (source: http://wordpress.stackexchange.com/a/167947/27620 by Otto Wood).

And by setting CURLOPT_SSL_VERIFYPEER => false you are basically breaking the trust SSL / TLS provides.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Why set CURLOPT_SSL_VERIFYPEER to false?’ is closed to new replies.

Tags

In: Plugins
3 replies
3 participants
Last reply from: Jan Reilink
Last activity: 7 years, 3 months ago
Status: not resolved