What is the relationship between cURL, WordPress and cacert.pem?

HTTPS isn’t all about encryption alone. SSL also uses a process known as certificate verification to prevent host forgery. This is a multi-layered process, but here’s the quick overview:

There exist in the world a number of Certificate Authorities (CAs). When you get a certificate for your domain name to allow it to do SSL, generally you buy it from one of these CAs. They digitally “sign” the certificate, verifying that they’ve checked it or what have you.

Every web browser comes with a list of CAs (and their cryptographic signature) that that browser trusts. Thus, when you go to an HTTPS URL, the server presents its signed certificate. Your browser performs an operation to verify the signature against the CAs it knows about. If it knows it, and the domains match, then it assumes the domain is valid and it trusts that site. Generally this means it displays the trusted icon or something. If it doesn’t match, then it usually presents the viewer with a box saying that it can’t verify the certificate and that the user should proceed with caution.

Now, curl is a web browser too. It also verifies certificates in the exact same way. However, curl is a program installed on your web server, and it’s probably not up-to-date on all the latest and greatest CAs and revocation lists and such. So when it checks the signature, the check fails because it doesn’t know the relevant CAs.

The fix for this that you’re thinking about involves getting the newest cacert.pem file (the CA certificates list) and then telling the curl library where that file is and to use it. This would work fine, if you have the cacert.pem file and you put your code into the wp-config.php file. Every once in a while you may have to update the cacert.pem file to the latest version.

The other alternative is to tell curl to ignore the verification phase and to just use SSL for encryption. This works well, but means that you’d potentially be vulnerable to a specialized kind of attack, but what they could do depends on what you’re using the remote get for. To do this, you can add the sslverify argument to the wp_remote_get call, like so:

wp_remote_get('https://whatever',array('sslverify'=>false));

Edit to avoid a new “answer”, as my reputation is null and I cannot comment – MeanderingCode:

In answer to MikeSchinkel’s comment/question: The absence of verifying that the signature on the certificate is from a “trusted” Certificate Authority means that anyone could have created the certificate in order to initiate the encrypted HTTP session, and potentially there is a Man-In-The-Middle, decrypting your traffic, reading or altering it, re-encrypting it, and sending it along in their own session with your intended destination. Potentially, sensitive information is traveling over the connection; most commonly, authentication credentials. A MITM would see in plaintext any information sent over the link, and then have your credentials and any other information that was sent either direction.

Related Posts:

  1. what is a auth_user_file.txt?
  2. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  3. How to view PHP on live site
  4. Is moving wp-config outside the web root really beneficial?
  5. Hide the fact a site is using WordPress?
  6. Verifying that I have fully removed a WordPress hack?
  7. WordPress 4.7.1 REST API still exposing users
  8. Can I Prevent Enumeration of Usernames?
  9. Best way to eliminate xmlrpc.php?
  10. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  11. Should I remove install.php and install-helper.php?
  12. Are Nonces Useless?
  13. What is the difference between esc_html filter vs attribute_escape filter?
  14. How do I technically prove that WordPress is secure?
  15. Which KSES should be used and when?
  16. How do WordPress Nonces Work?
  17. Is WordPress vulnerable to the httpoxy?
  18. How can I easily verify a core or plugin update has not broken anything?
  19. Disable comment windows for all existing posts (pages/blogposts)
  20. Generate WordPress salt
  21. Vanilla WordPress install, what can/should I put in disable_functions?
  22. Stop wordpress automatically escaping $_POST data
  23. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  24. Secure my “add_settings_field” translation?
  25. how can i embed wordpress backend in iframe
  26. Handling nonces for actions from guests to logged-in users
  27. How to properly sanitize/secure a WP Query coming from the front end
  28. WordPress Logout Only If User Click Logout or If User Delete Browser History
  29. Can I force a password change?
  30. How brute-forcer knows that the password is cracked for target username?
  31. wp_insert_post disable HTML filter
  32. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  33. Completely remove the author url
  34. Restricting access to content
  35. About WordPress site security
  36. Relative security of different releases of WordPress
  37. Is there any point setting the keys and salts in wp-config.php?
  38. Where to store OAuth 2.0 client id and secret?
  39. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  40. Using HTACCESS for Secret Access
  41. Definitive wordpress directory ownership and permissions on linux
  42. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  43. Changing Table Prefixes – once done, am I good to go going forward?
  44. wordpress website host price and security [closed]
  45. Are there security risks in working directly in the themes folder that builds into a theme folder?
  46. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  47. Secure WordPress: Change admin
  48. Changing the default header name
  49. how much information can we hide when using wordpress cms?
  50. Is it safe to use a global wp nonce per user instead of a nonce per action?
  51. Wordfence detects change in wp-admin/includes/upgrade.php
  52. Basic password protection without using users and roles
  53. System setting changed by system user
  54. Any any insecure http:// URLs left in wordpress?
  55. Does meta-data need to be sanitized?
  56. Will there be security updates for WordPress 4.9.9
  57. White screen of death on admin pages after moving wp-config up two levels for security
  58. Any known bugs that could cause disappearance of the wp_users table?
  59. On new server, site got hacked, permissions a bit strange? Please help
  60. 404/500 error on content images if Referer header is from another domain [closed]
  61. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  62. Restrict Access without Creating Users
  63. Switching between security plugins is a risk?
  64. How to obfuscate wp-config.php or code
  65. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  66. How to prevent to direct access of my custom plugin folder/files
  67. Checking for origin of a xmlrpc request
  68. RESTRICT EDIT of PHP files?
  69. wp-content – permissions for files/folders created by apache
  70. How can I restrict access to specific parts of a page, not just the page itself?
  71. User generated content and security
  72. Are major WordPress updates mandatory for security?
  73. i moved wp-config.php outside of public html and this broke my website
  74. Monitor wordpress all external calls
  75. Is it safe to use the basic administration with reduced rights for private member space
  76. Securing WordPress running on Azure platform
  77. Verifying that I have fully removed a WordPress hack?
  78. Spam Registrations
  79. How can I have more confidence that WP plugins aren’t getting and storing user data?
  80. Standard Method for Securing a WordPress Site
  81. wordpress security (only one part of the site)
  82. wp-config.php moved above root results in no plugin updates
  83. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  84. Any way to disable /wp-login.php redirecting to the site folder?
  85. Folder Permissions + Security Concerns
  86. Malware/Permission bug removal?
  87. Could a user account with a stolen password compromised entire WP site?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Run a security scan on WordPress site that has .htaccess password [closed]
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. How do you search for backdoors from the previous IT person?
  96. Possible to change email address in keypair?
  97. SSH keypair generation: RSA or DSA?
  98. Why is SSH password authentication a security risk?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH

Leave a Comment