[wp-hackers] securing API calls from a plugin with ssl

msacks ntwrkd at gmail.com
Wed Jun 29 00:43:53 UTC 2011


OAuth is the way to go then?

On Tue, Jun 28, 2011 at 4:14 PM, Michael D Adams <mda at blogwaffe.com> wrote:
> On Tue, Jun 28, 2011 at 3:32 PM, msacks <ntwrkd at gmail.com> wrote:
>> Hi List,
>> I am wondering if there is a recommended way to secure an outbound API call
>> one of my plugins needs to make using SSL?
>>
>> Will this create any extra dependencies on my users installing the plugin?
>> If so, what?
>
> Making outgoing SSL requests on random hosts is a huge pain :)  It
> works almost everywhere, but spectacularly fails on some (bad) hosts.
>
> WordPress 3.2 (currently in RC3, with the real release coming soon)
> reduces the pain significantly with the wp_http_supports() function
> [1].  With it, you can tell if the host can *probably* make outgoing
> SSL requests.  It's up to you to decide if you should continue over
> HTTP if there's no support.
>
> That function won't help detect the case where the host has all the
> right software in place (openSSL, etc.) but has no certificate
> authority file on hand to verify the SSL certificate of the host
> you're connecting to.  You'll have to trap those errors manually by
> examining the WP_Error objects that get returned by wp_remote_*().  If
> you see those errors, it's up to you to decide if you should resend
> the request with sslverify set to false.
>
> Mike
> --mdawaffe
>
> [1] http://core.trac.wordpress.org/ticket/17251#comment:10
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>


More information about the wp-hackers mailing list