I can't upgrade plugins and themes

Thanks NikkiCasa – so this code is itself a “plug-in”, or needs to be added to plug-ins, or ???

Also, this only addresses the plug-in issue… and not themes of WP core files…???

Hi klynam

The code needs to be added to each individual plugin that requires updating using the ‘edit’ feature in each. Save the change and then go to installed plugins page and click activate/update the newly created plugin, “SKIP SSL VERIFY’ for each plugin to update.

I wasn’t able to update themes with this code or add new plugins. I’m not sure how to do it or whether it can be done to themes/adding new plugins.

Hope this makes sense

yep makes sense – thanks for the workaround (which will hopefully NOT be interpreted by the WP / Yahoo! community as reason to disregard your escalation request!)

The code needs to be added to each individual plugin that requires updating using the ‘edit’ feature in each.

That is incorrect. The above code is a plugin by itself, and you only need it on the site one time, not in each individual plugin.

That said, it is highly recommended to NOT run that code, as doing so bypasses a critical security check. If you run that code, your site will become vulnerable to man-in-the-middle attacks. SSL certificate verification is an important security step, and disabling it like this is not recommended.

Otto-

If I install the Skip SSL Verify plugin, update my stalled plugins, then promptly deactivate or uninstall the Skip SSL Verify plugin, will that reduce or eliminate the man-in-the-middle attack danger you are concerned about? If it matters to your answer, all the plugins I am running are pretty mainstream, with very large subscriber bases, not new or fringy.

Alan

Yahoo is definitely aware of the problem, which they have posted on their system status report as of 9/7

Open System Status Messages

Date

System Status Message
09/07/15

09:05 AM PST: Intermittent error upgrading WordPress to version 4.3 and/or updating WordPress plugins

Some customers have reported receiving errors when upgrading WordPress to version 4.3 or updating WordPress plugins. We are investigating this issue and will provide updates as they become available.

https://www.ysmallbizstatus.com/status/archives/16093

thanks for the Yahoo! status update alan.yatvin ??

This is not just a problem on Yahoo hosting. I am seeing the very same issue on a Lunarpages site. I do not have information to verify which versions of curl or OpenSSL.

Mine is a fresh installation of version 4.3 on a linux system.

SFLeBrun-

My problem (on two completely separate Yahoo hosted blogs) also coincided with update to 4.3 in August. Immediately prior to that update of WordPress, I updated several plugins, then updated WordPress from 4.2 to 4.3. Same process on both blogs. The blogs are about 2 years old, and updates of all plugins and WordPress were done religiously and always through the dashboard update page or the plugins page.

However, Otto, who is certainly far more knowledgeable, insists that it is not a WordPress issue, but a Yahoo SSL update problem. Apparently the timing of the plugin update failure occurring right after the 4.3 update is coincidental.

At this point, I’m just waiting to see what Yahoo comes back with.

Alan

Apparently the timing of the plugin update failure occurring right after the 4.3 update is coincidental.

The thing is, we’ve been seeing this particular error here in the forums for many months. It’s somewhat off and on, I grant you, but it’s always Yahoo hosting. Same exact error message.

The error message basically means that whatever SSL library is being used is too old. It’s saying that it does not understand SSL certificates which are signed with “sha256WithRSAEncryption”.

The www.remarpro.com SSL certificate is just such a certificate, as are all modern ones, really. So, because the old library you’re using can’t understand the signing mechanism, it can’t verify the certificate. Turning off the verification, as per above, allows the process to continue regardless, but signature checking is a security step. One you probably should not bypass.

Methods like the above will get you up and working again, but it’s a workaround, not a fix. The fix is simply to upgrade the underlying software on the server. But unless you’re an admin on the server, that’s not possible for you to do.

Although not specific to the thread at hand, it does highlight some ongoing changes at Yahoo that may be impacting WordPress users on Yahoo.

For those with Yahoo Small Business webhosting, as you may or may not be aware Yahoo is spinning off their webhosting business in the 4th quarter of this year. The new company will be “Luminate”. I sent an email at the end of August because of other issues that I had with Yahoo policies and support. The answer is submitted below. My takeaway is that support for WordPress (or lack there of) will not change right away, if ever. They really failed to adequately answer my questions or concerns.
————————————————-

[email protected]
Today at 12:56 PM

To: MVGSWebmaster

Thank you for contacting the Yahoo Small Business team. We are excited to become Luminate, from Aabaco Small Business, and are happy to answer your questions regarding this topic.

Our products and services will either remain the same or see improvements. While we cannot provide a preview at this time, we will be communicating any future changes or improvements as they occur.

We have noted your request regarding WordPress. Please feel free to send any other improvement requests and we will forward them to our Product team.

We look forward to a bright future together.

-The Yahoo Small Business Team

On Monday, August 31, 2015 9:59 AM, MVGSWebmaster wrote:

Yahoo webhosting currently denies/hides access to the WordPress “htaccess” location/file. Will Luminate change or keep this policy after the spinoff?

What enhanced tools/administration capability can one expect? Will they be at least equal to or better than CPanel capabilities of webhosts like “Bluehost”?

Is there a “preview” available?

I am currently using the Skip SSL Verify plugin workaround solution. Lunarpages, my hosting company, did confirm that I am on of their servers running CentOS 4 which has the older OpenSSL Library. The plan to fix the problem is to move my account to a server that is running the current version of CentOS with the up to date OpenSSL Library.

Since my WordPress site is personal and contains no critical data, I can live with the security hole until my account get moved.

Otto-

With all the traffic, you may have missed this one, so I am running it up the flagpole again:

If I install the Skip SSL Verify plugin, update my stalled plugins, then promptly deactivate or uninstall the Skip SSL Verify plugin, will that reduce or eliminate the man-in-the-middle attack danger you are concerned about? If it matters to your answer, all the plugins I am running are pretty mainstream, with very large subscriber bases, not new or fringy.

Alan

will that reduce or eliminate the man-in-the-middle attack danger you are concerned about

No, not really. Admittedly, a man-in-the-middle attack is probably unlikely, but it is possible if you’re not doing certificate verification.

Whether you leave the plugin enabled or not makes no difference. Skipping the cert check is itself the problem.

I’m having this issue as well. I’m also on Lunarpages. Contacting them now.