• You are using both curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); for curl and 'sslverify' => false for WP_Http. Both allow for man-in-the-middle attacks.

    On correctly configured web servers, the peer should verify without problems. But since not all webservers are okay, please consider using CURLOPT_CAINFO instead. This allows you to connect and communicate without breaking verification.

  • Plugin Author smashballoon

    (@smashballoon)

    Hi JxsDotNL,

    Thanks so much for your feedback, I really appreciate it. We have had to deal with a lot of server issues over the past 3 years with users on all sorts of different servers with different configurations, and adding these settings was the only way that we were able to reliably resolve the issues for everyone. I'd definitely like to make the plugin as secure as possible though, but need to make sure I don't break the plugin for a lot of users. As my knowledge of cURL is not very deep, I'd like to ask you a couple of questions if that's OK?

    When using CURLOPT_CAINFO, would each user need to set the path to their own SSL certificate on their server in the cURL setting, like so?

    curl_setopt($ch,CURLOPT_CAINFO,'https://site.com/path/ca-bundle.crt');

    Or would I need to include a certificate within our plugin? I’ve read that there’s often issues with older certificates becoming invalid and so needing to update them regularly. In which case, I could potentially link to an external certificate such as this one?

    curl_setopt($ch,CURLOPT_CAINFO,'https://curl.haxx.se/ca/cacert.pem');

    I'm guessing that could cause connection issues if that resource ever changed or went down.

    Do you have any suggestions or insight into this at all?

    Many thanks again for your feedback!

    John

    Thread Starter JxsDotNL

    (@jxsdotnl)

    Hi John,

    You include the cacert.pem or ca-bundle.crt file with your plugin. Next, you let cURL look for this file locally:

    curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__).'/cacert.pem');

    Or you can use the one that is included in WP's distribution:

    curl_setopt($ch, CURLOPT_CAINFO, ABSPATH.'wp-includes/certificates/ca-bundle.crt');

    Please be aware that older versions of WP may lack this file. You could use WP's bundle by default and use your own as a plan B.

    Good luck!

    JxsDotNL
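    An added example (written for this thread, not code from the plugin or from either poster) of the "WP bundle by default, plugin copy as plan B" approach applied to both cURL and WP_Http with peer verification left on. The function names are hypothetical; `sslcertificates` is the WP_Http request argument that selects the CA bundle file.

```php
<?php
// Pick a CA bundle: WordPress's own copy first, the plugin's shipped copy as plan B.
// Returns a local file path (CURLOPT_CAINFO takes a path, not a URL) or false.
function sb_example_ca_bundle_path() {
    $candidates = array();
    if ( defined( 'ABSPATH' ) ) {
        // Bundle shipped with WordPress; ABSPATH already ends in a slash.
        $candidates[] = ABSPATH . 'wp-includes/certificates/ca-bundle.crt';
    }
    // Plugin's own cacert.pem next to this file (hypothetical location).
    $candidates[] = dirname( __FILE__ ) . '/cacert.pem';

    foreach ( $candidates as $path ) {
        if ( is_readable( $path ) ) {
            return $path;
        }
    }
    return false; // nothing found: fall back to the client's built-in defaults, still verifying
}

// cURL path: verification stays enabled; only the trust store is pointed at a known bundle.
function sb_example_fetch_with_curl( $url ) {
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true ); // never false
    curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2 );    // also check the certificate's hostname
    $bundle = sb_example_ca_bundle_path();
    if ( $bundle ) {
        curl_setopt( $ch, CURLOPT_CAINFO, $bundle );
    }
    $body = curl_exec( $ch );
    if ( false === $body ) {
        $err = curl_error( $ch ); // surfaces verification failures instead of hiding them
        curl_close( $ch );
        return new WP_Error( 'curl_error', $err );
    }
    curl_close( $ch );
    return $body;
}

// WP_Http path: same idea, using the HTTP API's own arguments.
function sb_example_fetch_with_wp_http( $url ) {
    $args = array( 'sslverify' => true );
    $bundle = sb_example_ca_bundle_path();
    if ( $bundle ) {
        $args['sslcertificates'] = $bundle;
    }
    return wp_remote_get( $url, $args );
}
```

    A verification failure now shows up as a WP_Error or a cURL error message, which is what a site owner needs to see to fix their server, rather than a silently unverified connection.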

    Plugin Author smashballoon

    (@smashballoon)

    Hey JxsDotNL,

    Thanks so much for this information, it's really helpful! I'll do some testing and hopefully I can include this within the next update or two.

    Thanks again!

    John

  • The topic ‘SSL Security’ is closed to new replies.