For all the reasons that Joseph Scott described, you really want to access WordPress AtomPub service documents using SSL/TLS. Unfortunately, if you look closely at the current APE report, you will see both https and authentication warnings.
The reason for this is that even if the service document itself is obtained using a secure connection, with WordPress 2.3, the document itself provides non-SSL/TLS URIs for collections and category documents. The net effect of this is that the important parts of the conversation are not secured — among other things, this means that your password is passed only lightly encoded.
Ticket 5298 and this patch address this problem. Once that patch is committed to SVN, the warning will disappear from this page on the next hourly run.
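The kind of check that produces such a warning can be sketched as follows. This is an added example, not code from APE or WordPress: the host name, paths, sample document and function names are constructed for illustration, and xml:base is not handled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample: a service document fetched over https that still
# advertises plain-http collection and category URIs (placeholder host).
SAMPLE_URL = "https://blog.example.org/wp-app.php/service"
SAMPLE_XML = """<service xmlns="http://www.w3.org/2007/app"
         xmlns:atom="http://www.w3.org/2005/Atom">
  <workspace>
    <atom:title>Example Blog</atom:title>
    <collection href="http://blog.example.org/wp-app.php/posts">
      <atom:title>Posts</atom:title>
      <accept>application/atom+xml;type=entry</accept>
      <categories href="http://blog.example.org/wp-app.php/categories"/>
    </collection>
    <collection href="attachments">
      <atom:title>Media</atom:title>
      <accept>image/*</accept>
    </collection>
  </workspace>
</service>"""


def local_name(tag):
    """Strip the namespace so draft and final AtomPub namespaces both match."""
    return tag.rsplit("}", 1)[-1]


def insecure_links(service_url, service_xml):
    """Return (element, resolved URI) for every collection or categories href
    that leaves https although the service document itself came over https."""
    if urlsplit(service_url).scheme != "https":
        raise ValueError("service document itself was not fetched over https")
    findings = []
    for elem in ET.fromstring(service_xml).iter():
        name = local_name(elem.tag)
        href = elem.get("href")
        if name in ("collection", "categories") and href:
            # Relative hrefs resolve against the service URL and stay on https.
            resolved = urljoin(service_url, href)
            if urlsplit(resolved).scheme != "https":
                findings.append((name, resolved))
    return findings


if __name__ == "__main__":
    for name, uri in insecure_links(SAMPLE_URL, SAMPLE_XML):
        print(f"WARNING: {name} advertised over an insecure URI: {uri}")
```

A client can run the same test before sending credentials and refuse to authenticate against any URI it flags.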
With:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
you do not have a “secure connection”.
The code you reference isn’t attempting to authenticate or verify the peer certificate. All it is attempting to do is determine whether or not the https version of the URI for the AtomPub service document is to be advertised in the RSD. Frankly, all it is looking for is a 401 response as an indication that the server is likely to be configured properly to support https.
Should the application that fetches the RSD select the Atom “api” on a server that (appears to?) support https, then it is the application’s responsibility to establish a properly secure connection for obtaining the service and categories documents, and to interact with the collections.
s/net affect/net effect/