It’s just data

WordPress, SSL/TLS, and AtomPub

For all the reasons that Joseph Scott described, you really want to access WordPress AtomPub service documents using SSL/TLS.  Unfortunately, if you look closely at the current APE report, you will see both https and authentication warnings.

The reason for this is that even if the service document itself is obtained using a secure connection, with WordPress 2.3 that document provides non-SSL/TLS URIs for collections and category documents.  The net effect of this is that the important parts of the conversation are not secured; among other things, this means that your password is passed only lightly encoded.

Ticket 5298 and this patch address this problem.  Once that patch is committed to SVN, the warning will disappear from this page on the next hourly run.


With:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

you do not have a “secure connection”.

Posted by anonymous at

The code you reference isn’t attempting to authenticate or verify the peer certificate.  All it is attempting to do is determine whether or not the https version of the URI for the AtomPub service document is to be advertised in the RSD.  Frankly, all it is looking for is a 401 response as an indication that the server is likely to be configured properly to support https.

Should the application that fetches the RSD select the Atom “api” on a server that (appears to?) support https, then it is the application’s responsibility to establish a properly secure connection for obtaining the service and categories documents, and to interact with the collections.

Posted by Sam Ruby at

s/net affect/net effect/

Posted by Aristotle Pagaltzis at

Fixed.  Thanks!

Posted by Sam Ruby at

Anyone try “attaching” a valid Atom feed to WordPress' AtomPub endpoint as a means of doing an import yet?

Posted by d.w. at

cc changed

cc rubys added Am I misreading line 20 in xmlrpc.php incorrectly? The intent of this patch is to only do this check when fetching the rsd document. See   this post for background. Some place in the traversal from [link] =>...

Excerpt from WordPress Trac: Ticket #5298: https atom service document doesn't point to https collections at

Replying to rubys : Am I misreading line 20 in xmlrpc.php incorrectly? The intent of this patch is to only do this check when fetching the rsd document. See   this post for background. Some place in the traversal from [link]...

Excerpt from WordPress Trac: Ticket #5298: https atom service document doesn't point to https collections at
