The question of peer verification on HTTPS has been raised for both Drupal core #1081192: Verify peer on HTTPS if cURL available (but be careful of built-in cert bundles in the codebase) and Ubercart #1479190: Certificates on https requests to payment processors are not getting verified.

From a quick scan, it looks like Commerce uses neither drupal_http_request() nor cURL. What is used? Is peer verification done? Pointers to relevant areas in the code?

Comments

rszrama’s picture

Related code would reside in the various payment gateway modules, such as Commerce Authorize.Net / CyberSource / PayPal. We'll just need to open an issue in each of those related queues I'd imagine and document this in our Payment API docs, perhaps as part of the Developer Guide on drupalcommerce.org.

rszrama’s picture

Status: Active » Closed (duplicate)

Issues have been created in the related modules. We'll likely provide a fallback option for servers that have issues validating certificates. See #1931760-2: CURLOPT_SSL_VERIFYPEER should not be disabled for the latest.