Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The question of peer verification on HTTPS has been raised for both Drupal core #1081192: Verify peer on HTTPS if cURL available (but be careful of built-in cert bundles in the codebase) and Ubercart #1479190: Certificates on https requests to payment processors are not getting verified.
From a quick scan, it looks like Commerce uses neither drupal_http_request()
nor cURL. What is used? Is peer verification done? Pointers to relevant areas in the code?
Comments
Comment #1
rszrama CreditAttribution: rszrama commentedRelated code would reside in the various payment gateway modules, such as Commerce Authorize.Net / CyberSource / PayPal. We'll just need to open an issue in each of those related queues I'd imagine and document this in our Payment API docs, perhaps as part of the Developer Guide on drupalcommerce.org.
Comment #2
rszrama CreditAttribution: rszrama commentedIssues have been created in the related modules. We'll likely provide a fallback option for servers that have issues validating certificates. See #1931760-2: CURLOPT_SSL_VERIFYPEER should not be disabled for the latest.