We have a Drupal installation that serves both HTTP and HTTPS. If the admin/reports/status page is loaded over SSL we see the warning "Your system or network configuration does not allow Drupal to access web pages, resulting in reduced functionality...". After some debugging, this is because the system_check_http_request() fails to verify the host's SSL certificate (because the cert's hostname doesn't match the hostname of the site).

Corporate standards mean the site is behind numerous layers of technology, and has the right certificate for our environment, so it's not really an option to change it. Further, having Drupal connect to itself through all these layers is similarly not really an option.

I am able to construct a drupal_http_request() that passes the check (I can provide example code), but there's no way to do this inside the system_check_http_request() function, and no way to override the function with one of my own.

What's the solution here? I see three possible options (in order of my preference):

1) Patch Drupal core with a configurable option to ignore certs when making this check. I can give this a try, if it's a reasonable thing to do and likely to be useful. I'm not sure any patch would be back-ported to D7 though :-(
2) Set $conf['drupal_http_request_fails'] = FALSE; in settings.php. I'd prefer not to do this, because the check (over HTTP) has caught a few problems with our slightly convoluted environment, but it is something I can do if I have to.
3) Rework our environment to provide a valid cert for this request, but provide the current cert for all others. This is technically possible, but seems like a lot of work, and all a bit 'niche'.

Any guidance would be much appreciated.

Comments

coofercat’s picture

coofercat CreditAttribution: coofercat commented
Issue summary: View changes
dcam’s picture

dcam CreditAttribution: dcam commented

Hello! I'm sorry that you're having this issue, but I'll have to direct you elsewhere on the Drupal site for support. Although this is the right place to be if you're looking to have core patched, the people in the community who provide support don't work in the issue queue very much. That category of issue exists mostly for contributed modules. My advice is to click the Support link at the top of the page for other support options. The Support forum or IRC are better support resources.

coofercat’s picture

coofercat CreditAttribution: coofercat commented

Thanks for the tip. I'll probably go ahead with option (2) for now, and see if there'd be any traction for option (1) elsewhere.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented
Status: Active » Closed (duplicate)

Looks like there's an issue at #2931872: make system_check_http_request() do only http requests with a patch to try to address this. However, I think the real fix is to get rid of the system_check_http_request() entirely (see #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls) - this is just one of the many reasons that the current behavior doesn't work well.