By mcdruid on
Change record status:
Published
Project:
Introduced in branch:
7.x
Introduced in version:
7.98
Issue links:
Description:
Much has changed on the web since Drupal 7 was released. TLS/SSL is now near-ubiquitous for communications where security is a concern.
Accordingly, Drupal 7 now fetches information about available updates from drupal.org over https.
Support for TLS/SSL in PHP is still not a hard requirement for Drupal 7 (although perhaps it should be).
Sites that are unable to use https for outbound requests have the option of setting a variable, described in default.settings.php:
/**
 * URL for update information.
 *
 * Drupal's update module can check for the availability of updates. By default
 * https is used for this check. If for any reason your site cannot use https
 * you can change this variable to fallback to http. It is recommended to fix
 * the problem with SSL/TLS rather than use http which provides no security.
 */
# $conf['update_fetch_url'] = 'https://updates.drupal.org/release-history';
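An added example, not part of this change record or of Drupal itself: a Python check that reports whether a settings.php file actively overrides update_fetch_url with a non-https URL, ignoring commented-out lines like the default shown above. The function names and the sample file contents are constructed for illustration, and it assumes the override is a plain quoted-string assignment.

```python
import re

# Active assignment such as: $conf['update_fetch_url'] = 'http://...';
ASSIGN = re.compile(
    r"""\$conf\[\s*['"]update_fetch_url['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;"""
)

def strip_php_comments(src):
    """Drop /* */, # and // comments, leaving quoted strings (and their //) intact."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        ch = src[i]
        if quote:                                   # inside a string literal
            out.append(ch)
            if ch == "\\" and i + 1 < n:            # keep the escaped character
                i += 1
                out.append(src[i])
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            out.append(ch)
        elif src.startswith("/*", i):               # block comment
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 1
        elif ch == "#" or src.startswith("//", i):  # line comment
            end = src.find("\n", i)
            i = n if end == -1 else end - 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def audit_update_fetch_url(settings_source):
    """Return (status, url). The last active assignment wins, as it would in PHP."""
    matches = ASSIGN.findall(strip_php_comments(settings_source))
    if not matches:
        return ("default", None)   # no override: core's built-in URL is used
    url = matches[-1][1]
    scheme = url.split(":", 1)[0].lower()
    return ("ok" if scheme == "https" else "insecure", url)

# Constructed sample files (assumption: plain quoted-string assignments only).
SAMPLE_DEFAULT = "<?php\n/**\n * URL for update information.\n */\n# $conf['update_fetch_url'] = 'https://updates.drupal.org/release-history';\n"
SAMPLE_OVERRIDE = "<?php\n// $conf['update_fetch_url'] = 'https://updates.drupal.org/release-history';\n$conf['update_fetch_url'] = 'http://updates.drupal.org/release-history';\n"

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("override", SAMPLE_OVERRIDE)):
        print(name, audit_update_fetch_url(text))
```

This inspects settings.php only; in Drupal 7 the same variable can also be stored in the database, so a clean result here does not rule out an http value set there.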
Impacts:
Site builders, administrators, editors
Comments
Breaks update info for sites behind corporate proxy?
Is it possible this is breaking updating information about updates on sites installed behind a corporate proxy?
I had to revert this to 'http://updates.drupal.org/release-history' to get info about updates.
Also, I notice the administration dashboard does an HTTP connectivity check (which I can see failing if I remove my proxy config).
But it does not seem to be doing an HTTPS check.
Here is an excerpt from my settings.php:
Note that the same proxy server address can be used with HTTP or HTTPS for my corporate proxy, with no authentication. So it should in theory be working.
On PHP 5.5 with OpenSSL 1.0.1.