Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#25751 closed defect (bug) (wontfix)

Old cURL doesn't understand subjectAltName and can't connect to https://wordpress.org/

Reported by: mike_vl
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7
Component: HTTP API
Keywords:
Focuses:
Cc:

Description

On a shared hosting platform the following error occurred when updating the default themes from within the admin:

"An error occurred while updating Twenty Eleven: Download failed. SSL: certificate subject name '*.wordpress.org' does not match target host name 'wordpress.org'"

This issue has been raised on the WordPress forums by other users. http://20103399nl.forums.wordpress.org/topic/themas-installeren-werkt-niet-meer-bij-wordpress-37 (Dutch)

A (temporary) solution editing core has been mentioned as well which points to a possible cause:
in /wp-includes/class-http.php changing 'sslverify' => true to 'sslverify' => false will enable the themes to be updated.

Change History (6)

#2 follow-up: @dd32
11 years ago

This is caused by OpenSSL being unable to parse the subjectAltNames extension of the SSL certificate; this could be due to an OpenSSL bug, or this particular compile of OpenSSL doesn't support the extensions.

The WordPress.org certificate lists '*.wordpress.org' as its Common Name in the SSL cert; 'wordpress.org' is added as an extra domain in the SSL subjectAltName extension, which explains why api.wordpress.org would work, but wordpress.org would fail.

I've added a reply to the thread asking for some debugging information - specifically the version of OpenSSL being in use.

#3 in reply to: ↑ 2 @dd32
11 years ago

Replying to dd32:

This is caused by OpenSSL being unable to parse the subjectAltNames extension of the SSL certificate; this could be due to an OpenSSL bug, or this particular compile of OpenSSL doesn't support the extensions.

I misread the error slightly; this is caused by cURL & its OpenSSL build, not from the PHP OpenSSL extension as I thought.

The version of cURL installed on the hosting in this case is cURL 7.10.6; cURL 7.10.7 introduced the ability to check the subjectAltName field.

cURL 7.10.7 was released TEN YEARS AGO... In this case, I think we need to reach out to the host and ask them to update their version of cURL.

#4 follow-up: @dd32
11 years ago

  • Component changed from Upgrade/Install to HTTP

#5 in reply to: ↑ 4 @KieranAlen
10 years ago

Replying to dd32:

We are seeing the same error after OpenSSL upgrade!
We have though reverted all the changes and installed old cURL, OpenSSL and PHP settings, but most of the WP sites are showing the below error.

Download failed. Too many redirects.

What might have caused this? Unfortunately we could not find any other reference but this thread, so expecting someone to add a comment on this.

Thank you.

#6 @dd32
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Summary changed from "After upgrade to WordPress 3.7 updating Wordpress default themes is not possible" to "Old cURL doesn't understand subjectAltName and can't connect to https://wordpress.org/"

An error occurred while updating Twenty Eleven: Download failed. SSL: certificate subject name '*.wordpress.org' does not match target host name 'wordpress.org'

All downloads are now served from downloads.wordpress.org, so even clients who don't support subjectAltName should be able to retrieve packages over SSL now (since it'll match *.wordpress.org).

As it's such an old version of cURL/OpenSSL that doesn't support this, and the only real option would've been blacklisting old curl, I'm wontfixing this for now, although the problem originally is "fixed"/avoided.
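
The name check discussed in this ticket, as an added example (not part of the ticket, and not cURL or WordPress code): it compares a client that reads only the Common Name with one that reads subjectAltName, for the hosts named in the thread. The certificate names are constructed from the comments above; listing the wildcard in the SAN as well, and the function names, are assumptions.

```python
# Added illustration; not cURL or WordPress code.
# Constructed certificate names based on the ticket: the CN is '*.wordpress.org'
# and 'wordpress.org' is carried in subjectAltName. Listing the wildcard in the
# SAN as well is an assumption.
CERT = {
    "common_name": "*.wordpress.org",
    "subject_alt_names": ["*.wordpress.org", "wordpress.org"],
}


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so '*.wordpress.org' never matches 'wordpress.org'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require two fixed labels so names such as '*.org' are rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_host(cert: dict, host: str, san_aware: bool = True) -> bool:
    """Return True if the certificate is valid for host.

    san_aware=False models a client that only reads the Common Name, the
    behaviour the ticket attributes to cURL before 7.10.7.
    san_aware=True checks subjectAltName and falls back to the Common Name
    only when the certificate carries no SAN entries.
    """
    sans = cert.get("subject_alt_names", [])
    if san_aware and sans:
        return any(name_matches(n, host) for n in sans)
    return name_matches(cert["common_name"], host)


def report(hosts):
    """Map each host to (cn_only_result, san_aware_result)."""
    return {h: (verify_host(CERT, h, False), verify_host(CERT, h, True)) for h in hosts}


if __name__ == "__main__":
    hosts = ["wordpress.org", "api.wordpress.org", "downloads.wordpress.org"]
    for host, (legacy, modern) in report(hosts).items():
        print(f"{host:26} cn_only={legacy!s:5} san_aware={modern}")
```

Only the bare `wordpress.org` fails for the Common-Name-only client, which is why serving packages from `downloads.wordpress.org` avoids the error while certificate verification stays enabled.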
