WordPress.org

Make WordPress Core

Opened 19 months ago

Closed 8 months ago

#25751 closed defect (bug) (wontfix)

Old cURL doesn't understand subjectAltName and can't connect to https://wordpress.org/

Reported by: mike_vl
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7
Component: HTTP API
Keywords:
Focuses:
Cc:

Description

On a shared hosting platform the following error occurred when updating the default themes from within the admin:

"An error occurred while updating Twenty Eleven: Download failed. SSL: certificate subject name '*.wordpress.org' does not match target host name 'wordpress.org'"

This issue has been raised on the WordPress forums by other users: http://20103399nl.forums.wordpress.org/topic/themas-installeren-werkt-niet-meer-bij-wordpress-37 (Dutch)

A (temporary) solution editing core has been mentioned as well which points to a possible cause:
in /wp-includes/class-http.php changing 'sslverify' => true to 'sslverify' => false will enable the themes to be updated.

Change History (6)

comment:2 follow-up: @dd32 19 months ago

This is caused by OpenSSL being unable to parse the subjectAltNames extension of the SSL certificate; this could be due to an OpenSSL bug, or this particular compile of OpenSSL doesn't support the extensions.

The WordPress.org certificate lists '*.wordpress.org' as its Common Name in the SSL cert; 'wordpress.org' is added as an extra domain in the SSL subjectAltName extension, which explains why api.wordpress.org would work, but wordpress.org would fail.

I've added a reply to the thread asking for some debugging information - specifically the version of OpenSSL being in use.

comment:3 in reply to: ↑ 2 @dd32 19 months ago

Replying to dd32:

This is caused by OpenSSL being unable to parse the subjectAltNames extension of the SSL certificate; this could be due to an OpenSSL bug, or this particular compile of OpenSSL doesn't support the extensions.

I misread the error slightly; this is caused by cURL & its OpenSSL build, not by the PHP OpenSSL extension as I thought.

The version of cURL installed on the hosting in this case is cURL 7.10.6; cURL 7.10.7 introduced the ability to check the subjectAltName field.

cURL 7.10.7 was released TEN YEARS AGO... In this case, I think we need to reach out to the host and ask them to update their version of cURL.

comment:4 follow-up: @dd32 19 months ago

  • Component changed from Upgrade/Install to HTTP

comment:5 in reply to: ↑ 4 @KieranAlen 13 months ago

Replying to dd32:

We are seeing the same error after OpenSSL upgrade!
We have, though, reverted all the changes and installed old cURL, OpenSSL and PHP settings, but most of the WP sites are showing the below error.

Download failed. Too many redirects.

What might have caused this? Unfortunately we could not find any other reference but this thread, so we are expecting someone to add a comment on this.

Thank you.

comment:6 @dd32 8 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Summary changed from "After upgrade to WordPress 3.7 updating Wordpress default themes is not possible" to "Old cURL doesn't understand subjectAltName and can't connect to https://wordpress.org/"

An error occurred while updating Twenty Eleven: Download failed. SSL: certificate subject name '*.wordpress.org' does not match target host name 'wordpress.org

All downloads are now served from downloads.wordpress.org, so even clients who don't support subjectAltName should be able to retrieve packages over SSL now (since it'll match *.wordpress.org)

As it's such an old version of cURL/OpenSSL that doesn't support this, and the only real option would've been blacklisting old cURL, I'm wontfixing this for now, although the problem originally is "fixed"/avoided.
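
The name mismatch discussed in comments 2, 3 and 6, as an added example (not part of the ticket, and not cURL's or WordPress's code): a simplified Python model comparing a client that checks only the Common Name with one that also reads subjectAltName. The certificate dict is constructed; its wildcard SAN entry and all function names are assumptions.

```python
# Added illustration: a simplified model of TLS host name matching.

def label_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so '*.wordpress.org' never matches 'wordpress.org'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def verify_cn_only(cert: dict, host: str) -> bool:
    """Model of a client that ignores subjectAltName (cURL before 7.10.7)."""
    return label_match(cert["common_name"], host)


def verify_san_aware(cert: dict, host: str) -> bool:
    """Model of a client that checks subjectAltName dNSName entries and
    falls back to the Common Name only when the certificate carries none."""
    names = cert.get("san_dns") or [cert["common_name"]]
    return any(label_match(n, host) for n in names)


# Constructed certificate: the CN and the 'wordpress.org' SAN entry come from
# the ticket; the wildcard SAN entry is an assumption.
CERT = {
    "common_name": "*.wordpress.org",
    "san_dns": ["*.wordpress.org", "wordpress.org"],
}


def compare(hosts):
    """Return {host: (cn_only_result, san_aware_result)}."""
    return {h: (verify_cn_only(CERT, h), verify_san_aware(CERT, h)) for h in hosts}


if __name__ == "__main__":
    hosts = ["wordpress.org", "api.wordpress.org", "downloads.wordpress.org"]
    for host, (old, new) in compare(hosts).items():
        print(f"{host:26} CN-only={old!s:5} SAN-aware={new}")
```

Only the bare `wordpress.org` host fails under the CN-only model, which is why moving downloads to `downloads.wordpress.org` avoided the error without turning off `sslverify`.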
