Make WordPress Core

Opened 10 years ago

Closed 9 years ago

#27742 closed enhancement (invalid)

Possibly revisit who is part of our trusted certificate authorities

Reported by: denis-de-bernardy's profile Denis-de-Bernardy Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.7
Component: HTTP API Keywords:
Focuses: Cc:


Related to heartbleed, and the following Mozilla and Debian tickets:

In essence, we should monitor who is in our trusted CA file, and update it prior to releasing.

Change History (3)

#1 @johnbillion
10 years ago

  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 3.7

#2 @dd32
10 years ago

We've previously aligned to using the certificate bundle from the latest Mozilla release, and as such, we recently removed a bunch of 1024bit SSL roots accordingly - see #27017

We can and perhaps should switch to using Mozilla NSS directly, which has, since the last stable Mozilla release added a few roots and removed 1.

We should ensure that we sync prior to release, so at beta is ideal, but I think we should defer to NSS for what certificates to trust.

The certificate bundle can be rebuilt as such using the cURL bundle creator:

chmod +x
# For NSS direct:
./ -d nss src/wp-includes/certificates/ca-bundle.crt
# For Mozilla latest release (default)
./ src/wp-includes/certificates/ca-bundle.crt

for PHP 5.2 compatibility, r25569 must be manually applied to move the EE cert to the start of the file.

#3 @dd32
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Marking as invalid; as we handle updating to the latest Mozilla Release certs (From their NSS project) regularly, which is the de-facto standard of trust amongst browsers.

Note: See TracTickets for help on using tickets.