Opened 6 years ago

Closed 5 years ago

#27742 closed enhancement (invalid)

Possibly revisit who is part of our trusted certificate authorities

Reported by: Denis-de-Bernardy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7
Component: HTTP API
Keywords:
Focuses:
Cc:
PR Number:

Description

Related to Heartbleed, and the following Mozilla and Debian tickets:

https://bugzilla.mozilla.org/show_bug.cgi?id=994033

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027

In essence, we should monitor who is in our trusted CA file, and update it prior to releasing.

Change History (3)

#1 @johnbillion
6 years ago

  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 3.7

#2 @dd32
6 years ago

We've previously aligned to using the certificate bundle from the latest Mozilla release, and as such, we recently removed a bunch of 1024-bit SSL roots accordingly - see #27017.

We can and perhaps should switch to using Mozilla NSS directly, which has, since the last stable Mozilla release, added a few roots and removed 1.

We should ensure that we sync prior to release, so at beta is ideal, but I think we should defer to NSS for what certificates to trust.

The certificate bundle can be rebuilt as such using the cURL bundle creator:

wget https://raw2.github.com/bagder/curl/master/lib/mk-ca-bundle.pl
chmod +x mk-ca-bundle.pl
# For NSS direct:
./mk-ca-bundle.pl -d nss src/wp-includes/certificates/ca-bundle.crt
# For Mozilla latest release (default)
./mk-ca-bundle.pl src/wp-includes/certificates/ca-bundle.crt

For PHP 5.2 compatibility, r25569 must be manually applied to move the EE cert to the start of the file.
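
Added example (not part of the ticket and not WordPress core code): one way to review a rebuilt ca-bundle.crt before release is to diff it against the shipped bundle by certificate fingerprint, so that added and removed roots are listed while a pure reordering, such as moving one certificate to the start of the file, is not reported. It assumes the mk-ca-bundle.pl layout of a name line and an "====" underline before each PEM block; the bundle contents and the "Example Root" names below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block, optionally preceded by the "Name" + "====" label lines
# that mk-ca-bundle.pl writes above each certificate (assumed layout).
PEM_RE = re.compile(
    r"(?:^(?P<label>[^\n]+)\n=+\n)?"
    r"-----BEGIN CERTIFICATE-----\n(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"-----END CERTIFICATE-----",
    re.MULTILINE,
)

def load_bundle(text):
    """Return {SHA-256 fingerprint of the DER bytes: label} for each entry."""
    roots = {}
    for m in PEM_RE.finditer(text.replace("\r\n", "\n")):
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        label = (m.group("label") or "(unlabelled)").strip()
        roots[hashlib.sha256(der).hexdigest()] = label
    return roots

def diff_bundles(old_text, new_text):
    """Compare by fingerprint, so the order of entries does not matter."""
    old, new = load_bundle(old_text), load_bundle(new_text)
    added = sorted(new[f] for f in new.keys() - old.keys())
    removed = sorted(old[f] for f in old.keys() - new.keys())
    return added, removed

def fake_entry(name):
    # Constructed placeholder bytes standing in for a DER certificate.
    body = base64.encodebytes(("constructed DER for " + name).encode() * 4).decode()
    return (f"{name}\n{'=' * len(name)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}-----END CERTIFICATE-----\n\n")

# Constructed sample bundles: C moves to the front, B is dropped, D is new.
HEADER = "## Constructed sample bundle\n\n"
OLD_BUNDLE = HEADER + "".join(fake_entry(f"Example Root {c}") for c in "ABC")
NEW_BUNDLE = HEADER + "".join(fake_entry(f"Example Root {c}") for c in "CAD")

if __name__ == "__main__":
    added, removed = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for name in added:
        print("+", name)
    for name in removed:
        print("-", name)
```

To use it on real files, pass the text of the shipped bundle and of the regenerated one to diff_bundles() and review the two lists before committing.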

#3 @dd32
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Marking as invalid, as we handle updating to the latest Mozilla release certs (from their NSS project) regularly, which is the de facto standard of trust amongst browsers.
