Opened 11 years ago
Closed 10 years ago
#27742 closed enhancement (invalid)
Possibly revisit who is part of our trusted certificate authorities
| Reported by: | Denis-de-Bernardy | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.7 |
| Component: | HTTP API | Keywords: | |
| Focuses: | | Cc: | |
Description
Related to Heartbleed, and the following Mozilla and Debian tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=994033
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027
In essence, we should monitor who is in our trusted CA file, and update it prior to releasing.
Change History (3)
We've previously aligned to using the certificate bundle from the latest Mozilla release, and as such, we recently removed a bunch of 1024-bit SSL roots accordingly - see #27017
We can and perhaps should switch to using Mozilla NSS directly, which has, since the last stable Mozilla release added a few roots and removed 1.
We should ensure that we sync prior to release, so at beta is ideal, but I think we should defer to NSS for what certificates to trust.
The certificate bundle can be rebuilt as such using the cURL bundle creator:
For PHP 5.2 compatibility, r25569 must be manually applied to move the EE cert to the start of the file.
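The script below is an added example, not code from this ticket or from WordPress core: a stdlib-only Python audit that walks a PEM bundle (such as one produced by the cURL bundle creator) and flags RSA roots whose modulus is shorter than 2048 bits, the kind of check the 1024-bit root removal in #27017 implies should run before each sync. It inspects RSA keys only (roots with other key types are reported as non-RSA and skipped), and the fixture builder `make_test_bundle` constructs unsigned, syntactically valid certificates purely so the audit can run offline; they are not real roots, and every function and helper name here is this example's own.

```python
"""Audit a PEM CA bundle for short RSA roots (added example, stdlib only)."""
import base64
import re
import sys

# rsaEncryption OID 1.2.840.113549.1.1.1, DER-encoded contents
RSA_OID = bytes.fromhex("2a864886f70d010101")
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Extract every CERTIFICATE block from a PEM bundle as raw DER bytes."""
    return [base64.b64decode(b"".join(body.split()))
            for body in PEM_RE.findall(pem_bytes)]


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs contained in a constructed value [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _seq_body(buf, pos):
    """Return the content bounds of the SEQUENCE at pos."""
    tag, vs, ve = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at offset %d" % pos)
    return vs, ve


def rsa_modulus_bits(der):
    """RSA modulus size in bits for an X.509 cert, or None for non-RSA keys."""
    cert_s, _ = _seq_body(der, 0)                 # Certificate
    tbs_s, tbs_e = _seq_body(der, cert_s)         # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                      # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_s, spki_e = fields[5]
    alg, bitstr = list(_children(der, spki_s, spki_e))[:2]
    _, oid_s, oid_e = next(_children(der, alg[1], alg[2]))
    if der[oid_s:oid_e] != RSA_OID:
        return None
    # BIT STRING content: one "unused bits" byte, then RSAPublicKey SEQUENCE
    key_s, key_e = _seq_body(der, bitstr[1] + 1)
    _, mod_s, mod_e = next(_children(der, key_s, key_e))   # modulus INTEGER
    return int.from_bytes(der[mod_s:mod_e], "big").bit_length()


def audit_bundle(pem_bytes, min_rsa_bits=2048):
    """Return (cert_count, [(index, bits), ...]) for RSA roots below min_rsa_bits."""
    ders = pem_to_der_list(pem_bytes)
    weak = [(i, bits) for i, bits in
            ((i, rsa_modulus_bits(d)) for i, d in enumerate(ders))
            if bits is not None and bits < min_rsa_bits]
    return len(ders), weak


# ---- constructed test fixture (not real certificates) ----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_test_cert_der(modulus_bits):
    """Unsigned but syntactically valid Certificate with an RSA key of modulus_bits."""
    modulus = (1 << (modulus_bits - 1)) | 1     # exactly modulus_bits bits
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    name = _der(0x30, b"")                       # empty Name
    validity = _der(0x30, _der(0x17, b"140101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg
               + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # empty signature


def make_test_bundle(sizes):
    """PEM bundle of constructed certificates, one per requested key size."""
    return b"".join(b"-----BEGIN CERTIFICATE-----\n"
                    + base64.encodebytes(make_test_cert_der(bits))
                    + b"-----END CERTIFICATE-----\n" for bits in sizes)


if __name__ == "__main__":
    # Usage: python audit_bundle.py ca-bundle.crt (defaults to the fixture)
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else make_test_bundle([2048, 1024, 4096]))
    total, weak = audit_bundle(data)
    print("certificates: %d, RSA below 2048 bits at (index, bits): %s" % (total, weak))
```

Run it against the rebuilt `ca-bundle.crt` before a beta sync; a non-empty list means the bundle still carries roots that the Mozilla/NSS alignment described above would have dropped. The DER walker only follows the fixed field order of `tbsCertificate`, so it tolerates v1 certificates without the version tag but does not attempt to validate signatures or extensions.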