Make WordPress Core

Opened 2 years ago

Closed 15 months ago

Last modified 4 months ago

#45807 closed defect (bug) (fixed)

CA Bundle is way out of date

Reported by: paragoninitiativeenterprises
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: early has-patch commit
Focuses:
Cc:


The latest bundle is from 2018-12-05, the one shipped with WordPress is from 2015-09-16.


The past 3 years have shown some significant CA revocations, including Symantec's CA certs. I don't believe an outdated CACert bundle is necessarily a vulnerability worth reporting privately, but updating this may prevent a corner case of nation-state exploitation.

Attachments (5)

45807.diff (178.9 KB) - added by skithund 18 months ago.
45807-wp1024.diff (182.7 KB) - added by skithund 18 months ago.
45807-2.diff (176.9 KB) - added by skithund 15 months ago.
45807-2-wp1024.diff (180.6 KB) - added by skithund 15 months ago.
45807-3-wp1024.diff (178.2 KB) - added by SergeyBiryukov 15 months ago.

Change History (27)

#1 @Otto42
2 years ago

Related: #30434

#2 @paragoninitiativeenterprises
2 years ago

Note: When PHP 7+ is the minimum supported by WordPress, it would be advantageous to consider https://github.com/paragonie/certainty to automate this, going forward.

This ticket was mentioned in Slack in #core by paragonie.

2 years ago

This ticket was mentioned in Slack in #core-https by paragonie.

23 months ago

#5 @pento
23 months ago

  • Keywords early added
  • Milestone changed from Awaiting Review to 5.2
  • Version trunk deleted

Given how updating the CA bundle has caused back compat issues in the past, I'd like to land this change early in the cycle. Milestoning it for 5.2, so it can get a good amount of soak time.

#6 @johnbillion
20 months ago

  • Milestone changed from 5.2 to 5.3

Bumping as per the comment above.

#7 @skithund
20 months ago

Just to chip in here.

Let's Encrypt is transitioning to ISRG root, which isn't trusted by the current WordPress CA bundle.

wp eval 'var_dump(wp_remote_get("https://valid-isrgrootx1.letsencrypt.org/"));'

The WP_Error message is cURL error 60: SSL certificate problem: unable to get local issuer certificate

This ticket was mentioned in Slack in #core by paragonie.

19 months ago

#9 @desrosj
19 months ago

  • Keywords needs-patch added

#10 @skithund
18 months ago

Attached is a file with just the latest ca-bundle without any WordPress modifications.
I'll do another patch with WordPress modifications (add 1024 bit root certs back) later.

#11 @skithund
18 months ago

  • Keywords needs-patch removed

Another patch, which updates to the latest ca-bundle and adds the same 1024-bit certificates back as in [35919], with the following exceptions removed:

  • GTE CyberTrust Global Root - Expired on 2018-08-13
  • ValiCert Class 1 VA - Expires on 2019-06-25
  • ValiCert Class 2 VA - Expires on 2019-06-25
  • Entrust.net Secure Server CA - Expired on 2019-05-25
  • NetLock Business (Class B) Root - Expired on 2019-02-20
  • NetLock Express (Class C) Root - Expired on 2019-02-20

Last edited 18 months ago by skithund
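As an added example (not part of the ticket or of the WordPress patches), a shell function that audits a PEM CA bundle for the two properties the exception list above turns on: roots that are already expired (or expire within a given horizon) and RSA roots shorter than 2048 bits. It assumes the openssl command-line tool is installed; the bundle path is a placeholder you supply.

```shell
#!/bin/sh
# Audit a PEM CA bundle: flag roots that are already expired (or expire within
# HORIZON seconds) and RSA roots shorter than 2048 bits.
# Requires the openssl command-line tool.
# Usage: audit_bundle /path/to/ca-bundle.crt [HORIZON]
audit_bundle() {
    bundle=$1
    horizon=${2:-0}            # 0 = "expired right now"
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate. Free text between an END
    # and the next BEGIN (certificate names, comments) is skipped by openssl.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (n) close(d "/" n ".pem"); n++ }
        n { print > (d "/" n ".pem") }' "$bundle"
    for f in "$tmp"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        notafter=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        # -checkend exits non-zero when the cert expires within HORIZON seconds
        if ! openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null; then
            printf 'EXPIRED/EXPIRING: %s (notAfter %s)\n' "$subj" "$notafter"
        fi
        keyinfo=$(openssl x509 -in "$f" -noout -pubkey | openssl pkey -pubin -noout -text)
        bits=$(printf '%s\n' "$keyinfo" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        # Only RSA keys print a Modulus; a 256-bit EC root is not a weak key
        if printf '%s\n' "$keyinfo" | grep -q 'Modulus:' \
            && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            printf 'WEAK KEY: %s (RSA %s bit)\n' "$subj" "$bits"
        fi
    done
    rm -rf "$tmp"
}
```

Run it against the shipped bundle with a horizon such as 15552000 (180 days) to see which legacy roots will lapse before the next release.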

#12 @skithund
18 months ago

  • Keywords has-patch needs-testing added

This ticket was mentioned in Slack in #core by skithund.

15 months ago

#14 @mikeschroder
15 months ago

This ticket came up during a scrub.
Is this a good time for an update to the bundle @pento?

#15 @skithund
15 months ago

The latest CA bundle has actually been updated recently (2019-08-28). I'll refresh the patches in a couple of hours.

#16 @garrett-eclipse
15 months ago

  • Keywords needs-refresh added; needs-testing removed

Thanks @skithund, appreciate the update.

#17 @skithund
15 months ago

  • Keywords needs-refresh removed

Refreshed patches include changes only in build date, SHA checksum and one certificate removed (Certinomis - Root CA).

#18 @SergeyBiryukov
15 months ago

  • Keywords commit added

Thanks for the refreshed patches!

For some reason 45807-2-wp1024.diff didn't apply cleanly for me, 45807-3-wp1024.diff is another refresh.

Let's get this in while still early in the cycle to allow for more testing.

#19 @SergeyBiryukov
15 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 46094:

HTTP: Update the Root Certificate bundle.

Keep 1024-bit legacy root certificates re-added in [35919], except for those already expired, for compatibility with older OpenSSL versions.

Props skithund, paragoninitiativeenterprises.
Fixes #45807.

#20 @ocean90
9 months ago

#46879 was marked as a duplicate.

This ticket was mentioned in Slack in #forums by otto42.

6 months ago

#22 @SergeyBiryukov
4 months ago

#43779 was marked as a duplicate.