#45807 closed defect (bug) (fixed)
CA Bundle is way out of date
Reported by: | | Owned by: |
---|---|---|---
Milestone: | 5.3 | Priority: | normal
Severity: | normal | Version: |
Component: | Security | Keywords: | early has-patch commit
Focuses: | | Cc: |
Description
The latest bundle is from 2018-12-05, the one shipped with WordPress is from 2015-09-16.
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/certificates/ca-bundle.crt
The past 3 years have shown some significant CA revocations, including Symantec's CA certs. I don't believe an outdated CACert bundle is necessarily a vulnerability worth reporting privately, but updating this may prevent a corner case of nation-state exploitation.
Attachments (5)
Change History (27)
#2
@
6 years ago
Note: When PHP 7+ is the minimum supported by WordPress, it would be advantageous to consider https://github.com/paragonie/certainty to automate this, going forward.
This ticket was mentioned in Slack in #core by paragonie. View the logs.
6 years ago
This ticket was mentioned in Slack in #core-https by paragonie. View the logs.
6 years ago
#5
@
6 years ago
- Keywords early added
- Milestone changed from Awaiting Review to 5.2
- Version trunk deleted
Given how updating the CA bundle has caused back compat issues in the past, I'd like to land this change early in the cycle. Milestoning it for 5.2, so it can get a good amount of soak time.
#7
@
6 years ago
Just to chip in here.
Let's Encrypt is transitioning to ISRG root, which isn't trusted by the current WordPress CA bundle.
wp eval 'var_dump(wp_remote_get("https://valid-isrgrootx1.letsencrypt.org/"));'
The WP_Error message is: cURL error 60: SSL certificate problem: unable to get local issuer certificate
This ticket was mentioned in Slack in #core by paragonie. View the logs.
6 years ago
#10
@
6 years ago
Attached is a file with just the latest ca-bundle without any WordPress modifications.
I'll do another patch with WordPress modifications (add 1024 bit root certs back) later.
#11
@
6 years ago
- Keywords needs-patch removed
Another patch, which updates to the latest ca-bundle and adds the same 1024-bit certificates back as in [35919], with the following exceptions removed:
- GTE CyberTrust Global Root - Expired in 2018-08-13
- ValiCert Class 1 VA - Expires in 2019-06-25
- ValiCert Class 2 VA - Expires in 2019-06-25
- Entrust.net Secure Server CA - Expired in 2019-05-25
- NetLock Business (Class B) Root - Expired in 2019-02-20
- NetLock Express (Class C) Root - Expired in 2019-02-20
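Comment #7 shows the symptom of a stale bundle (a root such as ISRG Root X1 missing, so cURL fails with error 60) and comment #11 lists roots being dropped because they have expired or are about to. The script below is an added example, not code from WordPress core or from anyone on this ticket: it loads a PEM bundle with Python's standard `ssl` module, flags expired and soon-expiring roots, and reports required roots that are absent, so a maintainer can check a candidate ca-bundle.crt before committing it. The `SAMPLE_CERTS` records are constructed in the shape `SSLContext.get_ca_certs()` returns, using the expiry dates noted in this ticket; the ISRG Root X1 date and the name "Hypothetical Missing Root" are assumptions used only to exercise the checks.

```python
"""Audit a PEM CA bundle (the ca-bundle.crt format WordPress ships) for the
problems raised in this ticket: roots that have expired or are about to, and
required roots (such as ISRG Root X1) that are missing.
Added example; not part of WordPress core.
"""
import ssl
import sys
import time


def count_pem_certificates(pem_text):
    """Count the certificate blocks in bundle text and reject a bundle whose
    BEGIN/END markers do not pair up (a truncated file would otherwise load
    fewer roots than expected without any error)."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    if begins != ends:
        raise ValueError(f"malformed bundle: {begins} BEGIN vs {ends} END markers")
    return begins


def load_ca_certs(bundle_path):
    """Load the bundle into an SSLContext and return the CA certificates as the
    dicts that SSLContext.get_ca_certs() produces ('subject', 'notAfter', ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx.get_ca_certs()


def display_name(cert):
    """Pick a readable name: the subject commonName, falling back to
    organizationName (some older roots, e.g. the ValiCert ones, carry no CN)."""
    subject = {attr: value for rdn in cert["subject"] for (attr, value) in rdn}
    return subject.get("commonName") or subject.get("organizationName") or "<unnamed>"


def audit(certs, now_epoch, required_names=(), warn_days=180):
    """Classify every certificate by its notAfter date relative to now_epoch
    (seconds since the epoch, UTC) and list required names that are absent."""
    expired, expiring, present = [], [], set()
    for cert in certs:
        name = display_name(cert)
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if not_after <= now_epoch:
            expired.append(name)
        elif not_after - now_epoch < warn_days * 86400:
            expiring.append(name)
        present.add(name)
    missing = [name for name in required_names if name not in present]
    return {"expired": expired, "expiring": expiring, "missing": missing}


# Constructed sample records in the shape get_ca_certs() returns. The GTE and
# ValiCert dates follow the expiry notes in this ticket; the ISRG date is an
# assumption, and "Hypothetical Missing Root" is a placeholder name that only
# exercises the missing-root check.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "GTE CyberTrust Global Root"),),),
     "notAfter": "Aug 13 23:59:00 2018 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
    {"subject": ((("commonName", "ValiCert Class 1 VA"),),),
     "notAfter": "Jun 25 22:23:48 2019 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("May  1 00:00:00 2019 GMT")
REQUIRED = ("ISRG Root X1", "Hypothetical Missing Root")

if __name__ == "__main__":
    # Usage: python audit_bundle.py path/to/ca-bundle.crt ["ISRG Root X1" ...]
    # With no arguments the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(f"{count_pem_certificates(fh.read())} PEM blocks in {path}")
        report = audit(load_ca_certs(path), time.time(), tuple(sys.argv[2:]))
    else:
        report = audit(SAMPLE_CERTS, SAMPLE_NOW, REQUIRED)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against the sample, the report lists GTE CyberTrust Global Root as expired, ValiCert Class 1 VA as expiring within 180 days, and the placeholder root as missing; pointed at a real ca-bundle.crt with `ISRG Root X1` as a required name, an empty `missing` list is the condition under which the `wp eval` check from comment #7 stops failing with cURL error 60.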
This ticket was mentioned in Slack in #core by skithund. View the logs.
5 years ago
#14
@
5 years ago
This ticket came up during a scrub.
Is this a good time for an update to the bundle @pento?
#15
@
5 years ago
The latest CA bundle has actually been updated recently (2019-08-28). I'll refresh the patches in a couple of hours.
#16
@
5 years ago
- Keywords needs-refresh added; needs-testing removed
Thanks @skithund appreciate the update
#17
@
5 years ago
- Keywords needs-refresh removed
Refreshed patches include changes only in the build date, the SHA checksum, and one certificate removed (Certinomis - Root CA).
#18
@
5 years ago
- Keywords commit added
Thanks for the refreshed patches!
For some reason 45807-2-wp1024.diff didn't apply cleanly for me, 45807-3-wp1024.diff is another refresh.
Let's get this in while still early in the cycle to allow for more testing.
#19
@
5 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 46094:
Related: #30434