Make WordPress Core

Opened 11 months ago

Last modified 4 days ago

#50828 reviewing defect (bug)

Update ca-bundle.crt and remove expired certificates

Reported by: barry
Owned by: SergeyBiryukov
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

The existing ca-bundle.crt contains expired certificates which, in older OpenSSL versions, will prevent TLS connections even if there is another certificate chain option that is not expired. This patch syncs the bundle with the latest version from Mozilla, removing the expired certs, adding a few new ones, and keeping the 1024 bit certificates that were added for backwards compatibility in [35919].

It will be nice when we can use the upstream version as-is and update it with every release :)

Attachments (4)

50828.diff (23.4 KB) - added by barry 11 months ago.
50828-split-file-verbatim.patch (265.7 KB) - added by ayeshrajans 11 months ago.
50828-additional-removals.patch (5.7 KB) - added by ayeshrajans 10 months ago.
Attaching a patch that removes EE Certification Centre Root CA, America Online Root Certification Authority 1, and America Online Root Certification Authority 2 root certificates (1 duplicate, 2 requested removals)
wordpress-custom-1024bit-certificates.patch (8.5 KB) - added by ayeshrajans 10 months ago.
Our current ca-cert.pem can be generated by applying this patch to any upstream CA root certificate store.

Change History (24)

@barry
11 months ago

#1 @SergeyBiryukov
11 months ago

  • Component changed from General to Security

Previously: [46094] / #45807.

#2 @SergeyBiryukov
11 months ago

  • Milestone changed from Awaiting Review to 5.6

#3 follow-up: @desrosj
11 months ago

@SergeyBiryukov I know it is RC, but is there any reason not to consider including this in 5.5, as it will prevent the described issue?

Going forward, it would be nice to set this to update with an NPM command.

#4 @SergeyBiryukov
11 months ago

  • Milestone changed from 5.6 to 5.5

#5 @barry
11 months ago

FWIW, we are running this update on WordPress.com already.

#6 @whyisjake
11 months ago

  • Keywords commit dev-feedback added

#7 in reply to: ↑ 3 ; follow-up: @ayeshrajans
11 months ago

Replying to desrosj:

@SergeyBiryukov I know it is RC, but is there any reason not to consider including this in 5.5, as it will prevent the described issue?

Going forward, it would be nice to set this to update with an NPM command.

Wouldn't it be possible to store separate files for the 1024-bit certificates, and Mozilla/curl certificates in src/wp-includes/certificates directory? The final ca-bundle.crt file can then be built with a simple concat of the two files.

This way, we can make updates to CA bundle directly from Curl project (https://curl.haxx.se/ca/cacert.pem) without having to manually verify each update. As long as the content is verbatim, we know we have the up to date bundles.

As of now, the file sha checksum is not valid, and one would need to individually check each certificate to make sure no bits are changed. This is obviously not to say that the patch from @barry is not to be trusted.

#8 @ayeshrajans
11 months ago

  • Keywords has-patch added

Attaching a patch with the approach from the comment above.

1. Use a verbatim copy of the Mozilla certificates

The cacert.pem file is a 1:1 copy of the Curl/Mozilla certificates. Future updates to this bundle can be made by simply downloading the latest cacert.pem and cacert.pem.sha256 files and overwriting the existing ones.

See:

2. A new legacy-1024bit.pem file contains the legacy certificates

All legacy certificates in the ca-bundle.crt file so far are moved to a new legacy-1024bit.pem file. We can remove certificates when necessary without having to re-check the upstream 2048/2096 certificates in the cacert.pem file.

3. Removed expired certificates

The following 1024 bit certificates have expired and are thus removed.

  • June 20, 2020 - Equifax Secure Global eBusiness CA
  • June 20, 2020 - Equifax Secure eBusiness CA 1

4. Create the ca-bundle.crt file by combining the cacert.pem and legacy-1024bit.pem files

This is the original file name, so we ensure backwards compatibility.

Current legacy certificates

I checked all current legacy certificates to make sure they are valid and not revoked. All modern browsers will refuse to use them due to their hash algorithm and their being 1024 bit (not to mention the whole Symantec mess), but OpenSSL 0.9 should still accept them provided a CRL is not objecting and OpenSSL is configured to validate against an OCSP server.

The first two legacy certificates expire end of this year, perhaps just in time for WordPress 5.6.
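The build steps proposed in comment #8 (verify the upstream cacert.pem against its cacert.pem.sha256, keep the legacy roots in a separate file, concatenate into ca-bundle.crt), with the duplicate-root problem from comment #13 handled by dropping any legacy entry already present upstream. This is an added illustration, not code from the ticket or from WordPress; the PEM blocks below are constructed stand-ins, not real certificates.

```python
"""Build ca-bundle.crt from a verbatim upstream cacert.pem plus a legacy file.

Checksum format assumed: curl's cacert.pem.sha256 line, '<hex>  cacert.pem'.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def verify_sha256(data: bytes, sha256_line: str, name: str = "cacert.pem") -> bool:
    """True if `data` matches the digest in a '<hex>  <name>' checksum line."""
    parts = sha256_line.split()
    return (len(parts) == 2 and parts[1] == name
            and hashlib.sha256(data).hexdigest() == parts[0].lower())


def split_pem(text: str) -> list:
    """Return (pem_text, sha256_of_der) for every certificate block in a bundle."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        certs.append((m.group(0), hashlib.sha256(der).hexdigest()))
    return certs


def build_bundle(upstream: str, legacy: str) -> tuple:
    """Concatenate upstream then legacy certs; returns (bundle_text, dropped)."""
    upstream_certs = split_pem(upstream)
    seen = {fp for _, fp in upstream_certs}
    kept, dropped = [], 0
    for pem, fp in split_pem(legacy):
        if fp in seen:          # already shipped upstream: the duplicate case
            dropped += 1
            continue
        seen.add(fp)
        kept.append(pem)
    blocks = [pem for pem, _ in upstream_certs] + kept
    return "\n".join(blocks) + "\n", dropped


# Constructed sample input (not real certificates): base64 of short strings.
def _fake_cert(payload: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode()
            + "\n-----END CERTIFICATE-----")


SAMPLE_UPSTREAM = ("# constructed upstream bundle\n" + _fake_cert(b"root-A")
                   + "\n" + _fake_cert(b"root-B") + "\n")
SAMPLE_LEGACY = _fake_cert(b"root-B") + "\n" + _fake_cert(b"legacy-1024") + "\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPSTREAM.encode()).hexdigest() + "  cacert.pem"
```

The expiry check that actually triggered this ticket is not covered here; it needs a real X.509 parser or `openssl x509 -noout -checkend 0` run per block.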

#9 in reply to: ↑ 7 @SergeyBiryukov
11 months ago

  • Keywords dev-reviewed added; dev-feedback removed

Replying to ayeshrajans:

Wouldn't it be possible to store separate files for the 1024-bit certificates, and Mozilla/curl certificates in src/wp-includes/certificates directory? The final ca-bundle.crt file can then be built with a simple concat of the two files.

This way, we can make updates to CA bundle directly from Curl project (https://curl.haxx.se/ca/cacert.pem) without having to manually verify each update. As long as the content is verbatim, we know we have the up to date bundles.

This looks great, but I think it's too big a change for 5.5 RC2 and would require more testing.

Let's get 50828.diff in for now and 50828-split-file-verbatim.patch early in 5.6.

#10 @SergeyBiryukov
11 months ago

In 48707:

HTTP: Update the Root Certificate bundle.

Keep 1024-bit legacy root certificates re-added in [35919], except for those already expired, for compatibility with older OpenSSL versions.

Props barry, ayeshrajans, desrosj, whyisjake.
See #50828.

#11 @SergeyBiryukov
11 months ago

In 48708:

HTTP: Update the Root Certificate bundle.

Keep 1024-bit legacy root certificates re-added in [35919], except for those already expired, for compatibility with older OpenSSL versions.

Props barry, ayeshrajans, desrosj, whyisjake.
Reviewed by whyisjake, SergeyBiryukov.
Merges [48707] to the 5.5 branch.
See #50828.

#12 @SergeyBiryukov
11 months ago

  • Keywords dev-reviewed removed
  • Milestone changed from 5.5 to 5.6

#13 @ayeshrajans
10 months ago

Thanks for bumping this to 5.6 and committing to 5.5 too, even though it is in RC2.

May I suggest that we remove these certificates from our store?

  • America Online Root Certification Authority 1
  • America Online Root Certification Authority 2

They were removed from the Mozilla/curl store a while ago, and are 2048 bits. Removal of these two roots was requested (https://bugzilla.mozilla.org/show_bug.cgi?id=1083294) over 6 years ago, which is longer than the maximum three-year certificate lifetime in the CA/B Baseline Requirements. All certificates signed by these roots must technically have expired by now.

  • EE Certification Centre Root CA

This certificate is already in Mozilla/curl root store, and is a duplicate in our copy.


@ayeshrajans
10 months ago

Attaching a patch that removes EE Certification Centre Root CA, America Online Root Certification Authority 1, and America Online Root Certification Authority 2 root certificates (1 duplicate, 2 requested removals)

@ayeshrajans
10 months ago

Our current ca-cert.pem can be generated by applying this patch to any upstream CA root certificate store.

9 months ago

This ticket was mentioned in Slack in #core by helen.

#15 @SergeyBiryukov
9 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

8 months ago

This ticket was mentioned in Slack in #core by helen.

#17 @SergeyBiryukov
7 months ago

  • Milestone changed from 5.6 to 5.7

Didn't get a chance to review the latest patches in time for 5.6 RC, moving to the next release for now.

#18 @SergeyBiryukov
4 months ago

  • Milestone changed from 5.7 to 5.8

10 days ago

This ticket was mentioned in Slack in #core by chaion07.

#20 @hellofromTonya
4 days ago

  • Keywords commit removed
  • Milestone changed from 5.8 to Future Release

The latest patch needs review. It's been punted 2x. Moving it to Future Release as today is 5.8 Beta 1.
