Opened 4 years ago
Last modified 3 years ago
#50828 reviewing defect (bug)
Update ca-bundle.crt and remove expired certificates
Reported by: | barry | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | has-patch |
Focuses: | Cc: |
Description
The existing ca-bundle.crt contains expired certificates which in older OpenSSL versions will prevent TLS connections even if there is another certificate chain option that is not expired. This patch syncs the bundle with the latest version from Mozilla, removing the expired certs, adding a few new ones, and keeping the 1024 bit certificates that were added for backwards compatibility in [35919].
It will be nice when we can use the upstream version as-is and update it with every release :)
Attachments (5)
Change History (36)
#3 follow-up: ↓ 7 @ 4 years ago
@SergeyBiryukov I know it is RC, but is there any reason not to consider including this for 5.5, as this will prevent the described issue?
Going forward, it would be nice to set this to update with an NPM command.
#7 in reply to: ↑ 3 ; follow-up: ↓ 9 @ 4 years ago
Replying to desrosj:
> @SergeyBiryukov I know it is RC, but is there any reason not to consider including this for 5.5, as this will prevent the described issue?
> Going forward, it would be nice to set this to update with an NPM command.
Wouldn't it be possible to store separate files for the 1024-bit certificates, and Mozilla/curl certificates in src/wp-includes/certificates directory? The final ca-bundle.crt file can then be built with a simple concat of the two files.
This way, we can make updates to CA bundle directly from Curl project (https://curl.haxx.se/ca/cacert.pem) without having to manually verify each update. As long as the content is verbatim, we know we have the up to date bundles.
As of now, the file sha checksum is not valid, and one would need to individually check each certificate to make sure no bits are changed. This is obviously not to say that the patch from @barry is not to be trusted.
#8 @ 4 years ago
- Keywords has-patch added
Attaching a patch with the approach from the comment above.
1. Use verbatim copy of Mozilla certificates
The cacert.pem file is a 1:1 copy of the Curl/Mozilla certificates. Future updates to this bundle can be made by simply downloading the latest cacert.pem and cacert.pem.sha256 files and overwriting existing.
See:
- https://curl.haxx.se/ca/cacert.pem
- https://curl.haxx.se/ca/cacert.pem.sha256
- https://curl.haxx.se/docs/caextract.html
2. New legacy-1024bit.pem file contains the legacy certificates
All legacy certificates in the ca-bundle.crt file so far are moved to a new legacy-1024bit.pem file. We can remove certificates when necessary without having to re-check the upstream 2048/2096 certificates in cacert.pem file.
3. Removed expired certificates
The following 1024 bit certificates are expired and thus removed.
- June 20, 2020 - Equifax Secure Global eBusiness CA
- June 20, 2020 - Equifax Secure eBusiness CA 1
4. Create ca-bundle.crt file by combining cacert.pem and legacy-1024bit.pem files
This is the original file name, so we ensure backwards compatibility.
Current legacy certificates
I checked all current legacy certificates to make sure they are valid and not revoked. All modern browsers will refuse to use them due to their hash algorithm, and them being 1024 bit (not to mention the whole Symantec mess), but OpenSSL 0.9 should still accept them provided a CRL is not objecting and OpenSSL configured to validate against an OCSP server.
- Thawte Server CA: https://crt.sh/?q=23E594945195F2414803B4D564D2A3A3F5D88B8C
- Thawte Premium Server CA: https://crt.sh/?q=627F8D7827656399D27D7F9044C9FEB3F33EFA9A
- Verisign Class 3 Public Primary Certification Authority: https://crt.sh/?q=742C3192E607E424EB4549542BE1BBC53E6174E2
- Verisign Class 3 Public Primary Certification Authority - G2: https://crt.sh/?q=85371CA6E550143DCE2803471BDE3A09E8F8770F
- Verisign Class 3 Public Primary Certification Authority: https://crt.sh/?q=A1DB6393916F17E4185509400415C70240B0AE6B
The first two legacy certificates expire at the end of this year, perhaps just in time for WordPress 5.6.
#9 in reply to: ↑ 7 @ 4 years ago
- Keywords dev-reviewed added; dev-feedback removed
Replying to ayeshrajans:
> Wouldn't it be possible to store separate files for the 1024-bit certificates, and Mozilla/curl certificates in src/wp-includes/certificates directory? The final ca-bundle.crt file can then be built with a simple concat of the two files.
> This way, we can make updates to CA bundle directly from Curl project (https://curl.haxx.se/ca/cacert.pem) without having to manually verify each update. As long as the content is verbatim, we know we have the up to date bundles.
This looks great, but I think it's too big a change for 5.5 RC2 and would require more testing.
Let's get 50828.diff in for now and 50828-split-file-verbatim.patch early in 5.6.
#13 @ 4 years ago
Thanks for bumping this to 5.6 and committing to 5.5 too, albeit it being RC2.
May I suggest that we remove these certificates from our store?
- America Online Root Certification Authority 1
- America Online Root Certification Authority 2
They were removed from Mozilla/curl store a while ago, and are 2048 bits. These two roots were requested to be removed (https://bugzilla.mozilla.org/show_bug.cgi?id=1083294) over 6 years ago, which is over the CA/B baseline requirements of maximum three year length. All certificates signed by this root must be technically expired by now.
- EE Certification Centre Root CA
This certificate is already in Mozilla/curl root store, and is a duplicate in our copy.
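An added example (not part of the ticket or its patches) of the build step discussed in comments 7, 8 and 13: verify the downloaded cacert.pem against cacert.pem.sha256, then append only those legacy certificates that the upstream file does not already contain. The function names are hypothetical, the digest file is assumed to use the `sha256sum` layout, and the sample certificates are constructed placeholders rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """Map the SHA-256 of each certificate's DER bytes to its PEM block."""
    certs = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs[hashlib.sha256(der).hexdigest()] = m.group(0)
    return certs

def build_bundle(upstream, sha256_line, legacy_text):
    """Verify the upstream file, then append legacy certs it does not contain.

    upstream:    bytes of cacert.pem exactly as downloaded
    sha256_line: text of cacert.pem.sha256, assumed "<hex digest>  <filename>"
    legacy_text: text of the locally maintained legacy PEM file
    Returns (bundle_text, fingerprints_of_skipped_duplicates).
    """
    expected = sha256_line.split()[0].lower()
    actual = hashlib.sha256(upstream).hexdigest()
    if actual != expected:
        raise ValueError(f"cacert.pem digest mismatch: got {actual}")
    upstream_text = upstream.decode("utf-8")
    known = cert_fingerprints(upstream_text)
    parts, skipped = [upstream_text.rstrip("\n")], []
    for fingerprint, block in cert_fingerprints(legacy_text).items():
        if fingerprint in known:
            skipped.append(fingerprint)  # upstream already ships this root
        else:
            parts.append(block)
    return "\n\n".join(parts) + "\n", skipped

def _fake_pem(raw):
    # Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real cert.
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    up = (_fake_pem(b"root-A") + _fake_pem(b"root-B")).encode()
    digest_line = hashlib.sha256(up).hexdigest() + "  cacert.pem\n"
    legacy = _fake_pem(b"root-B") + _fake_pem(b"legacy-1024")
    bundle, skipped = build_bundle(up, digest_line, legacy)
    print(len(cert_fingerprints(bundle)), "certs;", len(skipped), "duplicate skipped")
```

Because the upstream text is emitted unchanged at the start of the bundle, a reviewer can confirm the first part of ca-bundle.crt against the published digest and only needs to inspect the appended legacy blocks by hand.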
@ 4 years ago
Attaching a patch that removes EE Certification Centre Root CA, America Online Root Certification Authority 1, and America Online Root Certification Authority 2 root certificates (1 duplicate, 2 requested removals)
@ 4 years ago
Our current ca-cert.pem can be generated by applying this patch to any upstream CA root certificate store.
This ticket was mentioned in Slack in #core by helen. View the logs.
4 years ago
#17 @ 4 years ago
- Milestone changed from 5.6 to 5.7
Didn't get a chance to review the latest patches in time for 5.6 RC, moving to the next release for now.
This ticket was mentioned in Slack in #core by chaion07. View the logs.
4 years ago
#20 @ 4 years ago
- Keywords commit removed
- Milestone changed from 5.8 to Future Release
The latest patch needs review. It's been punted 2x. Moving it to Future Release as today is 5.8 Beta 1.
#22 follow-up: ↓ 23 @ 3 years ago
In attachment:50828.2.diff I added the mk-ca-bundle.pl script so that we can generate the certs during a build or release.
npm run cert:generate will drop the bundle in the right spot. It feels weird to be running a Perl script with node, better than composer tho?
More details here on the script: https://curl.se/docs/mk-ca-bundle.html
#23 in reply to: ↑ 22 ; follow-up: ↓ 24 @ 3 years ago
Replying to whyisjake:
> In attachment:50828.2.diff I added the mk-ca-bundle.pl script so that we can generate the certs during a build or release.
Can the file be imported from somewhere directly instead of using perl? Note that it looks like that reverts the changes from https://core.trac.wordpress.org/ticket/34935#comment:10 which is something I no longer recall the details of.. other than that it was needed at the time.
Previously: [46094] / #45807.