Make WordPress Core

Opened 3 weeks ago

Closed 5 days ago

#62811 closed defect (bug) (fixed)

Update bundled root certificates for 6.8

Reported by: desrosj Owned by:
Milestone: 6.8 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch
Focuses: Cc:

Description (last modified by desrosj)

This ticket is for updating the Root Certificates bundle included in WordPress Core for the 6.8 release cycle.

Previously:

Note: Some unexpired legacy 1024-bit certificates are included manually for backwards compatibility. See [35919].

Change History (11)

This ticket was mentioned in PR #8134 on WordPress/wordpress-develop by @desrosj.


3 weeks ago
#1

This updates the bundled root certificates that ship with WordPress Core by syncing the latest upstream changes from Mozilla as of December 31, 2024.

This also removes several expired legacy certificates that were included for backwards compatibility.

Trac ticket: https://core.trac.wordpress.org/ticket/62811

@skithund commented on PR #8134:


3 weeks ago
#2

Cybertrust Global Root has also expired, on 2021-12-15.

@desrosj commented on PR #8134:


3 weeks ago
#3

Thanks @todeveni! Updated.

#4 @desrosj
3 weeks ago

The attached PR removes the following legacy certificates:

  • Cybertrust Global Root - 2021-12-15
  • Thawte Server CA - 2020-12-31
  • Thawte Premium Server CA - 2020-12-31

#5 @johnbillion
3 weeks ago

  • Type changed from defect (bug) to task (blessed)

#6 @desrosj
3 weeks ago

  • Description modified (diff)
  • Type changed from task (blessed) to defect (bug)

#7 @desrosj
3 weeks ago

  • Description modified (diff)

@johnbillion commented on PR #8134:


11 days ago
#8

Recommending that this is closed in favour of #8137.

@desrosj commented on PR #8134:


10 days ago
#9

> Recommending that this is closed in favour of #8137.

Works for me. My initial thinking was to separate the build process and the actual update of the certificates. But don't feel strongly about that at all.

#10 @desrosj
9 days ago

In 59740:

Security: Introduce Grunt task for updating Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations. To date, updates have only been merged into Core when problems arise using a highly manual process.

This introduces the certificates:upgrade Grunt task to automate the process of updating the included bundle with upstream changes using Composer to manage versioning.

The legacy 1024-bit certificates included for backwards compatibility are now maintained in a separate file that is prepended to the built version of the bundle during the relevant Grunt tasks. Some expired certificates from this list have been removed:

  • Cybertrust Global Root (expired 2021-12-15)
  • Thawte Server CA (expired 2020-12-31)
  • Thawte Premium Server CA (expired 2020-12-31)

The Dependabot configuration has also been updated to open pull requests when new releases occur upstream. Going forward, the recommendation is to create a task ticket for updating these certificates with each release when an update is published. See #62811 for an example of this.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
Fixes #62812. See #62811, 50828.

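The expired root that only surfaced in review (#2, then the list in #4 and again in the r59740 message) is the kind of thing a script should catch before a PR is opened, and the upstream Mozilla sync cannot catch it because the legacy 1024-bit roots live in a separately maintained file. The following is an added example, not code from WordPress Core or from the certificates:upgrade Grunt task: a standard-library-only Python audit that reads every certificate in a PEM bundle and reports roots that are past notAfter or carry an RSA key shorter than 2048 bits. The two roots in the embedded bundle are constructed, unsigned stand-ins, and the AS_OF date, the function names and the 2048-bit threshold are assumptions of the example.

```python
"""Audit a PEM root-certificate bundle for expired roots and short RSA keys.
Added example, not WordPress Core code: a stdlib-only walk of enough X.509 DER (RFC 5280)
to read each root's subject CN, notAfter and RSA modulus size. The bundle at the bottom
is constructed in-line from unsigned stand-in roots."""
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")              # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
AS_OF = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed audit date for the checks below

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F                      # long-form length uses n extra bytes
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                                               # UTCTime YYMMDDHHMMSSZ; YY < 50 is 20YY
        yy = int(s[:2])
        s = str(2000 + yy if yy < 50 else 1900 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)  # also GeneralizedTime (0x18)

def common_name(name):  # DER Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }
    pos = 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        if oid == OID_CN:
            return value.decode("utf-8")
    return "<no CN>"

def parse_cert(der_bytes):
    """Return subject CN, notAfter and RSA modulus bits (None for non-RSA keys)."""
    _, cert, _ = read_tlv(der_bytes, 0)                           # Certificate
    _, tbs, _ = read_tlv(cert, 0)                                 # TBSCertificate
    tag, _, pos = read_tlv(tbs, 0)                                # [0] version is optional, so ...
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)                            # ... skip serialNumber only if version was present
    for _ in range(2):
        _, _, pos = read_tlv(tbs, pos)                            # signature AlgorithmIdentifier, issuer
    _, validity, pos = read_tlv(tbs, pos)
    _, subject, pos = read_tlv(tbs, pos)
    _, spki, _ = read_tlv(tbs, pos)                               # SubjectPublicKeyInfo
    _, _, p = read_tlv(validity, 0)                               # notBefore
    t_after, after, _ = read_tlv(validity, p)                     # notAfter
    _, alg, p = read_tlv(spki, 0)
    _, key_bitstr, _ = read_tlv(spki, p)                          # BIT STRING; byte 0 = unused-bit count
    _, alg_oid, _ = read_tlv(alg, 0)
    rsa_bits = None
    if alg_oid == OID_RSA:
        _, rsa_key, _ = read_tlv(key_bitstr[1:], 0)               # RSAPublicKey ::= SEQUENCE { n, e }
        _, modulus, _ = read_tlv(rsa_key, 0)
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    return {"cn": common_name(subject), "not_after": parse_time(t_after, after), "rsa_bits": rsa_bits}

def audit_bundle(pem_text, now=AS_OF, min_rsa_bits=2048):
    """One record per PEM block; comment lines between blocks (as in Mozilla's bundle) are ignored."""
    records = []
    for m in PEM_RE.finditer(pem_text):
        rec = parse_cert(base64.b64decode("".join(m.group(1).split())))
        rec["expired"] = rec["not_after"] < now
        rec["weak_rsa"] = rec["rsa_bits"] is not None and rec["rsa_bits"] < min_rsa_bits
        records.append(rec)
    return records

def report(pem_text, now=AS_OF):
    """Ticket-style lines for roots needing a decision; expiry takes precedence over key size."""
    return [f"{r['cn']} - expired {r['not_after']:%Y-%m-%d}" if r["expired"] else f"{r['cn']} - {r['rsa_bits']}-bit RSA key"
            for r in audit_bundle(pem_text, now) if r["expired"] or r["weak_rsa"]]

# ---- constructed test data: a minimal DER encoder mints two unsigned stand-in roots ----
def der(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def der_int(v):  # sizing keeps the leading 0x00 that DER needs when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def make_root(cn, not_after_tlv, modulus_bits):
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode("ascii")))))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    rsa_key = der(0x30, der_int((1 << (modulus_bits - 1)) | 1) + der_int(65537))        # placeholder modulus
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    validity = der(0x30, der(0x17, b"200101000000Z") + not_after_tlv)
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))                            # signature left blank
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

CONSTRUCTED_BUNDLE = (
    "# Legacy Root (constructed)\n" + make_root("Legacy Root (constructed)", der(0x17, b"211215235959Z"), 1024)
    + "# Modern Root (constructed)\n" + make_root("Modern Root (constructed)", der(0x18, b"20500101000000Z"), 2048)
)
```

Pointed at the bundle WordPress ships under wp-includes/certificates/ with `now` left at the real date, `report()` gives the list a reviewer would paste into a ticket like this one; note that the parser deliberately stops at the fields the audit needs (no extensions, no signature check), so it says nothing about whether a root is trustworthy, only whether it is dead weight.
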
#11 @johnbillion
5 days ago

  • Resolution set to fixed
  • Status changed from new to closed