[wp-trac] [WordPress Trac] #27742: Possibly revisit who is part of our trusted certificate authorities
WordPress Trac
noreply at wordpress.org
Thu Apr 10 00:53:29 UTC 2014
#27742: Possibly revisit who is part of our trusted certificate authorities
-------------------------------+------------------------------
Reporter: Denis-de-Bernardy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTTP API | Version: 3.7
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------------+------------------------------
Comment (by dd32):
We've previously aligned to using the certificate bundle from the latest
Mozilla release, and as such, we recently removed a bunch of 1024-bit SSL
roots accordingly - see #27017.

We can and perhaps should switch to using Mozilla NSS directly, which has,
since the last stable Mozilla release, added a few roots and removed 1.

We should ensure that we sync prior to release, so at beta is ideal, but I
think we should defer to NSS for what certificates to trust.

The certificate bundle can be rebuilt as such using the cURL bundle
creator:
{{{
wget https://raw2.github.com/bagder/curl/master/lib/mk-ca-bundle.pl
chmod +x mk-ca-bundle.pl
# For NSS direct:
./mk-ca-bundle.pl -d nss src/wp-includes/certificates/ca-bundle.crt
# For Mozilla latest release (default)
./mk-ca-bundle.pl src/wp-includes/certificates/ca-bundle.crt
}}}
For PHP 5.2 compatibility, r25569 must be manually applied to move the EE
cert to the start of the file.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27742#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
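
Added example, not part of the ticket comment or of WordPress/cURL code: a way to review which roots a rebuilt ca-bundle.crt adds or removes relative to the committed one before syncing. The function names and the sample entries are assumptions; the sample "certificates" are constructed byte strings laid out the way mk-ca-bundle.pl writes entries (name, row of '=', PEM block), not real roots.

```python
import base64
import hashlib
import re

# One PEM certificate; the body is base64 with line breaks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def parse_bundle(text):
    """Return {sha256-of-DER hex: label} for every certificate in a bundle.

    The label is the last line before BEGIN that is neither a '#' comment
    nor the '=' underline mk-ca-bundle.pl puts under each root's name.
    """
    roots, pos = {}, 0
    for m in PEM_RE.finditer(text):
        lines = [l.strip() for l in text[pos:m.start()].splitlines()]
        names = [l for l in lines
                 if l and not l.startswith("#") and set(l) != {"="}]
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        roots[hashlib.sha256(der).hexdigest()] = (
            names[-1] if names else "(unlabelled)")
        pos = m.end()
    return roots


def diff_bundles(old_text, new_text):
    """Compare by fingerprint, so reordering or relabelling is not a change."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    added = sorted(new[fp] for fp in new.keys() - old.keys())
    removed = sorted(old[fp] for fp in old.keys() - new.keys())
    return added, removed


def sample_entry(name, der):
    """Build one constructed bundle entry in mk-ca-bundle.pl's layout."""
    body = base64.encodebytes(der).decode()
    return (f"{name}\n{'=' * len(name)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}-----END CERTIFICATE-----\n\n")


HEADER = "##\n## Constructed sample bundle\n##\n\n"
OLD = (HEADER + sample_entry("Example Root A", b"constructed-der-A")
       + sample_entry("Example Root B", b"constructed-der-B"))
NEW = (HEADER + sample_entry("Example Root A", b"constructed-der-A")
       + sample_entry("Example Root C", b"constructed-der-C"))

if __name__ == "__main__":
    added, removed = diff_bundles(OLD, NEW)
    print("added:", added, "removed:", removed)
```

For a real review, pass the contents of the committed and the regenerated ca-bundle.crt to diff_bundles() in place of the constructed samples.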