[wp-trac] [WordPress Trac] #34935: Removed SSL certificates causing errors in WP 4.4
WordPress Trac
noreply at wordpress.org
Fri Dec 11 07:06:22 UTC 2015
#34935: Removed SSL certificates causing errors in WP 4.4
-------------------------------------+-----------------------
Reporter: DvanKooten | Owner: rmccue
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.4.1
Component: HTTP API | Version: 4.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+-----------------------
Changes (by rmccue):
* keywords: => has-patch needs-testing
* owner: => rmccue
* status: new => assigned
Comment:
Managed to replicate using OpenSSL only from the command line. Appears to
be broken in 1.0.1e and fixed in 1.0.1q, so some `git bisect` magic led
me to
[https://github.com/openssl/openssl/commit/f7bf8e02dfcb2c02bc12a59276d0a3ba43e6c204 this commit].
This then led me on to
[https://rt.openssl.org/Ticket/Display.html?id=3621 this ticket];
[https://rt.openssl.org/Ticket/Display.html?id=3621#txn-49999 this comment]
goes into specifics about it:
Recently, Mozilla has started to clean up the Mozilla CA trust list and
remove CA certificates that use a weaker 1024-bit RSA key. I'll call
them legacy CAs.

When upgrading the trust store used by openssl to exclude the legacy CA
certificates, by default, openssl (e.g. s_client) can no longer verify
the server certificate of several popular SSL/TLS servers; examples are
www.flickr.com and www.amazon.com.
The cURL page for the certificate bundle also mentions this:
RSA-1024 removed

Around early September 2014, Mozilla removed the trust bits from the
certs in their CA bundle that were still using RSA 1024 bit keys. This may
lead to TLS libraries having a hard time verifying some sites if the
library in question doesn't properly support "path discovery" as per RFC
4158. (That includes OpenSSL and GnuTLS.)
[https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt This file]
is linked as the last version built from the NSS store before they
started removing these certs.
These certificates have been removed for being 1024-bit:
* GTE CyberTrust Global Root
* Thawte Server CA
* Thawte Premium Server CA
* Verisign Class 3 Public Primary Certification Authority
* Verisign Class 3 Public Primary Certification Authority - G2
* ValiCert Class 1 VA
* ValiCert Class 2 VA
* ValiCert Class 3 VA (incorrectly called
[https://bugzilla.mozilla.org/show_bug.cgi?id=592984 RSA Root Certificate 1])
* Entrust.net Secure Server CA
* Equifax Secure Global eBusiness CA
* Equifax Secure eBusiness CA 1
* NetLock Business (Class B) Root
* NetLock Express (Class C) Root
* Verisign Class 3 Public Primary Certification Authority
(Importantly, note that "Verisign Class 3 Public Primary Certification
Authority - G2" is the current root certificate for `api.paypal.com`.)
After some more checking, the removed ones are all 1024 bit, with the
exception of the following (links to reasoning for removal):
* [https://bugzilla.mozilla.org/show_bug.cgi?id=592984 RSA Root Certificate 1]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1083294 America Online Root Certification Authority 1]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1083294 America Online Root Certification Authority 2]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1020729 TDC Internet Root CA]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1013572 AC Raíz Certicámara S.A.]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=850740 TC TrustCenter Class 3 CA II]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1145270 E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi]
Therefore: I believe we should be able to take our existing bundle and
pull the 1024-bit certificates back in.
Attaching patched version of the CA bundle that adds the 1024-bit
certificates back; this fixes resolution for me via OpenSSL on the command
line, but needs testing on a site that's broken.
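A way to audit a PEM CA bundle like the one attached here for the legacy 1024-bit RSA roots the comment lists, as an added example that is not part of the ticket or of WordPress's code. It walks the DER structure by hand instead of using a crypto library, and `fake_cert_pem` builds constructed, unsigned certificate skeletons (labelled as such) so the check runs offline.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):  # RSA modulus size in bits of a DER certificate, or None if the key is not RSA
    _, pos, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, pos, _ = _tlv(der, pos)  # tbsCertificate ::= SEQUENCE
    if der[pos] == 0xA0:  # optional explicit [0] version field
        pos = _tlv(der, pos)[2]
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)  # subjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    _, alg_s, alg_e = _tlv(der, pos)  # AlgorithmIdentifier
    _, oid_s, oid_e = _tlv(der, alg_s)  # its OID
    if der[oid_s:oid_e] != RSA_OID:
        return None
    _, bs, _ = _tlv(der, alg_e)  # BIT STRING; first payload byte is the unused-bits count
    _, seq_s, _ = _tlv(der, bs + 1)  # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    _, mod_s, mod_e = _tlv(der, seq_s)  # modulus INTEGER (may carry a leading 0x00)
    return int.from_bytes(der[mod_s:mod_e], "big").bit_length()

def audit_bundle(pem_text, legacy_max_bits=1024):  # [(index, bits, is_legacy)] per cert in a bundle
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        bits = rsa_bits(base64.b64decode("".join(m.group(1).split())))
        out.append((i, bits, bits is not None and bits <= legacy_max_bits))
    return out

def _enc(tag, value):  # minimal DER encoder (short and long length forms) for the sample below
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert_pem(bits):  # constructed, unsigned cert skeleton with an RSA key of `bits` bits (test data)
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # positive INTEGER, top bit set
    key = _enc(0x30, _enc(0x02, mod) + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, RSA_OID) + b"\x05\x00") + _enc(0x03, b"\x00" + key))
    empty = _enc(0x30, b"")  # stand-ins for sigAlg, issuer, validity and subject
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + empty * 4 + spki)
    b64 = base64.b64encode(_enc(0x30, tbs + empty + _enc(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run `audit_bundle(open("ca-bundle.crt").read())` on a real bundle and any entry flagged `True` is one of the 1024-bit roots that this patch deliberately keeps; anything flagged that is not on the list above deserves a second look.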
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34935#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform