[wp-trac] [WordPress Trac] #34935: Removed SSL certificates causing errors in WP 4.4

WordPress Trac noreply at wordpress.org
Sun Dec 13 04:56:06 UTC 2015


#34935: Removed SSL certificates causing errors in WP 4.4
------------------------------------+-----------------------
 Reporter:  DvanKooten              |       Owner:  rmccue
     Type:  defect (bug)            |      Status:  assigned
 Priority:  normal                  |   Milestone:  4.4.1
Component:  HTTP API                |     Version:  4.4
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch https commit  |     Focuses:
------------------------------------+-----------------------
Changes (by rmccue):

 * keywords:  has-patch needs-testing https => has-patch https commit


Comment:

 Replying to [comment:17 toddlahman]:
 > Adding automated testing of different versions of cURL and OpenSSL with
 > WordPress using HTTPS to connect to remote URLs, like an API, would help
 > avoid these issues in the next release.

 It is a huge amount of effort to test different cURL and OpenSSL versions
 (as various versions need to be used); finding and verifying this bug took
 me ~4 hours, even using `git bisect`. Thankfully, this issue turned out to
 be an easy one caused by OpenSSL itself, which meant I only needed to
 rebuild OpenSSL and use the command line client `openssl s_client`; if
 this was caused by OpenSSL and cURL (or worse, PHP cURL) having issues
 together, it could have taken days just to find the issue.

 Testing every version of cURL and OpenSSL that's available isn't something
 we can do, which is why it's important for people to test release
 candidates.

 Replying to [comment:19 Kent Brockman]:
 > A well implemented ca-bundle.crt file demonstrated to do the magic. The
 > tricky part is... keeping that .crt file up to date, given the many
 > updates that may arise. All in all, it is a foolproof solution. I bet that
 > monitoring changes in a couple of git ca bundles (like this one:
 > https://raw.githubusercontent.com/bagder/ca-bundle/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt )
 > will be enough to keep up with it.

 We '''do''' monitor changes in the bundle, which is what caused this issue
 in the first place. The crux of the issue is that Mozilla has decided to
 remove 1024 bit root certificates from their root store (that bundle file
 is generated from it). Mozilla's software and infrastructure uses NSS (a
 different SSL library) that can handle alternate chains; OpenSSL 1.0.1l
 was the first version to introduce this to OpenSSL.

 Monitoring the upstream changes isn't enough when we also need to have
 compatibility with years-old versions of OpenSSL.

 Replying to [comment:20 sneader]:
 > Hosting provider input here: Very standard cPanel shared hosting
 > environment, running CentOS 6.7 OS with yum updates, as well as cPanel
 > updates, every night. OpenSSL reports as version "1.0.1e-fips" but has
 > backported patches (the most recent being June 23, 2015).

 It may be worth reporting this to CentOS, since 1024 bit root certificates
 are going away eventually. This is going to break certificates that rely
 on alternate chains. We will endeavour to keep supporting this, but I
 wouldn't be surprised when other software starts breaking too.

 ----

 Given that this patch is working, recommending for commit in 4.4.1.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34935#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
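The comment above turns on a bundle change: Mozilla dropping 1024 bit roots from its store, which an OpenSSL that cannot build alternate chains then fails to verify against. The script below is an added example, not code from the ticket, WordPress core or the bundle project; it audits a PEM CA bundle for RSA roots below a chosen key size so that such a change is noticed before a bundle ships. It assumes the `openssl` command-line tool is installed, builds its own constructed throwaway 1024 bit and 2048 bit self-signed roots for the demo (no real CA certificate is embedded), and the `verify_with_bundle` helper, which mirrors the `openssl s_client` check the comment describes, takes a hostname of your choosing and needs network access, so the demo does not call it.

```shell
#!/bin/sh
# Added example (not WordPress core code): audit a PEM CA bundle for RSA
# roots below a chosen key size, the kind of check worth running on a
# bundle that still has to satisfy old OpenSSL builds.
# Requires the openssl command-line tool.

# Split the PEM bundle $1 into one file per certificate inside directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

# Print the public key size in bits of the certificate in $1 (empty if unreadable).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Report every certificate in bundle $1 against the minimum $2 bits:
# one line each with "WEAK" or "ok", the key size and the subject.
audit_bundle() {
  audit_work=$(mktemp -d)
  split_bundle "$1" "$audit_work"
  for audit_cert in "$audit_work"/cert-*.pem; do
    [ -e "$audit_cert" ] || continue
    audit_bits=$(cert_key_bits "$audit_cert")
    audit_subj=$(openssl x509 -in "$audit_cert" -noout -subject 2>/dev/null)
    if [ "${audit_bits:-0}" -lt "$2" ]; then audit_flag=WEAK; else audit_flag=ok; fi
    printf '%s\t%s bit\t%s\n' "$audit_flag" "${audit_bits:-?}" "$audit_subj"
  done
  rm -rf "$audit_work"
}

# Number of certificates in bundle $1 whose key is shorter than $2 bits.
count_weak_roots() {
  audit_bundle "$1" "$2" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# Build a constructed demo bundle in directory $1 holding a 1024 bit and a
# 2048 bit self-signed root (throwaway keys, not real CA certificates).
make_demo_bundle() {
  for demo_bits in 1024 2048; do
    openssl req -x509 -newkey "rsa:$demo_bits" -nodes -days 1 \
      -keyout "$1/root-$demo_bits.key" -out "$1/root-$demo_bits.crt" \
      -subj "/CN=Constructed demo root $demo_bits" >/dev/null 2>&1
  done
  cat "$1/root-1024.crt" "$1/root-2048.crt" > "$1/bundle.pem"
  printf '%s\n' "$1/bundle.pem"
}

# Verify a live server ($1, hypothetical hostname) against bundle $2 with
# openssl s_client, as the ticket did by hand; needs network, so the demo
# below does not call it. Prints the "Verify return code" line.
verify_with_bundle() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" 2>/dev/null |
    grep 'Verify return code'
}

# Demo: build the constructed bundle and flag everything under 2048 bits.
demo_dir=$(mktemp -d)
demo_bundle=$(make_demo_bundle "$demo_dir")
audit_bundle "$demo_bundle" 2048
printf 'roots below 2048 bits: %s\n' "$(count_weak_roots "$demo_bundle" 2048)"
rm -rf "$demo_dir"
```

Run the script as-is for the demo, or source it and call `count_weak_roots /path/to/ca-bundle.crt 2048` in a release check so that a bundle update which removes or retains short roots shows up as a number rather than as a broken site on an old OpenSSL. The threshold is a parameter because the same audit answers the opposite question too: with a low threshold it confirms that a bundle meant for hosts with backported OpenSSL still carries the roots those hosts need to build a chain.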

