[wp-trac] [WordPress Trac] #50828: Update ca-bundle.crt and remove expired certificates
WordPress Trac
noreply at wordpress.org
Sat Aug 1 08:58:33 UTC 2020
#50828: Update ca-bundle.crt and remove expired certificates
---------------------------------+---------------------
Reporter: barry | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.5
Component: Security | Version:
Severity: normal | Resolution:
Keywords: commit dev-feedback | Focuses:
---------------------------------+---------------------
Comment (by ayeshrajans):
Replying to [comment:3 desrosj]:
> @SergeyBiryukov I know it is RC, but is there any reason not to consider
> for 5.5 including as this will prevent the described issue.
>
> Going forward, it would be nice to set this to update with an NPM
> command.

Wouldn't it be possible to store separate files for the 1024-bit
certificates, and Mozilla/curl certificates in the
`src/wp-includes/certificates` directory? The final `ca-bundle.crt` file can
then be built with a simple concat of the two files.

This way, we can make updates to CA bundle directly from Curl project
(https://curl.haxx.se/ca/cacert.pem) without having to manually verify
each update. As long as the content is verbatim, we know we have the
up-to-date bundles.

As of now, the file SHA checksum is not valid, and one would need to
individually check each certificate to make sure no bits are changed. This
is obviously not to say that the patch from @barry is not to be trusted.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50828#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
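
The concatenate-and-verify approach proposed in the comment above, as an added Node.js example that is not part of the ticket and is not WordPress or curl code. It assumes the bundle is the upstream file followed by the separately stored legacy file, and that a SHA-256 checksum for the upstream file is available; all function names and the sample data are constructed for illustration.

```javascript
// Added example (not WordPress or curl code). Inputs are file contents read as strings.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// ca-bundle.crt as a plain concatenation: upstream file first, legacy roots after.
function buildBundle(upstreamPem, legacyPem) {
  return upstreamPem + legacyPem;
}

// Check a bundle against the upstream checksum and the reviewed legacy file.
function verifyBundle(bundle, upstreamSha256, legacyPem) {
  if (!bundle.endsWith(legacyPem)) return { ok: false, reason: 'legacy part differs' };
  const head = bundle.slice(0, bundle.length - legacyPem.length);
  if (sha256(head) !== upstreamSha256) return { ok: false, reason: 'upstream part differs' };
  return { ok: true, reason: 'verbatim' };
}

// SHA-256 fingerprint of each certificate's DER bytes, for per-certificate review.
function fingerprints(pem) {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  return [...pem.matchAll(re)].map((m) =>
    sha256(Buffer.from(m[1].replace(/\s+/g, ''), 'base64')));
}

// Which certificates an update adds or removes, compared by fingerprint.
function diffBundles(oldPem, newPem) {
  const before = new Set(fingerprints(oldPem));
  const after = new Set(fingerprints(newPem));
  return {
    added: [...after].filter((f) => !before.has(f)),
    removed: [...before].filter((f) => !after.has(f)),
  };
}

// Constructed sample data: placeholder blobs in PEM armor, not real certificates.
const fakeCert = (label) =>
  `${label}\n-----BEGIN CERTIFICATE-----\n` +
  `${Buffer.from('constructed ' + label).toString('base64')}\n-----END CERTIFICATE-----\n`;

const upstream = fakeCert('Root A') + fakeCert('Root B'); // stands in for cacert.pem
const legacy = fakeCert('Legacy 1024-bit Root');          // stands in for the separate file
const bundle = buildBundle(upstream, legacy);
const publishedSha256 = sha256(upstream);                 // stands in for the published checksum

console.log(verifyBundle(bundle, publishedSha256, legacy));
console.log(verifyBundle(bundle.replace('Root B', 'Root X'), publishedSha256, legacy));
console.log(diffBundles(fakeCert('Root A') + fakeCert('Expired Root'), bundle));
```

The second call changes only a label line outside the PEM armor, which the per-certificate fingerprints would not notice but the whole-file checksum does.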