[wp-trac] [WordPress Trac] #50828: Update ca-bundle.crt and remove expired certificates

WordPress Trac noreply at wordpress.org
Sat Aug 1 10:02:02 UTC 2020


#50828: Update ca-bundle.crt and remove expired certificates
-------------------------------------------+---------------------
 Reporter:  barry                          |       Owner:  (none)
     Type:  defect (bug)                   |      Status:  new
 Priority:  normal                         |   Milestone:  5.5
Component:  Security                       |     Version:
 Severity:  normal                         |  Resolution:
 Keywords:  commit dev-feedback has-patch  |     Focuses:
-------------------------------------------+---------------------
Changes (by ayeshrajans):

 * keywords:  commit dev-feedback => commit dev-feedback has-patch


Comment:

 Attaching a patch with the approach from the comment above.

 **1. Use a verbatim copy of the Mozilla certificates**

 The `cacert.pem` file is a 1:1 copy of the Curl/Mozilla certificates.
 Future updates to this bundle can be made by simply downloading the latest
 `cacert.pem` and `cacert.pem.sha256` files and overwriting the existing ones.

 See:

  - https://curl.haxx.se/ca/cacert.pem
  - https://curl.haxx.se/ca/cacert.pem.sha256
  - https://curl.haxx.se/docs/caextract.html

 **2. New `legacy-1024bit.pem` file contains the legacy certificates**

 All legacy certificates in the `ca-bundle.crt` file so far are moved to a
 new `legacy-1024bit.pem` file. We can remove certificates when necessary
 without having to re-check the upstream 2048/2096 certificates in
 `cacert.pem` file.

 **3. Removed expired certificates**

 The following 1024-bit certificates have expired and are thus removed.

  - June 20, 2020 - Equifax Secure Global eBusiness CA
  - June 20, 2020 - Equifax Secure eBusiness CA 1

 **4. Create `ca-bundle.crt` file by combining `cacert.pem` and
 `legacy-1024bit.pem` files**

 This is the original file name, so we ensure backwards compatibility.

 **Current legacy certificates**

 I checked all current legacy certificates to make sure they are valid and
 not revoked. All modern browsers will refuse to use them due to their hash
 algorithm and their being 1024 bit (not to mention the whole Symantec
 mess), but OpenSSL 0.9 should still accept them provided a CRL is not
 objecting and OpenSSL is configured to validate against an OCSP server.

  - `Thawte Server CA`:
 https://crt.sh/?q=23E594945195F2414803B4D564D2A3A3F5D88B8C
  - `Thawte Premium Server CA`:
 https://crt.sh/?q=627F8D7827656399D27D7F9044C9FEB3F33EFA9A
  - `Verisign Class 3 Public Primary Certification Authority`:
 https://crt.sh/?q=742C3192E607E424EB4549542BE1BBC53E6174E2
  - `Verisign Class 3 Public Primary Certification Authority - G2`:
 https://crt.sh/?q=85371CA6E550143DCE2803471BDE3A09E8F8770F
  - `Verisign Class 3 Public Primary Certification Authority`:
 https://crt.sh/?q=A1DB6393916F17E4185509400415C70240B0AE6B

 The first two legacy certificates expire at the end of this year, perhaps
 just in time for WordPress 5.6.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50828#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
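As an added example (not code from the ticket's patch or from WordPress), the script below carries out the four steps the comment describes: it checks a downloaded `cacert.pem` against the `cacert.pem.sha256` sidecar (assumed to use the usual `<hex>  cacert.pem` layout), splits the legacy bundle into labelled PEM blocks, drops the legacy certificates named for removal, and concatenates the rest into `ca-bundle.crt`. The PEM bodies in the sample data are constructed placeholders, not real certificates, and expiry is decided by label here, not by parsing the certificate.

```python
"""Assemble ca-bundle.crt from cacert.pem plus a pruned legacy-1024bit.pem."""
import hashlib
import re

# A PEM block as curl/Mozilla ship it; DOTALL so the base64 body spans lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def verify_sha256(data: bytes, sidecar: str) -> bool:
    """True if data matches the digest in a '<hex>  cacert.pem' sidecar file."""
    expected = sidecar.split()[0].lower()
    return hashlib.sha256(data).hexdigest() == expected


def parse_bundle(text: str):
    """Return (label, pem_block) pairs. The label is the last non-empty,
    non-underline line before each block (curl's bundle puts the CA name
    on its own line followed by a line of '=' characters)."""
    entries, label, pos = [], "", 0
    for m in PEM_RE.finditer(text):
        lines = [l.strip() for l in text[pos:m.start()].splitlines()]
        names = [l for l in lines if l and set(l) != {"="}]
        label = names[-1] if names else label
        entries.append((label, m.group(0)))
        pos = m.end()
    return entries


def build_ca_bundle(cacert: str, legacy: str, remove: set) -> str:
    """Step 4: upstream bundle verbatim, then the legacy certs not in `remove`."""
    kept = [(lbl, blk) for lbl, blk in parse_bundle(legacy) if lbl not in remove]
    tail = "".join(f"\n{lbl}\n{'=' * len(lbl)}\n{blk}\n" for lbl, blk in kept)
    return cacert.rstrip("\n") + "\n" + tail


# Constructed sample inputs (placeholder bodies, not real certificates).
CACERT_SAMPLE = ("##\n## Bundle of CA Root Certificates (constructed sample)\n##\n\n"
                 "Modern Root A\n=============\n"
                 "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
LEGACY_SAMPLE = ("Equifax Secure Global eBusiness CA\n===\n"
                 "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n\n"
                 "Thawte Server CA\n===\n"
                 "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n")
EXPIRED = {"Equifax Secure Global eBusiness CA", "Equifax Secure eBusiness CA 1"}

if __name__ == "__main__":
    sidecar = hashlib.sha256(CACERT_SAMPLE.encode()).hexdigest() + "  cacert.pem"
    assert verify_sha256(CACERT_SAMPLE.encode(), sidecar), "sidecar mismatch"
    bundle = build_ca_bundle(CACERT_SAMPLE, LEGACY_SAMPLE, EXPIRED)
    print(f"ca-bundle.crt: {len(parse_bundle(bundle))} certificates")
```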

