[wp-trac] [WordPress Trac] #52614: Cloudflare Root Certificate Missing

WordPress Trac noreply at wordpress.org
Wed Mar 17 14:39:08 UTC 2021


#52614: Cloudflare Root Certificate Missing
-----------------------------+------------------------------
 Reporter:  thesimarchitect  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:
 Severity:  minor            |  Resolution:
 Keywords:  close            |     Focuses:
-----------------------------+------------------------------

Comment (by desrosj):

 > I don't understand why it's not included or mentioned by many people
 > considering the massive number of WordPress & Cloudflare combination
 > users...

 It wasn't 100% clear for me either, so I've done some investigating. Here
 is a breakdown that should help clarify this.

 The certificates bundled in WordPress are an adjusted copy of the
 [https://wiki.mozilla.org/CA/Included_Certificates Mozilla root CA
 certificate list] distributed in their certdata.txt file, with some
 modifications to include some older 1024-bit certificates for backwards
 compatibility.

 #50828 aims to make some changes to make updating the certificate list
 shipped with WordPress easier.
 - Use the copy of the Mozilla CA certificate list from cURL (which
 maintains the [https://curl.se/docs/caextract.html Mozilla CA certificate
 store in PEM format]).
 - Maintain a separate file for legacy certificates.
 - Combine the two files into one `ca-bundle.crt` file that is shipped in
 Core.

 The missing link here is that either:
 - Mozilla needs to add Cloudflare's root certificate to their bundle.
 - WordPress needs to add a third file containing other trusted
 certificates that gets merged into the final `ca-bundle.crt` file.

 As @ayeshrajans noted above though, the second option could potentially be
 a security vulnerability, so I'm not sure it's the best option.

 I'm currently trying to find some answers to how Mozilla adds certificates
 to their list, and whether there have been any past discussions/decisions
 not to include their certificate.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52614#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
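The comment above describes a build step (take cURL's Mozilla PEM bundle, keep a separate legacy file, and merge them into one `ca-bundle.crt`) and a worry about a third file of extra roots. The script below is an added example, not code from WordPress Core, #50828 or cURL: it merges any number of PEM bundles, deduplicates by SHA-256 fingerprint of the DER, records which source file each root came from, and lists every root that would be trusted only because of a file other than the Mozilla list, which is exactly what a reviewer would want to inspect before shipping the merged bundle. The source names (`mozilla`, `legacy`, `extra`) and the certificate payloads are constructed placeholders (minimal DER SEQUENCEs, not real CA certificates); only the PEM framing is parsed, the certificates themselves are never decoded.

```python
"""Added example (not WordPress or cURL code): merge several PEM CA bundles
into one ca-bundle.crt-style file, deduplicating by SHA-256 fingerprint, and
report which roots would be trusted only because of a non-Mozilla file.
The sample certificates below are constructed placeholder DER blobs."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(text):
    """Return [(sha256_hex, der_bytes), ...] for every certificate in a bundle.

    Only the PEM framing is parsed; the DER is fingerprinted, not decoded.
    A block whose payload does not start with an ASN.1 SEQUENCE tag (0x30)
    is rejected, which catches truncated or mis-pasted blocks.
    """
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        certs.append((fingerprint(der), der))
    return certs


def to_pem(der):
    """Re-encode DER as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def merge_bundles(sources):
    """Merge an ordered {source_name: pem_text} mapping into one PEM string.

    Returns (merged_pem, provenance), where provenance maps each fingerprint
    to the list of source names that contained that certificate. Duplicates
    are written once, in first-seen order.
    """
    der_by_fp = {}
    provenance = {}
    for name, text in sources.items():
        for fp, der in parse_pem_bundle(text):
            der_by_fp.setdefault(fp, der)
            provenance.setdefault(fp, []).append(name)
    merged = "".join(to_pem(der) for der in der_by_fp.values())
    return merged, provenance


def roots_outside(provenance, baseline):
    """Fingerprints trusted only because of files other than `baseline`.

    With the Mozilla list as baseline, anything returned here is a root the
    merged bundle trusts that Mozilla does not; review each one before shipping.
    """
    return sorted(fp for fp, names in provenance.items() if baseline not in names)


# Constructed sample bundles: minimal DER SEQUENCEs standing in for real roots.
# Certificate 2 appears in both the "mozilla" and "legacy" files to exercise dedup.
SAMPLE_CERTS = {n: bytes([0x30, 0x03, 0x02, 0x01, n]) for n in (1, 2, 3, 4)}
SAMPLE_SOURCES = {
    "mozilla": to_pem(SAMPLE_CERTS[1]) + to_pem(SAMPLE_CERTS[2]),
    "legacy": to_pem(SAMPLE_CERTS[2]) + to_pem(SAMPLE_CERTS[3]),
    "extra": to_pem(SAMPLE_CERTS[4]),
}


def build_report(sources=SAMPLE_SOURCES, baseline="mozilla"):
    """Run the merge; return (merged_pem, provenance, fingerprints outside baseline)."""
    merged, provenance = merge_bundles(sources)
    return merged, provenance, roots_outside(provenance, baseline)


if __name__ == "__main__":
    merged_pem, prov, extras = build_report()
    print(f"{len(prov)} unique certificates written to the merged bundle")
    for fp in extras:
        print("not in Mozilla list:", fp[:16], "from", prov[fp])
```

Run against real files by reading each PEM bundle into the `sources` mapping in the order they should win on duplicates (Mozilla first); the provenance list then doubles as an audit trail for the merged `ca-bundle.crt`.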

