[wp-trac] [WordPress Trac] #50828: Update ca-bundle.crt and remove expired certificates
WordPress Trac
noreply at wordpress.org
Wed Nov 10 02:14:18 UTC 2021
#50828: Update ca-bundle.crt and remove expired certificates
--------------------------+-----------------------------
Reporter: barry | Owner: SergeyBiryukov
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+-----------------------------
Comment (by desrosj):
In [changeset:"52100" 52100]:
{{{
#!CommitTicketReference repository="" revision="52100"
HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.
> The currently recommended certificate chain as presented to Let’s
Encrypt ACME clients when new certificates are issued contains an
intermediate certificate (ISRG Root X1) that is signed by an old DST Root
CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL
1.0.2 version will regard the certificates issued by the Let’s Encrypt CA
as having an expired trust chain.
>
> Most up-to-date CA cert trusted bundles, as provided by operating
systems, contain this soon-to-be-expired certificate. The current CA cert
bundles also contain an ISRG Root X1 self-signed certificate. This means
that clients verifying certificate chains can find the alternative non-
expired path to the ISRG Root X1 self-signed certificate in their trust
store.
>
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers
the untrusted chain and if that chain contains a path that leads to an
expired trusted root certificate (DST Root CA X3), it will be selected for
the certificate verification and the expiration will be reported.
References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
DST Root CA X3 Expiration (September 2021)]
Follow-up to [25224], [25426], [25569], [27307], [30491], [30765],
[34283], [35919], [36570], [46094].
Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.4 branch.
Fixes #54207. See #50828.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50828#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list