[wp-trac] [WordPress Trac] #54207: ca-bundle.crt contains expired certificate DST Root CA X3
WordPress Trac
noreply at wordpress.org
Sat Oct 9 04:57:51 UTC 2021
#54207: ca-bundle.crt contains expired certificate DST Root CA X3
--------------------------+-----------------------------
Reporter: bradleyt | Owner: SergeyBiryukov
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 5.8.2
Component: Security | Version:
Severity: normal | Resolution:
Keywords: fixed-major | Focuses:
--------------------------+-----------------------------
Comment (by jnylen0):
I think I (mostly) figured it out. The fix in this ticket will work for
some sites but not all.
When the server is using cURL with an old version of OpenSSL, **and** the
expired DST Root certificate is still present in the system certificate
store, then the fix in this ticket is not enough to resolve the issue.
This is because cURL will always use the certificates in the system store,
even if another bundle is specified, and older versions of OpenSSL will
stop and report an error when they encounter an expired certificate chain.
I wrote a plugin that will fix/workaround this issue in the most secure
way possible for a given site:
https://github.com/ClassicPress-research/cp-ssl-fix
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54207#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
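
Added example (not part of the ticket comment, WordPress core, or the cp-ssl-fix plugin): a PHP diagnostic that checks a host for the two conditions the comment describes, cURL linked against an old OpenSSL and an expired DST Root CA X3 still in the system certificate store. Assumptions: "old" is taken to mean OpenSSL before 1.1.0, the system store path is the Debian/Ubuntu default, and both function names are hypothetical.

```php
<?php
// Added diagnostic sketch; requires the curl and openssl PHP extensions.

/**
 * True when cURL reports an OpenSSL backend older than 1.1.0.
 * Assumption: "old" means pre-1.1.0, the release where OpenSSL began
 * preferring trusted roots over an expired alternate chain by default.
 * Example inputs (constructed): "OpenSSL/1.0.2k-fips", "OpenSSL/1.1.1f".
 */
function curl_uses_old_openssl(string $ssl_version): bool {
    if (!preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $ssl_version, $m)) {
        return false; // other TLS backends are outside the scope of this check
    }
    return version_compare($m[1], '1.1.0', '<');
}

/** Returns the subject CNs of certificates in a PEM bundle that expired before $now. */
function expired_certs_in_bundle(string $pem_bundle, int $now): array {
    $expired = [];
    preg_match_all(
        '~-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----~s',
        $pem_bundle,
        $blocks
    );
    foreach ($blocks[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false && $info['validTo_time_t'] < $now) {
            $expired[] = $info['subject']['CN'] ?? $info['name'];
        }
    }
    return $expired;
}

// Assumption: Debian/Ubuntu system store path; adjust for the host being checked.
$system_store = '/etc/ssl/certs/ca-certificates.crt';

$ssl     = curl_version()['ssl_version'];
$old     = curl_uses_old_openssl($ssl);
$expired = is_readable($system_store)
    ? expired_certs_in_bundle(file_get_contents($system_store), time())
    : [];
$has_dst = in_array('DST Root CA X3', $expired, true);

printf("cURL SSL backend: %s (old OpenSSL: %s)\n", $ssl, $old ? 'yes' : 'no');
printf("Expired DST Root CA X3 in %s: %s\n", $system_store, $has_dst ? 'yes' : 'no');
printf("Both conditions from the comment present: %s\n", ($old && $has_dst) ? 'yes' : 'no');
```

When both lines report "yes", the host matches the case in which, per the comment, replacing the bundled ca-bundle.crt alone does not resolve the error.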