Commit Graph

12 Commits

Author SHA1 Message Date
Sergey Biryukov
b5f1eb9103 HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.
> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.
> 
> Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.
> 
> Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:
* [https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2]
* [https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ DST Root CA X3 Expiration (September 2021)]

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere.
Fixes #54207. See #50828.
Built from https://develop.svn.wordpress.org/trunk@51883


git-svn-id: http://core.svn.wordpress.org/trunk@51476 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-10-03 17:51:06 +00:00
Sergey Biryukov
90672b07ab HTTP: Update the Root Certificate bundle.
Keep 1024-bit legacy root certificates re-added in [35919], except for those already expired, for compatibility with older OpenSSL versions.

Props barry, ayeshrajans, desrosj, whyisjake.
See #50828.
Built from https://develop.svn.wordpress.org/trunk@48707


git-svn-id: http://core.svn.wordpress.org/trunk@48469 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-08-01 14:09:06 +00:00
Sergey Biryukov
b552f449db HTTP: Update the Root Certificate bundle.
Keep 1024-bit legacy root certificates re-added in [35919], except for those already expired, for compatibility with older OpenSSL versions.

Props skithund, paragoninitiativeenterprises.
Fixes #45807.
Built from https://develop.svn.wordpress.org/trunk@46094


git-svn-id: http://core.svn.wordpress.org/trunk@45906 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-12 12:04:59 +00:00
Drew Jaynes
b1804afeaf Docs: Standardize on 'backward compatibility/compatible' nomenclature in core inline docs.
Also use 'back-compat' in some inline comments where backward compatibility is the subject and shorthand feels more natural.

Note: 'backwards compatibility/compatible' can also be considered correct, though it's primarily seen in regular use in British English.

Props ocean90.
Fixes #36835.

Built from https://develop.svn.wordpress.org/trunk@37431


git-svn-id: http://core.svn.wordpress.org/trunk@37397 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-13 18:41:31 +00:00
Dion Hulse
04ad9e674d HTTP API: Certificate bundle: Attempt to move a certificate lower in the file to allow older OpenSSL versions to parse it & communicate with WordPress.org securely again.
The OpenSSL version which was failing in this case was `OpenSSL 0.9.8e 23 Feb 2007`.

See #35637 #30434 #25007

Built from https://develop.svn.wordpress.org/trunk@36570


git-svn-id: http://core.svn.wordpress.org/trunk@36537 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-18 08:21:28 +00:00
Dion Hulse
e8b2a769ee HTTP: Partially revert [34283] which removed the 1024bit certificates from our trust store.
Most browsers no longer trust 1024bit certificates, or certificates signed by them, instead verifying them by a trusted intermediate or a cross-sign from another trusted certificate.

Unfortunately, as it turns out, OpenSSL prior to 1.0.1g cannot correctly handle certificate chains such as this, even if one of the intermediates is trusted.
The solution is that we need to continue to trust the 1024bit legacy root certificates for the foreseeable future.

This adds the following certificates back into our trust store:
{{{
GTE CyberTrust Global Root
Thawte Server CA
Thawte Premium Server CA
Verisign Class 3 Public Primary Certification Authority
Verisign Class 3 Public Primary Certification Authority - G2
ValiCert Class 1 VA
ValiCert Class 2 VA
RSA Root Certificate 1
Entrust.net Secure Server CA
Equifax Secure Global eBusiness CA
Equifax Secure eBusiness CA 1
America Online Root Certification Authority 1
America Online Root Certification Authority 2
NetLock Business (Class B) Root
NetLock Express (Class C) Root
Verisign Class 3 Public Primary Certification Authority
}}}

Props rmccue
Fixes #34935 for trunk.

Built from https://develop.svn.wordpress.org/trunk@35919


git-svn-id: http://core.svn.wordpress.org/trunk@35883 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-14 05:20:28 +00:00
Dion Hulse
9f61845204 HTTP: Update the Root Certificate bundle.
See #30434

Built from https://develop.svn.wordpress.org/trunk@34283


git-svn-id: http://core.svn.wordpress.org/trunk@34247 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-18 08:43:26 +00:00
Dion Hulse
26b85eb9b3 WP_HTTP: Revert r30491 which updated the bundled root certificates. There's a report that this is breaking under certain PHP/OpenSSL versions (which we've encountered before), and we're safer with a slightly out of date CA bundle than breaking HTTPS communication on affected sites.
See #30434

Built from https://develop.svn.wordpress.org/trunk@30765


git-svn-id: http://core.svn.wordpress.org/trunk@30755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-07 03:13:22 +00:00
Dion Hulse
330ab9d484 Update the bundled root CAs used for outgoing HTTPS requests.
Fixes #30434

Built from https://develop.svn.wordpress.org/trunk@30491


git-svn-id: http://core.svn.wordpress.org/trunk@30480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-21 03:03:22 +00:00
Dion Hulse
d55eb3901c WP_HTTP: Update the Root Certificate bundle used for SSL communication by WP_HTTP.
This file has been generated from the latest Mozilla NSS release.
Fixes #27017

Built from https://develop.svn.wordpress.org/trunk@27307


git-svn-id: http://core.svn.wordpress.org/trunk@27160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-27 02:33:14 +00:00
Dion Hulse
a40b05fc0b Move a certificate higher in the file (end to start) so that PHP 5.2.x (OpenSSL 0.9.8j and earlier) can parse the file correctly. See #25007
Built from https://develop.svn.wordpress.org/trunk@25569


git-svn-id: http://core.svn.wordpress.org/trunk@25487 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-23 13:59:11 +00:00
Dion Hulse
3ac572867e WP_HTTP: Replacing the Fsockopen & Streams Transports with a new Streams transport which fully supports HTTPS communication.
This changeset also bundles ca-bundle.crt from the Mozilla project to allow for us to verify SSL certificates on hosts which have an incomplete, outdated, or invalid local SSL configuration.
Props rmccue for major assistance getting this far. See #25007 for discussion, also Fixes #16606

Built from https://develop.svn.wordpress.org/trunk@25224


git-svn-id: http://core.svn.wordpress.org/trunk@25194 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-04 04:49:12 +00:00