
Updated cacert.pem #212

Closed
wants to merge 2 commits into from

Conversation

@lombo commented May 20, 2016

We are now using an Apr 2016 version instead of a Dec 2012 one.

At least the COMODO RSA Certification Authority was missing.

@codecov-io commented Aug 11, 2016

Codecov Report

Merging #212 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master     #212   +/-   ##
=======================================
  Coverage   92.22%   92.22%           
=======================================
  Files          21       21           
  Lines        1762     1762           
=======================================
  Hits         1625     1625           
  Misses        137      137
Impacted Files                              Coverage Δ
library/Requests/Transport/fsockopen.php    94.11% <0%> (-0.59%) ⬇️
library/Requests/SSL.php                    100%   <0%> (+2.27%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b5ffd8...f14aeee.

@haruair commented Apr 10, 2018

It would be great to have this PR. I know there is $options['verify'], but this is just for convenience. Could you consider this, @rmccue? Thanks!

@rmccue (Collaborator) commented Apr 11, 2018

@dd32 Any chance you could take a look at updating the file? Don't want to break the compatibility things we had to alter last time.

@lombo (Author) commented Apr 11, 2018

@rmccue done!

@rmccue (Collaborator) commented Apr 11, 2018

For compatibility with older versions of cURL, we've had to manually alter the file in the past to reorder certificates. @dd32 handled this last time, so I'm not sure of the exact process for it.

@dd32 (Member) commented Apr 11, 2018

For the WordPress changes - as per https://core.trac.wordpress.org/log/trunk/src/wp-includes/certificates/ca-bundle.crt

Testing the change isn't easy, I believe I spun up known broken versions (see above) and found URLs which triggered the failure. The above commits may lead back to a site url which was affected at the time, but they've probably changed SSL certs by now.
Unfortunately I can't spend any time on verifying any of the above at this point.
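As an added example (not code from the Requests project or from WordPress core), the script below applies the two manual alterations recorded in that WordPress log, which soulseekah quotes further down in this thread: move one named certificate to the top of the file, and re-append roots that Mozilla has since dropped. It also reports CAs that a bundle is missing, which is how the COMODO gap noted in the first comment would be caught before shipping. It assumes the layout written by curl's mk-ca-bundle script (CA name line, '=' underline, one PEM block per CA); the two sample bundles at the bottom are constructed with placeholder PEM bodies and are not real certificates.

```python
"""Audit and adjust a curl/Mozilla-format CA bundle (cacert.pem).

Added example; not code from the Requests project or from WordPress core.
Assumes the layout written by curl's mk-ca-bundle: an optional '##' comment
header, then per CA a name line, an '=' underline and one PEM block:

    GlobalSign Root CA
    ==================
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The bundles at the bottom are constructed samples whose PEM bodies are
placeholders, not real certificates; the CA names are only labels.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (CA name line, PEM block without trailing newline)

ENTRY_RE = re.compile(
    r"^(?P<name>[^\n=][^\n]*)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)\n",
    re.S | re.M,
)


def parse_bundle(text: str) -> Tuple[str, List[Entry]]:
    """Split a bundle into its leading comment header and its entries, in file order."""
    matches = list(ENTRY_RE.finditer(text))
    header = text[: matches[0].start()] if matches else text
    return header, [(m.group("name"), m.group("pem")) for m in matches]


def render_bundle(header: str, entries: List[Entry]) -> str:
    """Inverse of parse_bundle; entries are separated by one blank line."""
    return header + "\n".join(
        f"{name}\n{'=' * len(name)}\n{pem}\n" for name, pem in entries
    )


def missing(entries: List[Entry], required: List[str]) -> List[str]:
    """Required CAs that the bundle does not carry (the PR's COMODO case)."""
    present = {name for name, _ in entries}
    return [name for name in required if name not in present]


def dropped(new: List[Entry], old: List[Entry]) -> List[str]:
    """CAs present in the previous bundle that the new one no longer ships."""
    kept = {name for name, _ in new}
    return [name for name, _ in old if name not in kept]


def move_to_top(entries: List[Entry], name: str) -> List[Entry]:
    """Make `name` the first certificate in the file (the reorder rmccue refers
    to). Raises KeyError if the CA is absent instead of shipping the file unchanged."""
    for i, entry in enumerate(entries):
        if entry[0] == name:
            return [entry] + entries[:i] + entries[i + 1:]
    raise KeyError(f"{name!r} is not in the bundle")


def merge_dropped(new: List[Entry], old: List[Entry], keep: List[str]) -> List[Entry]:
    """Re-append selected CAs that Mozilla removed, taking their PEM from the
    old bundle (the legacy-root rule). Entries already in `new` are not duplicated."""
    present = {name for name, _ in new}
    return new + [e for e in old if e[0] in keep and e[0] not in present]


def prepare_bundle(new_text: str, old_text: str, top: str, keep: List[str]) -> str:
    """Apply both manual alterations to a freshly downloaded bundle."""
    header, new = parse_bundle(new_text)
    _, old = parse_bundle(old_text)
    return render_bundle(header, merge_dropped(move_to_top(new, top), old, keep))


# --- constructed sample data (placeholder bodies, not certificates) ---------

def _entry(name: str, body: str) -> str:
    return (f"{name}\n{'=' * len(name)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n")


HEADER = "##\n## Bundle of CA Root Certificates (constructed sample)\n##\n\n"
OLD_BUNDLE = HEADER + "\n".join([
    _entry("Example Legacy 1024-bit Root", "T0xEMTAyNA=="),
    _entry("GlobalSign Root CA", "R0xPQkFMU0lHTg=="),
])
NEW_BUNDLE = HEADER + "\n".join([
    _entry("GlobalSign Root CA", "R0xPQkFMU0lHTg=="),
    _entry("COMODO RSA Certification Authority", "Q09NT0RP"),
])

if __name__ == "__main__":
    _, new = parse_bundle(NEW_BUNDLE)
    _, old = parse_bundle(OLD_BUNDLE)
    print("missing:", missing(new, ["COMODO RSA Certification Authority"]))
    print("dropped since last bundle:", dropped(new, old))
    print(prepare_bundle(NEW_BUNDLE, OLD_BUNDLE,
                         "COMODO RSA Certification Authority",
                         ["Example Legacy 1024-bit Root"]))
```

Running `dropped()` against the previous release's file before every update is the cheap half of the check: it lists exactly which roots Mozilla removed, so the decision to re-add a legacy 1024-bit root for old cURL/OpenSSL builds is made explicitly rather than discovered when a host stops verifying. The reorder and merge are purely textual, so the PEM bodies are never decoded and the script cannot corrupt a certificate it does not understand.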

@soulseekah (Contributor)

I have compiled the three versions of OpenSSL to test the Mozilla CACert.pem from Wed Mar 7 04:12:06 2018 GMT (SHA 704f02707ec6b4c4a7597a8c6039b020def11e64f3ef0605a9c3543d48038a57)

0.9.8e (no-asm)

We moved a certificate around in the file to allow an older OpenSSL to parse the file

The certificate is no longer at the top in the latest bundle.

> openssl version  
OpenSSL 0.9.8e 23 Feb 2007

[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host wordpress.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host www.id.ee -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host letencrypt.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host mozilla.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host api.mailchimp.com -port 443

1.0.1e (no-asm)

We include the legacy 1024bit certificates which have been removed

I think everyone has switched to 2048 by now; I couldn't find a host that still serves one. Thoughts?

> openssl version  
OpenSSL 1.0.1e 11 Feb 2013

[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host wordpress.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host www.id.ee -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host letencrypt.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host mozilla.org -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host api.mailchimp.com -port 443
[ok] openssl s_client -CAfile ../cacert.pem -CApath /dev/null -host paypal.com -port 443

Any other endpoints or versions I should be testing?

P.S. Would be nice to have automated tests for updates to the CA file, I'll work on one I think.
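An added example of the automated check asked for above; it is not the Requests project's code. It drives the same `openssl s_client -CAfile ... -CApath /dev/null` invocation used in the comment for every (OpenSSL build, host) pair, parses the `Verify return code` line that s_client prints, and produces an [ok]/[FAIL] list. The binary paths and host list under `__main__` are assumptions to edit; the SAMPLE_* strings are constructed fragments of s_client output used only to exercise the parser offline, and the assumption that a build as old as 0.9.8e rejects `-servername` is handled by probing the help text rather than hard-coding it.

```python
"""Run `openssl s_client` from several OpenSSL builds against a list of hosts
with a candidate CA bundle and collect the verification result per pair.

Added example; not the Requests project's code. Binary paths and host names
under __main__ are assumptions; the SAMPLE_* strings are constructed, though
the "Verify return code: N (text)" line in them is what s_client prints.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

VERIFY_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)\s*$", re.M)

Result = Optional[Tuple[int, str]]  # None: no verification summary at all


def parse_verify(output: str) -> Result:
    """Pull (code, text) out of s_client output. 0 is a verified chain; 20
    ("unable to get local issuer certificate") is what a bundle the build
    cannot use produces; None means the handshake never got that far
    (connection refused, unknown flag on an old build, ...)."""
    m = VERIFY_RE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None


def supports_servername(openssl_bin: str) -> bool:
    """Only pass -servername (SNI) where the build's help output advertises it;
    on a build without TLS extensions the unknown flag would mask the result."""
    proc = subprocess.run([openssl_bin, "s_client", "-help"],
                          capture_output=True, text=True)
    return "-servername" in proc.stdout + proc.stderr


def s_client_cmd(openssl_bin: str, cafile: str, host: str,
                 port: int = 443, sni: bool = False) -> List[str]:
    """-CApath /dev/null, as in the commands above, keeps the system trust
    directory out of the test so only the candidate bundle can verify the chain."""
    cmd = [openssl_bin, "s_client", "-CAfile", cafile, "-CApath", "/dev/null",
           "-connect", f"{host}:{port}"]
    if sni:
        cmd += ["-servername", host]
    return cmd


def check_host(openssl_bin: str, cafile: str, host: str,
               port: int = 443, timeout: int = 20) -> Result:
    cmd = s_client_cmd(openssl_bin, cafile, host, port, supports_servername(openssl_bin))
    # Empty stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return parse_verify(proc.stdout + proc.stderr)


def run_matrix(builds: List[Tuple[str, str]], cafile: str,
               hosts: List[str]) -> Dict[Tuple[str, str], Result]:
    return {(label, host): check_host(binary, cafile, host)
            for label, binary in builds for host in hosts}


def summarize(results: Dict[Tuple[str, str], Result]) -> List[str]:
    """One line per (build, host), in the [ok]/[FAIL] style used above."""
    lines = []
    for (label, host), res in sorted(results.items()):
        if res is None:
            lines.append(f"[??] {label} {host}: no verify summary")
        else:
            code, text = res
            lines.append(f"[{'ok' if code == 0 else 'FAIL'}] {label} {host}: {code} {text}")
    return lines


# Constructed s_client output fragments for offline checks of the parser.
SAMPLE_OK = "---\nSSL-Session:\n    Protocol  : TLSv1.2\n    Verify return code: 0 (ok)\n---\n"
SAMPLE_FAIL = ("---\nSSL-Session:\n"
               "    Verify return code: 20 (unable to get local issuer certificate)\n---\n")

if __name__ == "__main__":
    BUILDS = [("0.9.8e", "/opt/openssl-0.9.8e/bin/openssl"),   # assumed paths
              ("1.0.1e", "/opt/openssl-1.0.1e/bin/openssl")]
    HOSTS = ["wordpress.org", "mozilla.org"]
    for line in summarize(run_matrix(BUILDS, "cacert.pem", HOSTS)):
        print(line)
```

Treat a `[??]` line as a failure of the harness, not of the bundle: it means the verification summary was never printed, so the run says nothing about the CA file. The distinction matters for the older builds discussed here, where an unsupported flag or a cipher mismatch fails before the chain is ever checked.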

@soulseekah (Contributor)

I've built a quick workbench here https://github.com/soulseekah/libssl-cacert-tests if anyone wants to send in more test certificates (preferably current ones that are encountered in the wild).

@JC5 commented May 7, 2018

I am curious why this is not yet merged.

@jrfnl (Member) commented Oct 18, 2020

Closing as fixed by #385
