Making WordPress.org

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#5917 closed defect (bug) (duplicate)

TLS Certificates in alternative domains

Reported by: javiercasares's profile JavierCasares Owned by:
Milestone: Priority: high
Component: SSL Keywords:
Cc:

Description

I was accessing wp.org and found an alert in my browser (Firefox) about the certificate mismatch.

Thereafter, checking the certificates, I found this:

wordpress.org

Common names: *.wordpress.org
Alternative names: *.wordpress.org wordpress.org

Everything looks good, although...

This server supports TLS 1.0 and TLS 1.1. We should think about changing that.

Also, using some weak Cipher Suites.

https://www.ssllabs.com/ssltest/analyze.html?d=wordpress.org&hideResults=on

w.org

Common names: *.w.org
Alternative names: *.w.org w.org

Same about TLS 1.0 and TLS 1.1. Also, using some weak Cipher Suites.

https://www.ssllabs.com/ssltest/analyze.html?d=w.org&hideResults=on

wp.org

Common names: *.wordpress.org
Alternative names: *.wordpress.org wordpress.org MISMATCH

Seems that this domain is not using the appropriate certificate.

https://www.ssllabs.com/ssltest/analyze.html?d=wp.org&hideResults=on

Please, check that :)

Change History (4)

#1 @dd32
3 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

See #5049 for the wp.org domain.

This server supports TLS 1.0 and TLS 1.1.
Also, using some weak Cipher Suites.

I believe this is mostly for compatibility, and is the same SSL configuration used for WordPress.com as well. I believe a number of PHP installations on OpenSSL 0.9x are also limited to the older ciphers - although I can't be sure, since every installation of OpenSSL could be different (and I don't have access to the SSL logs)

Systems have also removed insecure ciphers over time, but like I've mentioned, there's a limit to how much can be removed while also remaining compatible with existing clients (and it's not really worth splitting configuration for api/downloads from the rest of dotorg).

If there's any specific cipher you'd like to see removed, let us know :)

Apart from the the above, I'm going to close it as a duplicate of the above ticket for now.

#2 follow-up: @JavierCasares
3 years ago

About the ciphers, OK (no problem there)... About TLS 1.0 and 1.1, remember that are considered insecure as the IETF propose (RFC8996) https://datatracker.ietf.org/doc/rfc8996/ deprecating TLS 1.0 and TLS 1.1.

#3 in reply to: ↑ 2 ; follow-up: @dd32
3 years ago

Replying to JavierCasares:

About the ciphers, OK (no problem there)... About TLS 1.0 and 1.1, remember that are considered insecure as the IETF propose (RFC8996) https://datatracker.ietf.org/doc/rfc8996/ deprecating TLS 1.0 and TLS 1.1.

Looks like TLS 1.2 support was added in OpenSSL 1.0.1, unsure of what versions of that are actually used, #core48116 might help figure that out.

#4 in reply to: ↑ 3 @JavierCasares
3 years ago

More about "older" versions of OpenSSL (<=1.0.2)

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

More about:

The latest stable version is the 3.0 series. Also available is the 1.1.1 series which is our Long Term Support (LTS) version, supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.0 or 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available.

Version 0, edited 3 years ago by JavierCasares (next)
Note: See TracTickets for help on using tickets.