#5917 closed defect (bug) (duplicate)
TLS Certificates in alternative domains
Reported by: | JavierCasares | Owned by: | |
---|---|---|---|
Milestone: | Priority: | high | |
Component: | SSL | Keywords: | |
Cc: |
Description
I was accessing wp.org and found an alert in my browser (Firefox) about the certificate mismatch.
Thereafter, checking the certificates, I found this:
wordpress.org
Common names: *.wordpress.org
Alternative names: *.wordpress.org wordpress.org
Everything looks good, although...
This server supports TLS 1.0 and TLS 1.1. We should think about changing that.
Also, using some weak Cipher Suites.
https://www.ssllabs.com/ssltest/analyze.html?d=wordpress.org&hideResults=on
w.org
Common names: *.w.org
Alternative names: *.w.org w.org
Same about TLS 1.0 and TLS 1.1. Also, using some weak Cipher Suites.
https://www.ssllabs.com/ssltest/analyze.html?d=w.org&hideResults=on
wp.org
Common names: *.wordpress.org
Alternative names: *.wordpress.org wordpress.org MISMATCH
Seems that this domain is not using the appropriate certificate.
https://www.ssllabs.com/ssltest/analyze.html?d=wp.org&hideResults=on
Please, check that :)
Change History (4)
#2
follow-up:
↓ 3
@
3 years ago
About the ciphers, OK (no problem there)... About TLS 1.0 and 1.1, remember that are considered insecure as the IETF propose (RFC8996) https://datatracker.ietf.org/doc/rfc8996/ deprecating TLS 1.0 and TLS 1.1.
#3
in reply to:
↑ 2
;
follow-up:
↓ 4
@
3 years ago
Replying to JavierCasares:
About the ciphers, OK (no problem there)... About TLS 1.0 and 1.1, remember that are considered insecure as the IETF propose (RFC8996) https://datatracker.ietf.org/doc/rfc8996/ deprecating TLS 1.0 and TLS 1.1.
Looks like TLS 1.2 support was added in OpenSSL 1.0.1, unsure of what versions of that are actually used, #core48116 might help figure that out.
#4
in reply to:
↑ 3
@
3 years ago
More about "older" versions of OpenSSL (<=1.0.2)
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
More about:
The latest stable version is the 3.0 series. Also available is the 1.1.1 series which is our Long Term Support (LTS) version, supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.0 or 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available.
See #5049 for the wp.org domain.
I believe this is mostly for compatibility, and is the same SSL configuration used for WordPress.com as well. I believe a number of PHP installations on OpenSSL 0.9x are also limited to the older ciphers - although I can't be sure, since every installation of OpenSSL could be different (and I don't have access to the SSL logs)
Systems have also removed insecure ciphers over time, but like I've mentioned, there's a limit to how much can be removed while also remaining compatible with existing clients (and it's not really worth splitting configuration for api/downloads from the rest of dotorg).
If there's any specific cipher you'd like to see removed, let us know :)
Apart from the the above, I'm going to close it as a duplicate of the above ticket for now.