Making WordPress.org

Opened 3 years ago

Last modified 3 years ago

#632 new defect

Unknown message digest algorithm

Reported by: johnbillion
Owned by:
Milestone:
Priority: normal
Component: SSL
Keywords:
Cc:

Description

Reported on #WP29816. The following error is preventing a user from updating to 4.0 when the install attempts to download the ZIP file over HTTPS:

error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm

This sounds to me like an incompatibility with whichever version of openssl is on the host server and the message digest algorithm used by wordpress.org.

Change History (3)

#1 @Otto42
3 years ago

That error is caused by the server having an older version of curl (or the curl PHP library) with an outdated version of OpenSSL, which lacks support for certificates using the "sha256WithRSAEncryption" signature algorithm.

The WordPress.org certificate uses sha256WithRSAEncryption.

So, this is probably a wontfix. The user or host needs to update to a modern version of curl and OpenSSL. The use of SHA-1 is deprecated for certificates, and most CAs have moved on to not issue them anymore. By 2016, there should be almost no certificates using it, so his version of curl/OpenSSL will stop working by then anyway.

More to the point, even Google is trying to kill off SHA-1. So, it's bound to happen eventually. Everybody gotta upgrade.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

Last edited 3 years ago by Otto42

#2 @dd32
3 years ago

This is probably a wontfix; however, it'd be interesting to know where the cutoff is. Some hosts run modern PHP with severely outdated cURL installs, and if we can easily say that "support was added in 2005 for sha256WithRSAEncryption" then it's a lot easier to blame the host.

#3 @Otto42
3 years ago

OpenSSL 0.9.8o and 1.0.0a (1 Jun 2010) added the default-to-on support for the SHA2 library of algorithms wrt SSL.

https://www.openssl.org/docs/ssl/SSL_library_init.html

OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). Applications which need to use SHA2 in earlier versions of OpenSSL should call OpenSSL_add_all_algorithms() as well.

However, it appears that every version of 0.9.8 and up (5 Jul 2005) had optional support for it, if you called the OpenSSL_add_all_algorithms() function:
http://marc.info/?l=openssl-users&m=135355590501495&w=2

Curl appears to have added this particular call to their trunk code in 2009:
http://sourceforge.net/p/curl/bugs/848/
