Making WordPress.org

Opened 10 years ago

Closed 7 years ago

#632 closed defect (bug) (wontfix)

Unknown message digest algorithm

Reported by: johnbillion Owned by:
Milestone: Priority: normal
Component: SSL Keywords:
Cc:

Description

Reported on #WP29816. The following error is preventing a user from updating to 4.0 when the install attempts to download the ZIP file over HTTPS:

error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm

This sounds to me like an incompatibility between whichever version of OpenSSL is on the host server and the message digest algorithm used by wordpress.org.

Change History (4)

#1 @Otto42
10 years ago

That error is caused by the server having an older version of curl (or the curl PHP library) with an outdated version of OpenSSL, which lacks support for certificates using the "sha256WithRSAEncryption" signature algorithm.

The WordPress.org certificate uses sha256WithRSAEncryption.

So, this is probably a wontfix. The user or host needs to update to a modern version of curl and OpenSSL. The use of SSH-1 is deprecated for certificates, and most CAs have moved on to not issue them anymore. By 2016, there should be almost no certificates using it, so his version of curl/OpenSSL will stop working by then anyway.

More to the point, even Google is trying to kill off SHA-1. So, it's bound to happen eventually. Everybody gotta upgrade.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html


#2 @dd32
10 years ago

This is probably a wontfix; however, it'd be interesting to know where the cutoff is. Some hosts run modern PHP with severely outdated cURL installs, and if we can easily say that "support was added in 2005 for sha256WithRSAEncryption" then it's a lot easier to blame the host.

#3 @Otto42
10 years ago

OpenSSL 0.9.8o and 1.0.0a (1 Jun 2010) added the default-to-on support for the SHA2 library of algorithms wrt SSL.

https://www.openssl.org/docs/ssl/SSL_library_init.html

OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). Applications which need to use SHA2 in earlier versions of OpenSSL should call OpenSSL_add_all_algorithms() as well.

However, it appears that every version of 0.9.8 and up (5 Jul 2005) had optional support for it, if you called the OpenSSL_add_all_algorithms() function:
http://marc.info/?l=openssl-users&m=135355590501495&w=2

Curl appears to have added this particular call to their trunk code in 2009:
http://sourceforge.net/p/curl/bugs/848/
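
The version cutoffs given in comment #3, turned into a host check (an added example, not part of the ticket and not WordPress, curl or OpenSSL code). The function name and the sample version strings are constructed for illustration, and treating releases before 0.9.8 as having no SHA-2 support is an assumption.

```python
import re

# Cutoffs quoted in comment #3: the first letter release on each branch whose
# SSL_library_init() registers the SHA-2 digests by default.
DEFAULT_ON = {(0, 9, 8): "o", (1, 0, 0): "a"}
# First branch where SHA-2 is available if the application calls
# OpenSSL_add_all_algorithms() itself.
OPTIONAL_FROM = (0, 9, 8)

# Matches "OpenSSL/0.9.8e" (libcurl style) and "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)")


def sha2_cert_support(ssl_version):
    """Return 'default', 'optional', 'none' or 'unknown' for a version string."""
    m = _VERSION.search(ssl_version)
    if m is None:
        return "unknown"  # not OpenSSL; the ticket gives no cutoff for other stacks
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if branch < OPTIONAL_FROM:
        return "none"  # assumption: the ticket only documents support from 0.9.8 on
    if branch in DEFAULT_ON:
        # Letter releases sort as strings within a branch: "" < "a" < "o" < "zh".
        # Note that plain 1.0.0 is newer than 0.9.8o but still below its own cutoff.
        return "default" if letter >= DEFAULT_ON[branch] else "optional"
    return "default" if branch > (1, 0, 0) else "optional"


if __name__ == "__main__":
    # Constructed sample strings in the shape libcurl reports its SSL backend.
    samples = [
        "libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3",
        "libcurl/7.19.7 OpenSSL/0.9.8o zlib/1.2.3",
        "libcurl/7.21.0 OpenSSL/1.0.0 zlib/1.2.3",
        "libcurl/7.29.0 OpenSSL/1.0.1e-fips zlib/1.2.7",
        "libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3",
    ]
    for s in samples:
        print(f"{sha2_cert_support(s):8}  {s}")
```

A result of `optional` means the outcome depends on whether the curl build on that host already makes the `OpenSSL_add_all_algorithms()` call mentioned above.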

#4 @dd32
7 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

It's been 3 years, nothing's changed, I'm going to close this as wontfix.
