Opened 10 years ago
Closed 7 years ago
#632 closed defect (bug) (wontfix)
Unknown message digest algorithm
Reported by: | johnbillion | Owned by: | 
---|---|---|---
Milestone: | | Priority: | normal
Component: | SSL | Keywords: | 
Cc: | | | 
Description
Reported on #WP29816. The following error is preventing a user from updating to 4.0 when the install attempts to download the ZIP file over HTTPS:
error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
This sounds to me like an incompatibility with whichever version of openssl is on the host server and the message digest algorithm used by wordpress.org.
Change History (4)
#2 @ 10 years ago
This is probably a wontfix; however, it'd be interesting to know where the cutoff is. Some hosts run modern PHP with severely outdated cURL installs, and if we can easily say that "support was added in 2005 for sha256WithRSAEncryption" then it's a lot easier to blame the host.
#3 @ 10 years ago
OpenSSL 0.9.8o and 1.0.0a (1 Jun 2010) added the default-to-on support for the SHA2 library of algorithms wrt SSL.
https://www.openssl.org/docs/ssl/SSL_library_init.html
OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init(). Applications which need to use SHA2 in earlier versions of OpenSSL should call OpenSSL_add_all_algorithms() as well.
However, it appears that every version of 0.9.8 and up (5 Jul 2005) had optional support for it, if you called the OpenSSL_add_all_algorithms() function:
http://marc.info/?l=openssl-users&m=135355590501495&w=2
Curl appears to have added this particular call to their trunk code in 2009:
http://sourceforge.net/p/curl/bugs/848/
That error is caused by the server having an older version of curl (or the curl PHP library) with an outdated version of OpenSSL, which lacks support for certificates using the "sha256WithRSAEncryption" signature algorithm.
The WordPress.org certificate uses sha256WithRSAEncryption.
So, this is probably a wontfix. The user or host needs to update to a modern version of curl and OpenSSL. The use of SHA-1 is deprecated for certificates, and most CAs have moved on to not issue them anymore. By 2016, there should be almost no certificates using it, so his version of curl/OpenSSL will stop working by then anyway.
More to the point, even Google is trying to kill off SHA-1. So, it's bound to happen eventually. Everybody gotta upgrade.
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
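Comment #3 pins the SHA-2 digest cutoffs to specific OpenSSL releases (0.9.8o / 1.0.0a for default registration, 0.9.8 and up with an explicit OpenSSL_add_all_algorithms() call). The following script, added here as an example and not code from the ticket, from WordPress or from cURL, turns those cutoffs into a check a host admin can run against their own stack: it pulls the signatureAlgorithm OID out of a DER certificate with a small ASN.1 walker, classifies an OpenSSL version string against the thresholds quoted above, and reports whether the certificate can be verified at all, only with an application-level OpenSSL_add_all_algorithms() call, or out of the box. The certificate it parses is a stub constructed inline for the example (not the wordpress.org certificate); the OID table, the verdict labels, and the rule used to order patch letters such as 0.9.8z < 0.9.8za are the example's own assumptions.

```python
import base64
import re

# PKCS#1 signature algorithm OIDs; this mapping table is the example's own.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha2"),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '0.9.8o', '1.0.1e-fips' or full `openssl version` output into a sortable tuple.
    Patch letters are ordered by (length, letters), so 0.9.8 < 0.9.8a < 0.9.8z < 0.9.8za
    (an assumption that matches how the 0.9.8 branch was lettered)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), (len(letters), letters))


def sha2_support(openssl_version):
    """Classify SHA-2 digest availability using the cutoffs cited in comment #3:
    'none'        - before 0.9.8: no SHA-2 digests at all
    'application' - 0.9.8 up to 0.9.8n, and plain 1.0.0: only if the application
                    (e.g. curl) calls OpenSSL_add_all_algorithms()
    'default'     - 0.9.8o+, 1.0.0a+ and every later branch: SSL_library_init() registers them"""
    v = parse_openssl_version(openssl_version)
    base = v[:3]
    if base < (0, 9, 8):
        return "none"
    if base == (0, 9, 8):
        return "default" if v >= parse_openssl_version("0.9.8o") else "application"
    if base == (1, 0, 0):
        return "default" if v >= parse_openssl_version("1.0.0a") else "application"
    return "default"


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate, open the AlgorithmIdentifier, return its OID."""
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = der_read(cert)           # tbsCertificate, not parsed here
    _, sig_alg, _ = der_read(cert, pos)     # signatureAlgorithm
    tag, oid, _ = der_read(sig_alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode, for feeding a real certificate file in."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def diagnose(cert_der, openssl_version):
    """Return (signature algorithm name, verdict) for this certificate on this OpenSSL.
    Verdict labels are the example's own: 'ok', 'needs-add-all-algorithms',
    'unsupported', or 'not-affected' when the certificate is not SHA-2 signed."""
    oid = signature_algorithm_oid(cert_der)
    name, family = SIGNATURE_OIDS.get(oid, (oid, "other"))
    if family != "sha2":
        return name, "not-affected"
    verdict = {"default": "ok", "application": "needs-add-all-algorithms", "none": "unsupported"}
    return name, verdict[sha2_support(openssl_version)]


# --- constructed sample input (not a real certificate) ---------------------------------

def der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Constructed stub: correct outer Certificate layout, dummy tbsCertificate and signature.
    Only the signatureAlgorithm field is meaningful; this would never verify."""
    tbs = der(0x30, der(0x02, b"\x02"))                                   # SEQUENCE { INTEGER 2 }
    sig_alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # { oid, NULL }
    signature = der(0x03, b"\x00" + b"\xAA" * 32)                         # BIT STRING, dummy
    return der(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    cert = build_sample_cert("1.2.840.113549.1.1.11")   # sha256WithRSAEncryption, as wordpress.org per comment #3
    for version in ("0.9.7m", "0.9.8e", "0.9.8o", "1.0.0", "1.0.0a", "OpenSSL 1.0.1e-fips 11 Feb 2013"):
        print(version, "->", diagnose(cert, version))
```

To run it against a real host, pass `pem_to_der(open("server.pem").read())` and the output of `openssl version`. The check covers only the OpenSSL side of comment #3; whether the cURL build on the host actually calls OpenSSL_add_all_algorithms() (the 2009 change linked above) is a property of that cURL build, so a 'needs-add-all-algorithms' verdict means "depends on curl", not "definitely broken".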