[wp-trac] [WordPress Trac] #64063: Remove bundled 1024-bit certificates from bundled root certificates
WordPress Trac
noreply at wordpress.org
Wed Oct 1 18:38:17 UTC 2025
#64063: Remove bundled 1024-bit certificates from bundled root certificates
--------------------------+-----------------------------
Reporter: kkmuffme | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTTP API | Version:
Severity: major | Keywords:
Focuses: |
--------------------------+-----------------------------
Because of https://core.trac.wordpress.org/ticket/34935#comment:10 from 10
years ago, the bundled .crt still contains 1024-bit certificates, which are
only needed for OpenSSL <1.0.1g.
There was a recent update to the bundled root certificate
https://core.trac.wordpress.org/changeset/60029 keeping those.
1024-bit certificates have been considered insecure and not accepted by browsers
for a decade now; however, they are about to become (instead of just being
considered) insecure, with first research available indicating that
1024-bit RSA has been cracked in recent months.
Not only is this a security issue, but it can lead to massive direct
(e.g. WooCommerce payment gateways) and indirect (user
data/GDPR/privacy, e.g. when using the email gateways used by most WP sites)
financial consequences for sites running on WordPress.
Can these legacy certificates be removed from WP's certificate bundle?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64063>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
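A check for the problem the ticket describes, added here as an example and not code from the ticket or from WordPress core: a stdlib-only Python scanner that walks a PEM CA bundle, parses each certificate's SubjectPublicKeyInfo out of the DER, and reports every RSA key whose modulus is below 2048 bits. The sample bundle is constructed inline from synthetic, unsigned certificates (the `_fake_cert` and `_pem` helpers and their moduli are assumptions, not real CA keys); pointing `weak_rsa_certs` at a real `ca-bundle.crt` gives the actual list of entries a removal would target.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, content) for each TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, cs, ce = _read_tlv(buf, pos)
        yield tag, buf[cs:ce]
        pos = ce


def rsa_key_bits(der):
    """Return the RSA modulus size in bits of a DER certificate, or None if the key is not RSA."""
    _, s, e = _read_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs = next(_children(der, s, e))          # tbsCertificate
    fields = list(_children(tbs, 0, len(tbs)))
    # version is [0] EXPLICIT and optional: spki is the 7th field when present, else the 6th
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    _, spki = fields[spki_index]
    (_, alg), (_, bitstr) = list(_children(spki, 0, len(spki)))
    _, oid = next(_children(alg, 0, len(alg)))
    if oid != RSA_OID:
        return None                              # EC or other key type: not a 1024-bit RSA concern
    rsa_pub = bitstr[1:]                         # skip the "unused bits" byte of the BIT STRING
    _, ps, pe = _read_tlv(rsa_pub, 0)            # RSAPublicKey SEQUENCE
    _, modulus = next(_children(rsa_pub, ps, pe))
    return int.from_bytes(modulus, "big").bit_length()


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def weak_rsa_certs(pem_bundle, min_bits=2048):
    """Return [(index, bits)] for every RSA certificate in the bundle below min_bits."""
    weak = []
    for i, m in enumerate(_PEM_RE.finditer(pem_bundle)):
        der = base64.b64decode("".join(m.group(1).split()))
        bits = rsa_key_bits(der)
        if bits is not None and bits < min_bits:
            weak.append((i, bits))
    return weak


# --- constructed sample input (assumption: synthetic, unsigned certificates) ---

def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                          # keep the INTEGER positive
    return _der(0x02, b)


def _fake_cert(bits):
    """Build a syntactically valid X.509 DER with an RSA key of `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 1              # any odd integer with the top bit set
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    name = _der(0x30, b"")                       # empty issuer/subject Name
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"350101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy signature


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _pem(_fake_cert(1024)) + _pem(_fake_cert(2048)) + _pem(_fake_cert(4096))

if __name__ == "__main__":
    for idx, bits in weak_rsa_certs(SAMPLE_BUNDLE):
        print(f"certificate #{idx}: {bits}-bit RSA key (below 2048)")
```

The scanner only reads key sizes; it performs no signature or chain verification, which is all that is needed to enumerate the legacy entries in a bundle. Comment lines between PEM blocks, as found in WordPress's bundled `.crt`, are ignored by the regex.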