[wp-trac] [WordPress Trac] #64063: Remove bundled 1024-bit certificates from bundled root certificates
WordPress Trac
noreply at wordpress.org
Fri Oct 17 18:28:18 UTC 2025
#64063: Remove bundled 1024-bit certificates from bundled root certificates
----------------------------+---------------------
Reporter: kkmuffme | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone: 7.0
Component: Security | Version:
Severity: major | Resolution:
Keywords: early | Focuses:
----------------------------+---------------------
Changes (by johnbillion):
* keywords: => early
* type: defect (bug) => task (blessed)
* component: HTTP API => Security
* milestone: Awaiting Review => 7.0
Comment:
The fundamental problem is that the modern cacert bundle (without those
1024-bit root certs prepended) is not compatible with some ancient
versions of OpenSSL. Reading through #34935 and linked tickets I believe
this affects 1.0.1e to 1.0.1q due to path discovery bugs. This breaks the
TLS connection regardless of whether any cert in the chain is signed with
a 1024-bit cert.
This seems to primarily affect CentOS 7 which shipped with OpenSSL 1.0.1e.
It can connect to modern services that retain support for ECDHE-GCM
ciphers over TLS 1.2 and therefore is not yet functionally obsolete. I've
no idea whether CentOS 7 users keep OpenSSL updated to a more modern
version, perhaps something to chat with
[https://make.wordpress.org/hosting/ the hosting team] about. Anyone still
running an unpatched 1.0.1e would have a hard time using a recent cacert
bundle anyway.
CentOS 7 has been EOL since last year. My vote goes to pulling these out
early in the 7.0 cycle.
Related (for 6.9): #63165
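One way to audit a CA bundle for the 1024-bit RSA roots this ticket proposes removing, as an added example that is not part of the ticket or of WordPress core. It uses only the Python standard library: a minimal DER walker pulls the subject commonName and the RSA modulus size out of each certificate. The two certificates it scans are constructed, unsigned stand-ins built inline so the script runs offline; the bundle path `wp-includes/certificates/ca-bundle.crt` it tries first is an assumption about where WordPress ships its bundle, and any other path can be passed as the first argument.

```python
"""Audit a PEM CA bundle for RSA keys below a size floor (stdlib only).
Added example; not WordPress core code. The sample certificates are
constructed, structurally valid but unsigned (zero signature bytes)."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
CN_OID = bytes.fromhex("550403")               # commonName 2.5.4.3
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return [(tag, value)] for every TLV packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out


def subject_cn(name):
    """Pull commonName out of an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8", "replace")
    return "(no CN)"


def describe_cert(der):
    """Return (commonName, key algorithm, RSA modulus bits or None)."""
    _, cert, _ = der_tlv(der)
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    subject, spki = fields[4][1], fields[5][1]         # serial, sigAlg, issuer, validity, subject, spki
    alg, key = der_children(spki)
    oid = der_children(alg[1])[0][1]
    if oid != RSA_OID:
        return subject_cn(subject), "non-RSA", None
    _, rsa_key = der_children(key[1][1:])[0]           # skip BIT STRING unused-bits byte
    modulus = der_children(rsa_key)[0][1]
    return subject_cn(subject), "RSA", int.from_bytes(modulus, "big").bit_length()


def scan_bundle(pem_text):
    """Describe every certificate in a PEM bundle, in file order."""
    return [describe_cert(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(pem_text)]


def weak_certs(pem_text, min_bits=2048):
    """Certificates whose RSA key is shorter than min_bits (the ticket's 1024-bit roots)."""
    return [c for c in scan_bundle(pem_text) if c[1] == "RSA" and c[2] < min_bits]


# --- DER encoders used only to build the constructed sample bundle --------------
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)


def constructed_cert(cn, bits):
    """Unsigned, structurally valid certificate carrying an RSA key of `bits` bits."""
    modulus = (1 << (bits - 1)) | 0x10001             # any odd number of the right length
    rsa = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"350101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    cert = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(16)))   # zero "signature"
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


# Constructed sample bundle: one legacy 1024-bit root followed by one 2048-bit root.
SAMPLE_BUNDLE = (constructed_cert("Constructed 1024-bit Root", 1024)
                 + constructed_cert("Constructed 2048-bit Root", 2048))

if __name__ == "__main__":
    import sys
    # Assumed location of the bundle WordPress ships; falls back to the sample if absent.
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-includes/certificates/ca-bundle.crt"
    try:
        text = open(path).read()
    except OSError:
        text = SAMPLE_BUNDLE
    for cn, alg, bits in weak_certs(text):
        print(f"weak: {cn} ({alg} {bits}-bit)")
```

Run against the real bundle, the script lists every RSA root under 2048 bits; the same check can be cross-checked with `openssl x509 -noout -text` on each block and grepping for `Public-Key: (1024 bit)`. The parser deliberately reads only the fields it needs, so it tolerates the EC and RSA-PSS roots in a modern bundle by reporting them as non-RSA rather than failing.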
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64063#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform