• Resolved David Hamel

    (@david-hamel)


    Good day all.

    We are currently running a MultiNetwork / Multisite installation. Initially we had only the logon/admin area covered by SSL, but have upgraded that to include all traffic.

    Over the last few months I’ve been tracking down issues with a variety of WordPress operations and plugin issues that all seemed to refer to SSL connection errors.

    Some of the issues we’ve seen included:
    anytime we did a network upgrade after WP upgrade we would see SSL connection errors on sites
    Trying to use RSS feeds, we would get SSL connection errors trying to connect and pull in data
    etc

    We are self hosted and maintain our CA through InCommon. Our security department is pretty diligent and when setting up our SSL environment, required us to only accept tlsv1.2 because of the known vulnerabilities in SSLv1-3 and TLSv1.0 & 1.1.

Through testing, I’ve found that if I lower the SSL environment to SSL V2 or 3, everything begins to work correctly in WordPress. Additionally, if I go to the command line and execute curl -v https://xyz.my.site.com I will get an SSL error, but if I execute curl -v https://xyz.my.site.com -tlsv1.2 the connection works fine. Unfortunately, I cannot leave this setting.

My question: Is there any way to set PHP/cURL to use TLS 1.2 automatically in WP?

    Any thoughts would be appreciated.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    We are currently running a MultiNetwork / Multisite installation. Initially we had only the logon/admin area covered by SSL, but have upgraded that to include all traffic.

    That’s good.

    Through testing, I’ve found that if I lower the SSL environment to SSL V2 or 3, everything begins to work correctly in WordPress.

    Can you check using openssl like so for TLS 1.2?

openssl s_client -tls1_2 -servername xyz.my.site.com -connect xyz.my.site.com:443 < /dev/null

    And without the -tls1_2.

openssl s_client -servername xyz.my.site.com -connect xyz.my.site.com:443 < /dev/null

    You may need to add your CA root file on the command line using -CAfile AddTrustExternalCARoot.crt for your trusted CA to work.

    When you do the second command if your web server is configured correctly then you should see openssl negotiate to TLS 1.2.

    SSL-Session:
        Protocol  : TLSv1.2

    This is just to confirm that your certs are working and your negotiation is successful for TLS 1.2. Your curl may not be providing an accurate picture of what’s going on.

    If it looks like openssl is working correctly then there may be more things to try with curl.

    Thread Starter David Hamel

    (@david-hamel)

    Thanks for the thoughts.

    We ran through what you suggested and the server is showing the successful connection at TLSv1.2 with the certificate and other information including cert chain, cipher, keys and session ticket info.

    What we did notice is that the certificate was issued with only the wordpress DNS name. We are reissuing it as a SAN cert with both the server FQDN and wordpress DNS names included. I’m not confident that will correct the situation, but we’ll give it a try.

    Any other suggestions or thoughts?

    I truly appreciate your feedback.

    Regards
    Dave

    Thread Starter David Hamel

    (@david-hamel)

    Well, we’ve finally had success, and it wasn’t using the SAN cert.

We used ssllabs.com to evaluate the system and altered both the cipher suite and protocols. The change allows all versions of TLS with an extended set of suites.

Thanks for the assistance and comments.
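The opening post asks how to make WordPress's own PHP/cURL requests use TLS 1.2, so the server can keep its TLS-1.2-only policy instead of the final post's outcome of re-enabling older protocol versions. The following is an added example, not code from this thread or from WordPress core: it uses the real `http_api_curl` action that WordPress fires with the cURL handle before every `wp_remote_get()`/`wp_remote_post()` request, and assumes it is saved as a must-use plugin under wp-content/mu-plugins/ (the file location and the `tls12_self_check` helper name are this example's own choices).

```php
<?php
/**
 * Plugin Name: Force TLS 1.2 for WordPress HTTP API requests
 * Added example for this thread; assumed location: wp-content/mu-plugins/
 */

// WordPress passes the cURL handle (by reference), the request arguments and
// the URL to 'http_api_curl' right before the request is executed.
add_action( 'http_api_curl', function ( $handle, $parsed_args, $url ) {
    // CURL_SSLVERSION_TLSv1_2 exists only on PHP >= 5.5 built against
    // cURL >= 7.34.0; on older builds the constant is undefined and we
    // leave protocol negotiation to the library rather than break requests.
    if ( defined( 'CURL_SSLVERSION_TLSv1_2' ) ) {
        curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
    }
    // Certificate and hostname verification are left as WordPress sets them
    // (on by default); forcing the protocol version does not change that.
}, 10, 3 );

/**
 * Self-check (hypothetical helper): fetch the site's own home URL through the
 * WordPress HTTP API and report which SSL library PHP's cURL was built against.
 * Call it from WP-CLI (`wp eval 'tls12_self_check();'`) or a temporary admin page.
 */
function tls12_self_check() {
    $curl   = curl_version();
    $report = array( 'ssl_library' => $curl['ssl_version'] ); // e.g. "OpenSSL/1.0.1e"

    $response = wp_remote_get( home_url( '/' ), array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        // A handshake failure here (cURL error 35) is what an SSL library
        // without TLS 1.2 support produces against a TLS-1.2-only server.
        $report['error'] = $response->get_error_message();
    } else {
        $report['http_status'] = wp_remote_retrieve_response_code( $response );
    }

    error_log( 'tls12_self_check: ' . json_encode( $report ) );
    return $report;
}
```

Forcing TLS 1.2 only helps if the library named in `ssl_library` supports it (OpenSSL 1.0.1 or later); if the self-check reports an older library, the fix is updating OpenSSL/PHP on the WordPress host, not relaxing the server's protocol policy.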

  • The topic ‘WordPress and SSL Version’ is closed to new replies.