@nicksavov drats I was about to update the current distributed version but I see you beat me to it 20113ad

@PhilETaylor I'm going to add the Request for Comment label here. Let me know if i should remove it. Thanks

@zero-24 Yup thats fine, I wanted to open it up to see what others thought

As I commented on the referenced thread too, sorry Phil, but I absolutely disagree that removing root ca certificate bundle is the best solution. This is against the whole PKI security concept, and we are breaking the working parts to avoid errors. For the sake of security that would be a big step backwards.

By suggesting downloading/consuming cacert.pem file from an external source (without any assurance you will actually get it from a valid original website), you are getting customers in a high-risk situations. Even more using the plain HTTP links. Hint: Man-In-The-Middle attacks!!

The whole purpose of a root ca certificate bundles being distributed with browsers, OSes, cURL, Joomla, "other security-aware software", is to provide users with a locally available trustworthy start-point for further trust-level validation. If you have to grab it from external source you're in an untrustworthy environment and MITM attack is possible.

Points that are correct here are:

• Joomla uses old root ca cert bundle, and it will be outdated now and then. The same happens with browsers, but they don't tend to discard the right approach distributing root ca certs with browsers. Best approach would be:
  • updating the bundle file regularly, it's available on github, all of us interested can track the changes and send pull requests when needed https://github.com/bagder/ca-bundle/
  • enabling users to choose/upload custom root ca cert bundle for using with J! framework
• users should be educated to push host to upgrade their server packages, source of most problems start there

  ---

  _{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/6879.}