Hi Everyone,
We're releasing new versions of almost all our extensions today.
Many of the extensions are getting bug-fixes, but we're updating most of our extensions because we made a mistake.
- What was the mistake? Most of our extensions modified a core file: /libraries/joomla/http/transport/cacert.pem
- Why did we do this? A number of users with SSL certificates encountered problems when they tried to update or install our extensions. This was the workaround we used to help them.
- Did we screw up? Yes, absolutely. We shouldn't have hacked the core file. I apologize to you for this mistake.
- Was this a security problem? No, absolutely not. It was a question of following development best practices.
- Are all our extensions impacted? Almost all. The only extensions not getting updates are SimpleRenew and OSDonate. Those two extensions didn't contain the file modification.
The Technical Explanation
There's a lot that goes on behind the scenes between a server and software in order to verify SSL certificates. One of those things is driven by CAcert (a Certificate Authority) that signs certificates to confirm their authenticity.
When an issuer publishes a new certificate, it takes a while for the rest of the internet community to update and acknowledge it. Mid last year, we updated our SSL certificate to the latest TLS standard (to increase security), and since then we've had trouble communicating with servers (web hosts) that don't have the latest certificates on file.
In Joomla, if the latest certificate (of the server hosting the file) isn't in libraries/joomla/http/transport/cacert.pem and the server (that's downloading the file) doesn't have it either, it triggers an error similar to the following in a browser:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
So instead of a user being able to update to the latest version of an extension using Joomla's updater, they get an error. The same thing happens if they try to install an extension via Install from Web or Install from URL.
The above process is totally outside of our control, unfortunately. It's dependent on web hosts communicating with each other and updating their certificates on file, as well as Mozilla updating the root file at https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
We tried several different workarounds and the one that our developers settled on was modifying libraries/joomla/http/transport/cacert.pem directly via a system plugin. This was our mistake - we should not have modified that core file. These new extension releases will revert the cacert.pem back to its original state.
Thanks to Phil Taylor for reporting this problem.
Next week, we'll start looking for a better approach to handle this SSL problem.
Update: On May 22, we added an intermediate certificate in the Nginx configuration on our server and that resolved the original issue. Special thanks to Bartosz Kwitniewski for his expert help!
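As an added example (not code from the original post or from the extensions it describes), the shell script below reproduces the "certificate verify failed" condition with a locally constructed root -> intermediate -> leaf chain and the openssl command-line tool, then shows the two ways it can be resolved: the server sending its intermediate certificate (what the Nginx change in the update does) and the client's trust bundle having the intermediate appended (what patching libraries/joomla/http/transport/cacert.pem did). The certificate names, the updates.example.test hostname and the temporary files are all constructed for the demonstration; nothing is fetched from the network. The point for a practitioner is that the failing case and the two working cases differ only in where the intermediate certificate comes from, which is why fixing the server resolved the problem for every client without touching a core file.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Builds a constructed three-tier chain and verifies the leaf the way a
# client with a roots-only trust bundle (such as cacert.pem) would.

# Build root CA -> intermediate CA -> leaf (web server) certificate in DIR.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA: self-signed. `openssl req -x509` marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Example Root CA (constructed)" >/dev/null 2>&1
    # Intermediate CA: signed by the root; must carry CA:TRUE to act as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate CA (constructed)" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
    # Leaf: the web server's certificate, signed by the intermediate only.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=updates.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Verify LEAF against the client's trust BUNDLE. The optional third argument is
# an intermediate the server sends during the handshake (passed as -untrusted,
# i.e. usable for chain building but not trusted on its own). Prints OK or FAIL.
verify_leaf() {
    bundle="$1"; leaf="$2"; sent_intermediate="$3"
    if [ -n "$sent_intermediate" ]; then
        set -- -untrusted "$sent_intermediate"
    else
        set --
    fi
    if openssl verify -CAfile "$bundle" "$@" "$leaf" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone demo: the failing case and the two fixes, side by side.
demo() {
    d=$(mktemp -d)
    make_chain "$d"
    # Roots-only bundle, server does not send the intermediate: FAIL
    # (the "unable to get local issuer certificate" situation from the post).
    printf 'roots-only bundle, intermediate not served : %s\n' \
        "$(verify_leaf "$d/root.pem" "$d/leaf.pem")"
    # Roots-only bundle, server sends the intermediate: OK (the Nginx fix).
    printf 'roots-only bundle, server sends intermediate: %s\n' \
        "$(verify_leaf "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
    # Intermediate appended to the client's bundle: OK, but only on clients
    # whose bundle was patched (the cacert.pem workaround).
    cat "$d/root.pem" "$d/int.pem" > "$d/patched-cacert.pem"
    printf 'intermediate appended to client bundle     : %s\n' \
        "$(verify_leaf "$d/patched-cacert.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

To check a live host for the same condition, `openssl s_client -connect host:443 -servername host -showcerts` lists every certificate the server sends; if only the leaf appears and the verify result is "unable to get local issuer certificate", the server is missing its intermediate, and the fix belongs in the server configuration rather than in each client's trust bundle.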