WordPress.org is now forced SSL

In the last week, we transitioned almost all of WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ to load over SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server..

In the coming weeks, any redirects that are temporary will become permanent, and we’ll be adding HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. Strict Transport Security (HSTS).

api.wordpress.org and downloads.wordpress.org still listen over HTTP as some servers out there do not have OpenSSL and thus cannot communicate with WordPress.org securely. (But if you hit api.wordpress.org with an SSL request, you will always get an SSL downloads URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org.)

If in a script you’re downloading https://wordpress.org/latest.zip or latest.tar.gz, please change this to https. Here are common issues you may run into:

Problems with curl? If you’re using curl without following locations (-L), your script will break. Switch to httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information..
Problems with wget? If you are using an old version of wget (~1.12.1 or older), it will stumble on the SSL certificate. Switch to https. Also, update wget.

If you find any issues, please leave a comment here or open a meta ticket. Issues could include:

Any mixed content warnings.
Something that should be forced SSL but isn’t. Note: The Codex has not been redirected yet but it will be soon. Same goes for the global and mobile forums (*.forums.wordpress.org).
General breakage or weirdness.

This all applies to BuddyPress.org and bbPress.org too.

#ssl

Michael Beil 5:45 pm on September 23, 2014

great to see this transition happening. nice work @nacin and team.
Eric 6:13 pm on September 23, 2014

Awesome. Great work guys.
Subharanjan 6:38 pm on September 23, 2014

Great news !! More secured 🙂
Chris Van Patten 7:35 pm on September 23, 2014

Woot! This is great news!

Just a quick note: you used the https:// URL in your example with the link to latest.zip – I think your example link was meant to be non-https.
Chris Koerner 8:53 pm on September 23, 2014

Good news. Glad to see more sites and communities taking security to heart.
war59312 5:18 pm on September 24, 2014

Excellent, finally! 🙂

Cert “expires in 2 months and 22 days”. lol All 2s, damn I’m lucky some times.

Anyways, really should get a new cert before it expires. 😉
Chris Wiegman 8:07 pm on October 15, 2014

While late to the party on this post this is a change I’m so glad to see.
Ryan Marks 3:18 am on November 3, 2014

I ran the following command from my command line. Here was the response. Is this expected?

user@server.com [~/www]# wget https://wordpress.org/latest.tar.gz
–2014-11-02 21:14:06– https://wordpress.org/latest.tar.gz
Resolving wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/… 66.155.40.249, 66.155.40.250
Connecting to wordpress.org|66.155.40.249|:443… connected.
ERROR: certificate common name `*.wordpress.org’ doesn’t match requested host name `wordpress.org’.
To connect to wordpress.org insecurely, use `–no-check-certificate’.
Unable to establish SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server. connection.
user@server.com [~/www]#

I was able to add the –no-check-certificate flag to download the file.
- Samuel Wood (Otto) 12:31 pm on November 3, 2014
  
  As it says in the blog post, update your version of wget to 1.13 or later. Versions older than that don’t understand modern SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server. certificates. Sadly, some linux distros still include these very old wget versions by default. Check to see if a more up-to-date wget package is available.
  
  You can verify that it’s wget’s issue and not wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/’s by trying other httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. urls as well. Try https://www.google.com/, they use an altname in their certificate too, I believe.
Docfxit 5:02 pm on December 31, 2015

What needs to be done to resolve the SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server. error in Windows?
Download failed. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
I see lots of people are having the error and I don’t see a solution.
I have installed openssl.exe 1.0.2e in Win7. I have added openssl.exe to the path. WordPress doesn’t seem to use it.

Thanks,
Docfxit
Docfxit 5:32 pm on January 2, 2016

Update:
What needs to be done to resolve the SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server. error in Windows?
Download failed. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
I see lots of people are having the error and I don’t see a solution.
I have installed openssl.exe 1.0.2e in Win7. I have added openssl.exe to the path. WordPress Is using openssl.exe 1.0.2e. I have PHPInfo reporting SSL Version OpenSSL/1.0.2e. I am still getting the error when I try to update a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party.

Thanks,
Docfxit

Welcome to the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. Team!

Contact

WordPress.org is now forced SSL

Welcome to the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. Team!

Contact

Share this: