UpdraftPlus 1.9.26 is being released today.
The reason for this release is because a very small number of users have not been successful in connecting to Amazon S3, due to SSL certificate validation failures.
We were able to investigate the cause of these failures, and found that:
- Some Amazon S3 servers’ SSL certificates are signed by a 1024-bit key. These keys are now considered weak by cryptographic experts.
- Consequently, Mozilla Firefox (the browser) has begun the processing of dropping support for SSL connections secured by 1024-bit keys (see: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/#comments). (They are not alone – browser vendors generally are in process of doing this).
- This affected UpdraftPlus, because UpdraftPlus uses Firefox’s set of root SSL certificates in order to validate its SSL connections.
UpdraftPlus 1.9.26 re-adds support for these Amazon S3 SSL certificates (via re-adding the root certificates which Firefox have dropped). If you had this problem, then you can visit the “Updates” page in your WordPress dashboard, and update to UpdraftPlus 1.9.26.
Ideally, if you had this problem, you should contact Amazon S3 and ask them to update their servers. 1024-bits is not considered sufficient for security on the 2014 Internet. But, since for the affected users the choice was this or no encryption at all, for now, we’ll have to wait longer until these certificates can be dropped.
David Anderson (lead developer, founder, UpdraftPlus).