Problems with Sectigo certificates after May 30, 2020, and how to fix them

On Saturday, May 30, 2020, a problem that was not immediately obvious arose with the popular SSL/TLS certificates from the vendor Sectigo (formerly Comodo). The certificates themselves were still in perfect order; however, one of the intermediate CA certificates in the chains with which those certificates were supplied had gone "rotten", that is, expired. The situation is not exactly fatal, but it is unpleasant: current browser versions noticed nothing, whereas most automation tools and old browsers/operating systems were not ready for such a turn.

Habr was no exception, which is why this explainer/postmortem was written.

TL;DR: the solution is at the end.

Let us skip the basic theory of PKI, SSL/TLS, HTTPS and the rest. The mechanics of validating a domain's security certificate come down to building a chain of certificates up to one of those trusted by the browser or operating system, which are kept in the so-called trust store. This list is distributed with the operating system, the code runtime ecosystem, or the browser. Every certificate has an expiry date, after which it is considered untrusted, and that includes the certificates in the trust store. What did the chain of trust look like before the fateful day? The SSL Report web tool from Qualys helps us figure that out.

So, one of the most popular "commercial" certificates is Sectigo Positive SSL (formerly Comodo Positive SSL; certificates under that name are still in use), a so-called DV certificate. DV is the most basic level of certification: it means verification, by the party issuing the certificate, of access to control of the domain. DV literally stands for "domain validation". For reference, there are also OV (organization validation) and EV (extended validation), and the free certificates from Let's Encrypt are DV too. For those who for some reason are not satisfied with the ACME mechanism, Positive SSL is the best fit in terms of price/features (a single-domain certificate costs about 5-7 dollars a year, with a total certificate validity period of up to 2 years and 3 months).

Until recently, a typical Sectigo DV certificate (RSA) came with this chain of intermediate CAs:

Certificate #1:
  Data:
    Version: 3 (0x2)
    Serial Number:
      7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
    Signature Algorithm: sha384WithRSAEncryption
      Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
      Validity
        Not Before: Nov  2 00:00:00 2018 GMT
        Not After : Dec 31 23:59:59 2030 GMT
      Subject: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Certificate #2:
  Data:
    Version: 3 (0x2)
    Serial Number:
      13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
    Signature Algorithm: sha384WithRSAEncryption
      Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
      Validity
        Not Before: May 30 10:48:38 2000 GMT
        Not After : May 30 10:48:38 2020 GMT
      Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

There is no "third certificate", the self-signed one from AddTrust AB, because at some point it came to be considered bad form to include self-signed root certificates in chains. Note that the intermediate CA certificate issued to UserTrust by AddTrust expires on May 30, 2020. This is no accident: a decommissioning procedure had been planned for this CA. It was assumed that by May 30, 2020 a cross-signed certificate from UserTrust would have appeared in every trust store (under the hood it is the same certificate, or rather the same public key), so that even with a no-longer-trusted certificate included in the chain, alternative paths would be built and nobody would notice. However, the plans ran into what goes by the long name of "legacy systems". Indeed, owners of current browser versions noticed nothing, but a mountain of automation built on curl and on the SSL/TLS libraries of various programming languages and code runtime environments broke. It should be understood that many products do not rely on the chain-building facilities built into the OS but "carry" their own trust store with them, and that store does not always contain what the CA/Browser Forum would like to see. And on Linux, packages such as ca-certificates are not always updated. In the end everything looks to be in order, yet something does not work here and there.

Figure 1 makes it clear that, although for most people everything looked normal, something broke for someone and traffic dropped noticeably (left red line); it grew again when one of the key certificates was replaced (right line). There were spikes in the middle, when other certificates were changed, on which something also depended. Since for the majority everything kept working as usual (apart from odd glitches such as being unable to load images on Habrastorage), we can draw an indirect conclusion about the number of legacy clients and bots on Habr.

Figure 1. Graph of "traffic" on Habr.

Figure 2 shows how, in current browser versions, an "alternative" chain is built to a trusted CA certificate in the user's browser, even though there is a "rotten" certificate in the chain. This, as Sectigo itself believed, was precisely the reason to do nothing.

Figure 2. Chain to a trusted certificate for a modern browser version.

But in Figure 3 you can see what it all really looks like when something has gone wrong and we have a legacy system. In this case the HTTPS connection is not established and we see an error such as "certificate validation failed" or similar.

Figure 3. The chain is invalidated because the root certificate and the intermediate signed by it have "rotted".

In Figure 4 we already see the "solution" for legacy systems: there is another intermediate certificate, or rather a "cross-signed" one from another CA, which is usually pre-installed in legacy systems. Here is what you need to do: find this certificate (it is marked as an extra download) and replace the "rotten" one with it.

Figure 4. Alternative chain for legacy systems.
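The outcomes shown in Figures 2 to 4 can be reproduced with a small path-building model over the chain dump quoted earlier. This is an added example, not code from the original article: `parse_dump`, `build_path` and the `MODERN`/`LEGACY` trust-store contents are assumptions made for illustration, and the model matches issuer names only.

```python
import re
from datetime import datetime, timezone

# Chain served before the fix: the dump from this page, trimmed to the fields used.
OLD_CHAIN = """\
Certificate #1:
  Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
  Not Before: Nov  2 00:00:00 2018 GMT
  Not After : Dec 31 23:59:59 2030 GMT
  Subject: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Certificate #2:
  Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  Not Before: May 30 10:48:38 2000 GMT
  Not After : May 30 10:48:38 2020 GMT
  Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
"""
# Replacement cross-certificate: values from this page, rewritten by hand into the same layout.
NEW_CROSS = """\
Certificate #2:
  Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
  Not Before: Mar 12 00:00:00 2019 GMT
  Not After : Dec 31 23:59:59 2028 GMT
  Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
"""
# Assumed trust stores (root CNs only); expiry of the roots themselves is not modelled.
MODERN = {"USERTrust RSA Certification Authority", "AAA Certificate Services"}
LEGACY = {"AddTrust External CA Root", "AAA Certificate Services"}

def parse_dump(text):
    """Turn 'Certificate #n' blocks into dicts keyed by the dump's field names."""
    certs = []
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key.startswith("Certificate #"):
            certs.append({})
        elif key in ("Issuer", "Subject"):
            certs[-1][key] = re.search(r"CN=(.+)$", val).group(1)
        elif key in ("Not Before", "Not After"):
            ts = datetime.strptime(" ".join(val.split()), "%b %d %H:%M:%S %Y GMT")
            certs[-1][key] = ts.replace(tzinfo=timezone.utc)
    return certs

def build_path(chain, roots, now):
    """Follow issuer names through the served chain until a trusted root name.
    Name matching only: a real validator also verifies every signature."""
    by_subject = {c["Subject"]: c for c in chain}
    cert = chain[0]
    while cert is not None:
        if not cert["Not Before"] <= now <= cert["Not After"]:
            return False, "expired: " + cert["Subject"]
        if cert["Issuer"] in roots:
            return True, "anchored at " + cert["Issuer"]
        cert = by_subject.pop(cert["Issuer"], None)  # pop: each cert is visited once
    return False, "no path to a trusted root"
```

Calling `build_path(parse_dump(OLD_CHAIN), LEGACY, now)` with a date after May 30, 2020 reports the expired cross-certificate, while the same chain against `MODERN` anchors one step earlier and never reaches it.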

By the way: the problem received little publicity and hardly any public discussion, partly as a result of Sectigo's excessive arrogance. For example, here is the opinion of one of the certificate suppliers regarding this situation:

Previously they [Sectigo] assured everyone that there would be no issues. However, the reality is that some legacy servers/devices are affected.

That is a ridiculous situation. We pointed out the expiring AddTrust RSA/ECC multiple times within a year, and each time Sectigo assured us there would be no issues.

I personally asked a question on Stack Overflow about this a month ago but, apparently, the project's audience is not well suited to such questions, so I had to answer it myself after the analysis.

Sectigo has released an FAQ on this topic, but it is so unreadable and so long that it is impossible to use. Here is a quote that is the real essence of the whole publication:

What You Need to Do
For most use cases, including certificates serving modern client or server systems, no action is required, regardless of whether or not you have issued certificates cross-chained to the AddTrust root.

As of April 30, 2020: For business processes that depend on very old systems, Sectigo has made available (by default in the certificate bundles) a new legacy root for cross-signing, the "AAA Certificate Services" root. However, please use extreme caution about any process that depends on very old legacy systems. Systems that have not received the updates necessary to support newer roots such as Sectigo's COMODO root will inevitably be missing other essential security updates and should be considered insecure. If you would still like to cross-sign to the AAA Certificate Services root, please contact Sectigo directly.

I really do love the "very old" thesis. For example, curl in the console of Ubuntu Linux 18.04 LTS (our base OS at the moment), with the latest updates no more than a month old, can hardly be called very old, yet it does not work.

Most certificate distributors published their resolution notes late in the evening of May 30. For example, a technically very decent one came from NameCheap (with a specific description of what to do and with ready-made CA bundles in zip archives, but RSA only):

Figure 5. Seven steps to fix things quickly.

There is a good article from Red Hat, but it deals with even heavier legacy, where you have to install an even more root-level legacy certificate from Comodo for everything to work.

Solution

It is worth duplicating the solution here as well. Below are two sets of chains for Sectigo DV certificates (not Comodo!): one for the familiar RSA certificates, the other for the less familiar ECC (ECDSA) certificates (we have been using both chains for a long time). ECC was harder, since most write-ups of the fix do not take the existence of such certificates into account because of how rarely they occur. As a result, the missing intermediate certificate was found on crt.sh.

Chain for certificates based on the RSA key algorithm. Compare it with your chain and note that only the lower certificate has been replaced, while the upper one has stayed as it was. For my own use I tell them apart by the last three characters of the base64 blocks, not counting the "equals" character (in this case En8= and 1+V):

# Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
# Algo: RSA, key size: 2048
# Issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
# Not valid before: 2018-11-02T00:00:00Z
# Not valid after: 2030-12-31T23:59:59Z
# SHA-1 Fingerprint: 33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB
# SHA-256 Fingerprint: 7F:A4:FF:68:EC:04:A9:9D:75:28:D5:08:5F:94:90:7F:4D:1D:D1:C5:38:1B:AC:DC:83:2E:D5:C9:60:21:46:76

# Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
# Algo: RSA, key size: 4096
# Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
# Not valid before: 2019-03-12T00:00:00Z
# Not valid after: 2028-12-31T23:59:59Z
# SHA-1 Fingerprint: D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C
# SHA-256 Fingerprint: 68:B9:C7:61:21:9A:5B:1F:01:31:78:44:74:66:5D:B6:1B:BD:B1:09:E0:0F:05:CA:9F:74:24:4E:E5:F5:F5:2B

Chain for certificates based on the ECC key algorithm. As with the RSA chain, only the lower certificate has been replaced, while the upper one stayed as it was (in this case fmA== and v/c=):

# Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo ECC Domain Validation Secure Server CA
# Algo: EC secp256r1, key size: 256
# Issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
# Not valid before: 2018-11-02T00:00:00Z
# Not valid after: 2030-12-31T23:59:59Z
# SHA-1 Fingerprint: E8:49:90:CB:9B:F8:E3:AB:0B:CA:E8:A6:49:CB:30:FE:4D:C4:D7:67
# SHA-256 Fingerprint: 61:E9:73:75:E9:F6:DA:98:2F:F5:C1:9E:2F:94:E6:6C:4E:35:B6:83:7C:E3:B9:14:D2:24:5C:7F:5F:65:82:5F

# Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
# Algo: EC secp384r1, key size: 384
# Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
# Not valid before: 2019-03-12T00:00:00Z
# Not valid after: 2028-12-31T23:59:59Z
# SHA-1 Fingerprint: CA:77:88:C3:2D:A1:E4:B7:86:3A:4F:B5:7D:00:B5:5D:DA:CB:C7:F9
# SHA-256 Fingerprint: A6:CF:64:DB:B4:C8:D5:FD:19:CE:48:89:60:68:DB:03:B5:33:A8:D1:33:6C:62:56:A8:7D:00:CB:B3:DE:F3:EA

That is pretty much it. Thank you for your attention.

Source: www.habr.com