Failures in OpenBSD, DragonFly BSD and Electron caused by the expiry of the IdenTrust root certificate

The expiry of the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the Let's Encrypt root CA certificate, has caused Let's Encrypt certificate verification to fail in projects that use older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers did not take into account the earlier experience with the failures that followed the expiry of the Sectigo (Comodo) CA's AddTrust root certificate.

Recall that OpenSSL releases up to and including the 1.0.2 branch, and GnuTLS before release 3.6.14, contain a bug that prevents cross-signed certificates from being processed correctly once one of the root certificates used for signing has expired, even when other valid chains of trust remain (in the Let's Encrypt case, the expiry of the IdenTrust root blocks verification even on systems that trust the Let's Encrypt root certificate, which is valid until 2030). The essence of the bug is that older versions of OpenSSL and GnuTLS treat the certificates as a single linear chain, whereas according to RFC 4158 the certificates can form a directed, possibly cyclic graph with several trust anchors, all of which have to be considered when building a path.
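The difference between linear-chain and graph-based path building, shown as an added example that is not part of the article: the script below uses the openssl command-line tool to build a throwaway PKI shaped like the Let's Encrypt hierarchy (a new self-signed root, a cross-signed copy of that root issued by an older root, an intermediate and a leaf), lets the cross-signed copy expire first, and then runs openssl verify at a point in time when only the cross-sign has expired. Every name and file is constructed; it assumes an OpenSSL 1.1.0 or newer CLI, whose "trusted first" path building is what the affected versions lack.

```shell
#!/bin/sh
# Added example (not from the article): a toy PKI with the shape of the
# Let's Encrypt hierarchy. "Toy new" exists twice: self-signed, and as a
# cross-signed copy issued by "Toy old" that expires after one day (as the
# IdenTrust-issued copy of the Let's Encrypt root did). Verification is run
# with -attime three days ahead, when only the cross-sign has expired.
# Assumes the openssl CLI (1.1.0 or newer); all names here are made up.
set -eu

build_toy_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$dir/leaf.ext"
    # One EC key and CSR per participant; the new root's CSR is signed twice below
    for name in old new inter leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=Toy $name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # Two self-signed roots, valid for years
    openssl x509 -req -in "$dir/old.csr" -signkey "$dir/old.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/old.pem" 2>/dev/null
    openssl x509 -req -in "$dir/new.csr" -signkey "$dir/new.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/new.pem" 2>/dev/null
    # Cross-sign: the new root's own CSR, issued by the old root, expiring in one day
    openssl x509 -req -in "$dir/new.csr" -CA "$dir/old.pem" -CAkey "$dir/old.key" -CAcreateserial \
        -days 1 -extfile "$dir/ca.ext" -out "$dir/new-cross.pem" 2>/dev/null
    # Intermediate under the new root, leaf under the intermediate
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/new.pem" -CAkey "$dir/new.key" -CAcreateserial \
        -days 730 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -days 90 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # What a server sends alongside the leaf: the intermediate plus the cross-signed root
    cat "$dir/inter.pem" "$dir/new-cross.pem" > "$dir/chain.pem"
    # Two trust stores: one that only knows the old root, one that has both roots
    cp "$dir/old.pem" "$dir/trust-old-only.pem"
    cat "$dir/old.pem" "$dir/new.pem" > "$dir/trust-both.pem"
}

# verify_leaf DIR TRUSTFILE: succeeds if leaf.pem verifies three days from now,
# i.e. after the cross-signed copy of the new root has expired
verify_leaf() {
    at=$(( $(date +%s) + 3 * 86400 ))
    openssl verify -CAfile "$2" -untrusted "$1/chain.pem" -attime "$at" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_toy_pki "$demo_dir"
for store in trust-old-only trust-both; do
    if verify_leaf "$demo_dir" "$demo_dir/$store.pem"; then
        echo "$store: leaf verifies (the expired cross-sign is never used)"
    else
        echo "$store: leaf rejected (the only path runs through the expired cross-sign)"
    fi
done
```

With the store that holds both roots, the leaf verifies: the trusted self-signed copy of the new root is preferred over the expired cross-signed copy sent by the server, which is the graph-style path building the article contrasts with the old linear behaviour. With a store that only trusts the old root there is no second path and the leaf is rejected, which is the situation of a system that never received the newer root.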

As a workaround, it is recommended to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run "update-ca-certificates -f -v". On CentOS and RHEL, the "DST Root CA X3" certificate can instead be added to the blacklist:

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
    sudo update-ca-trust extract
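Two helpers for the workaround above, added here as an example rather than taken from the article: expiring_certs lists the certificates in a PEM bundle (such as /etc/ssl/certs/ca-certificates.crt, or /etc/ssl/cert.pem on OpenBSD) that expire within a given window, and drop_cert writes a copy of the bundle without the certificate whose subject matches a pattern, so the removal can be reviewed before the system file is replaced. It assumes the openssl CLI and awk; the two-certificate sample bundle, its names and its paths are constructed.

```shell
#!/bin/sh
# Added example (not from the article): find expiring roots in a PEM bundle
# and produce a copy of the bundle without a chosen certificate.
# Assumes the openssl CLI and awk; the sample bundle is constructed below.
set -eu

# split_bundle BUNDLE DIR: one file per certificate, DIR/1.pem, DIR/2.pem, ...
# (close() keeps the number of open files small for bundles with many roots)
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { if (out != "") close(out); n++; out = dir "/" n ".pem" }
        out != "" { print > out }' "$1"
}

# expiring_certs BUNDLE SECONDS: print subject and notAfter of every certificate
# that expires within SECONDS from now (0 = already expired)
expiring_certs() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        if ! openssl x509 -in "$tmp/$i.pem" -noout -checkend "$2" >/dev/null 2>&1; then
            openssl x509 -in "$tmp/$i.pem" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# drop_cert BUNDLE PATTERN OUT: copy BUNDLE to OUT, in order, without the
# certificates whose subject matches PATTERN (grep -E); prints how many were dropped
drop_cert() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    : > "$3"
    dropped=0
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        if openssl x509 -in "$tmp/$i.pem" -noout -subject | grep -qE -- "$2"; then
            dropped=$((dropped + 1))
        else
            cat "$tmp/$i.pem" >> "$3"
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$dropped"
}

# make_sample_bundle DIR: constructed bundle of two self-signed roots, one of
# which expires tomorrow (stand-in for an expiring cross-signing root)
make_sample_bundle() {
    for spec in "Toy Expiring Root:1" "Toy Long-Lived Root:3650"; do
        cn=${spec%:*}
        days=${spec#*:}
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -days "$days" -subj "/CN=$cn" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
        cat "$1/cert.pem" >> "$1/bundle.pem"
    done
}

sample_dir=$(mktemp -d)
make_sample_bundle "$sample_dir"
echo "Certificates expiring within 30 days:"
expiring_certs "$sample_dir/bundle.pem" $((30 * 86400))
dropped=$(drop_cert "$sample_dir/bundle.pem" 'Toy Expiring Root' "$sample_dir/bundle-clean.pem")
echo "dropped $dropped certificate(s); remaining in the clean bundle:"
grep -c 'BEGIN CERTIFICATE' "$sample_dir/bundle-clean.pem"
```

Run expiring_certs against the real bundle with a window of a few months to get advance notice of the next root that will go the way of DST Root CA X3; drop_cert writes to a separate file on purpose, so the result can be inspected and only then copied over the bundle that the system's TLS clients read.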

Some of the failures observed after the expiry of the IdenTrust root certificate:

  • In OpenBSD, the syspatch utility, used to install binary system updates, stopped working. The OpenBSD project today urgently released patches for the 6.8 and 6.9 branches that fix the LibreSSL problem with verifying certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since updates are additionally verified by digital signature) or to pick an alternative mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). The expired DST Root CA X3 root certificate can also be removed from the /etc/ssl/cert.pem file.
  • In DragonFly BSD, similar problems are observed when working with DPorts: running the pkg package manager produces a certificate verification error. A fix was added today to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, the DST Root CA X3 certificate can be removed.
  • Verification of Let's Encrypt certificates in applications based on the Electron platform broke. The problem is fixed in updates 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
  • Some distributions had problems accessing package repositories when using the APT package manager linked against older versions of the GnuTLS library. The problem affected Debian 9, which shipped an unpatched gnutls28 package; this caused failures when accessing deb.debian.org for users who had not installed updates in time (the gnutls28 3.5.8-5+deb9u6 fix was published on 17 September). As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
  • The acme-client utility in the distribution kit for building the OPNsense firewall failed; the problem had been reported in advance, but the developers did not manage to release a patch in time.
  • The problem affects the OpenSSL 1.0.2k package in RHEL/CentOS 7, but a week ago an update to the ca-certificates-2021.2.50-72.el7_9.noarch package was released for RHEL 7 and CentOS 7 from which the IdenTrust certificate was removed, i.e. the problem was headed off in advance. A similar update was published a week ago for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Since these updates were released in advance, the problem with verifying Let's Encrypt certificates only affected users of older RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc broke.
  • Builds on the Cloudflare Pages platform failed.
  • Problems at Amazon Web Services (AWS).
  • DigitalOcean users had problems connecting to databases.
  • The Netlify cloud platform went down.
  • Problems accessing Xero services.
  • Attempts to establish a TLS connection to the MailGun service's Web API failed.
  • Crashes on macOS and iOS versions (11, 13, 14), which in theory should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification errors when accessing the PostMan API.
  • Guardian Firewall crashed.
  • The monday.com support site broke.
  • The Cerb platform went down.
  • Uptime checks failed in Google Cloud Monitoring.
  • Certificate verification failures in Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto proxies.
  • OVHcloud had problems connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Ledger Live Manager crashed.
  • Certificate verification errors in Facebook's App Developer Tools.
  • Problems in Sophos SG UTM.
  • Certificate verification problems in cPanel.

source: opennet.ru
