Expiry of the AddTrust root certificate causes failures on OpenSSL and GnuTLS systems

On May 30 the 20-year validity period of the AddTrust root certificate ran out. That root had been used to cross-sign certificates of one of the largest certificate authorities, Sectigo (Comodo). The cross-signing existed for compatibility with legacy devices that do not have the newer USERTrust root certificate in their root certificate store.

In theory, the expiry of the AddTrust root should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), since the second root certificate used in the cross-signing remains valid and modern browsers take it into account when building the chain of trust. In practice, cross-signature verification failed in non-browser TLS clients, including those based on OpenSSL 1.0.x and GnuTLS. Secure connections could no longer be established: whenever the server used a Sectigo certificate whose chain of trust led to the AddTrust root, the client reported an error saying the certificate had expired.

While users of modern browsers did not notice the expiry of the AddTrust root when handling cross-signed Sectigo certificates, problems began to surface in various third-party applications and server-side handlers, disrupting many infrastructures that use encrypted channels for communication between their components.

For example, access to some package repositories in Debian and Ubuntu broke (apt started raising certificate verification errors), requests from scripts using the curl and wget utilities began to fail, errors were observed when using Git, the Roku streaming platform malfunctioned, Stripe and DataDog handlers stopped being called, Heroku apps started crashing, OpenLDAP clients stopped connecting, and problems were found with mail delivery to SMTPS servers and to SMTP servers using STARTTLS. Problems were also seen in various Ruby, PHP and Python scripts that use modules with a built-in HTTP client. Among browsers, the problem affected Epiphany, which stopped loading its ad-blocking lists.

The problem does not affect Go programs, since Go ships its own TLS implementation.

The problem was expected to affect only older distribution releases (including Debian 9, Ubuntu 16.04, RHEL 6/7) that use the problematic OpenSSL branches, but it also showed up when the APT package manager ran on the current Debian 10 and Ubuntu 18.04/20.04 releases, since APT uses the GnuTLS library. The essence of the problem is that many TLS/SSL libraries validate certificates as a single linear chain, whereas according to RFC 4158 certificates can form a distributed graph, possibly with cycles, with several trust anchors that all need to be considered during path building. This flaw in OpenSSL and GnuTLS has been known for many years. In OpenSSL it was fixed in the 1.1.1 branch; in GnuTLS it remains unfixed at the time of writing.

As a workaround it is recommended to remove the "AddTrust External CA Root" certificate from the system store (for example, drop it from /etc/ca-certificates.conf and /etc/ssl/certs, then run "update-ca-certificates -f -v"), after which OpenSSL starts handling cross-signed certificates correctly. When using the APT package manager you can also, at your own risk, disable certificate verification for individual requests (for example, "apt update -o Acquire::https::download.jitsi.org::Verify-Peer=false"). Note that Verify-Peer=false turns off server authentication entirely for that host, so removing the expired root from the store is the safer of the two options.

To work around the problem on Fedora and RHEL it is recommended to add the AddTrust certificate to the blacklist (the pkcs11 id below is the subject key identifier of "AddTrust External CA Root"):

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" \
    > /etc/pki/ca-trust/source/blacklist/adtrust-external-root.p11-kit
update-ca-trust extract

However, this method does not help for GnuTLS (for example, the certificate verification error keeps appearing when running wget).

On the server side you can change the order and composition of the certificates in the chain of trust that the server sends to the client: if the intermediate certificate tied to "AddTrust External CA Root" is removed from the list, client verification succeeds. To check and generate a new chain of trust you can use the whatsmychaincert.com service. Sectigo also offers an alternative cross-signed intermediate chaining to "AAA Certificate Services", which remains valid until 2028 and keeps compatibility with older OS versions.
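The following script is an added example and is not part of the original article or of any OpenSSL or Sectigo tooling. It builds a throwaway PKI that reproduces the situation described above: an "Old Root" (standing in for AddTrust External CA Root) that expires, a long-lived "New Root" (standing in for the USERTrust root), a cross-certificate for New Root signed by Old Root, and a leaf for the made-up host example.test. It then runs `openssl verify` at a point in time after the old root has expired, against the three client trust stores discussed in the text (both roots, only the new root as after removing the expired one, only the old root) and against the two chains a server might send (with and without the cross-certificate). A last helper reports whether a served chain still names the expired root as an issuer, which is the check to run on the output of `openssl s_client -showcerts`. All names, file paths and the two-day "verification time" are constructed for the demo; the script requires only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the expired-cross-signer
# scenario with a constructed PKI and show which store/chain combinations verify.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Verification time two days ahead: the 1-day "old" certificates are then expired
# while the long-lived "new" ones are still valid (the state after 2020-05-30).
ATTIME=$(( $(date +%s) + 2 * 86400 ))

# Minimal config files so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }
new_csr() { openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"; }

build_demo_pki() {
  for n in old new leaf; do new_key "$n"; done
  new_csr old "Old Root"      # plays AddTrust External CA Root (about to expire)
  new_csr new "New Root"      # plays the USERTrust root (valid for years)
  new_csr leaf example.test   # the site certificate (constructed host name)
  # Self-signed roots: old one valid 1 day, new one 10 years.
  openssl x509 -req -in "$WORK/old.csr" -signkey "$WORK/old.key" -days 1 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/old-root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/new.csr" -signkey "$WORK/new.key" -days 3650 \
    -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/new-root.pem" 2>/dev/null
  # Cross-certificate: New Root's key, signed by Old Root, expiring together with it.
  openssl x509 -req -in "$WORK/new.csr" -CA "$WORK/old-root.pem" -CAkey "$WORK/old.key" \
    -days 1 -set_serial 3 -extfile "$WORK/ca.ext" -out "$WORK/cross.pem" 2>/dev/null
  # Leaf issued by New Root.
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/new-root.pem" -CAkey "$WORK/new.key" \
    -days 365 -set_serial 4 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # Client trust stores: legacy (both roots), after removing the expired root, old root only.
  cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/store-both.pem"
  cp "$WORK/new-root.pem" "$WORK/store-new.pem"
  cp "$WORK/old-root.pem" "$WORK/store-old.pem"
  # Chains as a server would send them: with the cross-certificate and trimmed.
  cat "$WORK/leaf.pem" "$WORK/cross.pem" > "$WORK/chain-with-cross.pem"
  cp "$WORK/leaf.pem" "$WORK/chain-trimmed.pem"
}

# verify_leaf STORE CHAIN -> "ok" or "fail"; STORE is old|new|both, CHAIN is with-cross|trimmed.
verify_leaf() {
  if openssl verify -attime "$ATTIME" -CAfile "$WORK/store-$1.pem" \
       -untrusted "$WORK/chain-$2.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# chain_issued_by CHAIN ISSUER_CN -> "yes" if any certificate in the served chain
# names that issuer; run the same pipeline on `openssl s_client -showcerts` output.
chain_issued_by() {
  if openssl crl2pkcs7 -nocrl -certfile "$WORK/chain-$1.pem" \
       | openssl pkcs7 -print_certs -noout | grep -q "^issuer=.*$2"
  then echo yes; else echo no; fi
}

build_demo_pki
for store in old both new; do
  for chain in with-cross trimmed; do
    printf 'store=%-4s chain=%-10s -> %s\n' "$store" "$chain" "$(verify_leaf "$store" "$chain")"
  done
done
printf 'served chain still names "Old Root" as issuer: %s\n' "$(chain_issued_by with-cross 'Old Root')"
```

On OpenSSL 1.1.0 and later the store=both/chain=with-cross case verifies, because the library prefers the trusted self-signed "New Root" from the store over the untrusted, expired cross-certificate sent by the server (this is the chain-building fix the text refers to). On OpenSSL 1.0.x and the affected GnuTLS versions that same combination fails, which is exactly the outage described above; the two remedies are visible in the other rows: dropping the expired root from the store (store=new) or dropping the cross-certificate from the served chain (chain=trimmed) both restore successful verification.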

Additionally: the problem also manifests in LibreSSL.

source: budenet.ru