Failures in OpenBSD, DragonFly BSD and Electron caused by the expiry of the IdenTrust root certificate

The expiry of the IdenTrust root certificate (DST Root CA X3) on 30 September 2021, which had been used to cross-sign the root certificate of the Let's Encrypt CA, has broken verification of Let's Encrypt certificates in projects that use old versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers had not taken into account the earlier experience with the failures that followed the expiry of the AddTrust root certificate of the Sectigo (Comodo) CA.

Recall that OpenSSL releases up to and including the 1.0.2 branch, and GnuTLS before release 3.6.14, contained a bug that prevented cross-signed certificates from being handled correctly once one of the root certificates involved in the signing had expired, even when other valid trust chains remained (in the Let's Encrypt case, the expiry of the IdenTrust root blocks verification even on systems that trust Let's Encrypt's own ISRG Root X1 root certificate, which is valid until 2035). The root cause is that the old versions of OpenSSL and GnuTLS treated the certificates as a single linear chain: the chain was extended through the certificates supplied by the peer, the trust store was consulted only for the issuer of the topmost one, and the resulting path (ending in the expired DST Root CA X3) was rejected without any attempt at an alternative. RFC 4158, by contrast, describes the available certificates as a directed graph that may contain cycles (cross-certification) and several trust anchors; a path builder has to explore that graph, discarding candidate paths that fail (expired certificate, unknown issuer) and trying the next one. OpenSSL 1.0.2 already offered the X509_V_FLAG_TRUSTED_FIRST option (-trusted_first in openssl verify), which prefers certificates from the trust store at every step and avoids the problem, but it became the default only in OpenSSL 1.1.0.

As a workaround it is suggested to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run "update-ca-certificates -f -v". On Debian-based systems the entry is disabled by prefixing its line in /etc/ca-certificates.conf with "!" (i.e. "!mozilla/DST_Root_CA_X3.crt") before running that command; deleting only the symlink in /etc/ssl/certs is not enough, because update-ca-certificates recreates it from the configuration file. On CentOS and RHEL the "DST Root CA X3" certificate can be added to the blacklist instead:

  trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
  sudo update-ca-trust extract

The id in the filter is the subjectKeyIdentifier of DST Root CA X3. After "update-ca-trust extract", "trust list | grep -B2 -A3 'DST Root CA X3'" should no longer report the certificate as a trust anchor, and "openssl verify" against the regenerated bundle should accept a Let's Encrypt chain again.
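To make the difference between the two path-building strategies concrete, and to show why removing DST Root CA X3 from the store is a valid workaround even for the old verifier, here is an added example (not code from the article, OpenSSL, GnuTLS or Let's Encrypt): a toy Python model of a linear, peer-chain-first builder versus a trusted-first, backtracking builder, run over the Let's Encrypt hierarchy as it was served in 2021. The notAfter dates are those of the real certificates at day granularity; the leaf certificate and the example.com name are constructed; issuer links are matched by name only, so this models path selection, not signature checking, and verify_legacy is a simplification of OpenSSL 1.0.2's behaviour (including its alternative-chain fallback), not its code.

```python
"""Toy model of certificate path building: linear (peer chain first) versus
trusted-first with backtracking. Issuer links are matched by name only; this
shows path selection, not signature checking, and is not OpenSSL's code."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Let's Encrypt hierarchy as served in 2021. notAfter dates are those of the
# real certificates (day granularity); the leaf is constructed for the example.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, tzinfo=UTC))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
ISRG_X1_XS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))  # cross-signed
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
LEAF = Cert("example.com", "R3", datetime(2021, 12, 1, tzinfo=UTC))  # constructed

SERVED_CHAIN = [R3, ISRG_X1_XS]  # what a Let's Encrypt server sent alongside the leaf
T_BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=UTC)
T_AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)


def _expired(c, at):
    return at > c.not_after


def _issuer_from(c, pool):
    return next((p for p in pool if p.subject == c.issuer), None)


def _names(chain):
    return [(c.subject, c.issuer) for c in chain]


def verify_legacy(leaf, untrusted, store, at):
    """Simplified model of the OpenSSL <= 1.0.2 default strategy: extend the
    chain through the peer-supplied certs first, consult the trust store only
    for the issuer of the topmost one, and check validity dates last without
    backtracking. A trusted-but-expired anchor is fatal even if the store also
    holds a valid anchor for a cert lower in the chain."""
    chain, pool = [leaf], list(untrusted)
    while not chain[-1].self_signed:
        nxt = _issuer_from(chain[-1], pool)
        if nxt is None:
            break
        pool.remove(nxt)
        chain.append(nxt)
    anchor = _issuer_from(chain[-1], store)
    while anchor is None and len(chain) > 1:
        # Alternative-chain fallback (OpenSSL 1.0.2d+): reached only when the top
        # cert has no trusted issuer at all; shorten the chain until one does.
        chain.pop()
        anchor = _issuer_from(chain[-1], store)
    if anchor is None:
        return False, "unable to get issuer certificate", _names(chain)
    if anchor != chain[-1]:
        chain.append(anchor)
    for c in chain:
        if _expired(c, at):
            return False, f"certificate has expired: {c.subject}", _names(chain)
    return True, "ok", _names(chain)


def verify_graph(leaf, untrusted, store, at):
    """RFC 4158-style depth-first path building as OpenSSL >= 1.1.0 does it
    (trusted store consulted first at every step): an expired or dead-end
    candidate issuer is skipped and the next one is tried."""
    def extend(chain):
        top = chain[-1]
        if top in store:
            return chain
        cands = [c for c in store if c.subject == top.issuer]
        cands += [c for c in untrusted if c.subject == top.issuer and c not in chain]
        for cand in cands:
            if _expired(cand, at):
                continue  # prune this branch, keep searching
            found = extend(chain + [cand])
            if found is not None:
                return found
        return None

    if _expired(leaf, at):
        return False, f"certificate has expired: {leaf.subject}", _names([leaf])
    path = extend([leaf])
    if path is None:
        return False, "no valid path to a trust anchor", _names([leaf])
    return True, "ok", _names(path)


if __name__ == "__main__":
    for label, store in (("DST + ISRG X1 in store", [DST_ROOT, ISRG_X1]),
                         ("DST removed (workaround)", [ISRG_X1]),
                         ("only DST in store", [DST_ROOT])):
        print(label)
        for name, fn in (("legacy", verify_legacy), ("graph ", verify_graph)):
            ok, why, path = fn(LEAF, SERVED_CHAIN, store, T_AFTER_EXPIRY)
            print(f"  {name}: {'OK ' if ok else 'ERR'} {why}; path={[s for s, _ in path]}")
```

Running the script shows the three situations discussed above: with both roots in the store the legacy builder ends in the expired DST Root CA X3 and fails while the graph builder finds the path through the self-signed ISRG Root X1; with DST Root CA X3 removed the legacy builder's fallback also reaches ISRG Root X1, which is why the workaround is sufficient; with only DST Root CA X3 in the store no strategy can help, because no valid anchor exists.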

Some of the failures that have shown up since the IdenTrust root certificate expired:

  • On OpenBSD, the syspatch utility used to install binary system updates stopped working. The OpenBSD project today issued emergency patches for the 6.8 and 6.9 branches that fix the problems in LibreSSL with verifying cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since the updates are additionally verified by their signify digital signature) or to choose an alternative mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). The expired DST Root CA X3 root certificate can also be removed from the file /etc/ssl/cert.pem.
  • On DragonFly BSD, similar problems show up when working with DPorts: starting the pkg package manager produces a certificate verification error. A fix has today been committed to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround the DST Root CA X3 certificate can be removed.
  • Verification of Let's Encrypt certificates broke in applications built on the Electron platform. The problem is fixed in updates 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
  • Some systems cannot reach package repositories through the APT package manager when it is linked against old versions of the GnuTLS library. Debian 9 was affected: it shipped an unpatched GnuTLS package, which caused problems reaching deb.debian.org for users who had not installed the update in time (the fix, gnutls28 3.5.8-5+deb9u6, was offered on 17 September). As a workaround it is recommended to remove DST_Root_CA_X3.crt from the file /etc/ca-certificates.conf.
  • acme-client stopped working in OPNsense, the distribution for building firewalls; the problem had been reported in advance, but the developers did not manage to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7, but a week earlier an update of the ca-certificates package (ca-certificates-2021.2.50-72.el7_9.noarch) had been prepared for RHEL 7 and CentOS 7 with the IdenTrust certificate removed, so the problem was headed off in advance. A similar update was published a week earlier for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Because these updates were released ahead of time, the Let's Encrypt verification problem only affected users of old RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification broke in grpc.
  • Builds on the Cloudflare Pages platform failed.
  • Problems in Amazon Web Services (AWS).
  • DigitalOcean users had problems connecting to their databases.
  • The Netlify cloud platform failed.
  • Problems reaching Xero services.
  • TLS connections to the MailGun Web API could not be established.
  • Failures on macOS and iOS releases (11, 13, 14) that should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification errors when accessing the PostMan API.
  • The Guardian Firewall failed.
  • The monday.com support page broke.
  • The Cerb platform failed.
  • Uptime checks in Google Cloud Monitoring failed.
  • Certificate verification problems in Cisco Umbrella Secure Web Gateway.
  • Problems with Bluecoat and Palo Alto proxies.
  • OVHcloud had problems with its OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Ledger Live Manager failed.
  • Certificate verification errors in Facebook App Developer Tools.
  • Problems in Sophos SG UTM.
  • Certificate verification problems in cPanel.

Source: opennet.ru
