Expiry of the IdenTrust root certificate will lead to loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expires. It was used to cross-sign the root certificate (ISRG Root X1) of the Let's Encrypt certificate authority, which is controlled by the community and provides certificates free of charge to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted across a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being added to root certificate stores.

It was originally planned that after DST Root CA X3 expired, the Let's Encrypt project would switch to generating signatures using only its own root certificate, but that move would break compatibility with a large number of older systems that have not added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no data on the Let's Encrypt root certificate, support for which appeared only starting with the Android 7.1.1 platform, released at the end of 2016.

Let's Encrypt did not plan to enter into a new cross-signing agreement, since such an agreement places additional responsibility on the parties, deprives them of independence, and ties their hands by requiring compliance with all the procedures and rules of another certificate authority. But because of the potential problems on a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certificate authority, under which a cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will maintain support for Android devices starting with version 2.3.6.

However, the new intermediate certificate does not cover other legacy systems. For example, when the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems, which require the ISRG Root X1 certificate to be added manually to the root certificate store to establish trust in Let's Encrypt certificates. Problems will appear in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being processed correctly if one of the root certificates used for signing has expired, even if other valid chains of trust remain. The problem first surfaced last year after the expiry of the AddTrust certificate used to cross-sign certificates from the Sectigo (Comodo) certificate authority. The crux of the problem is that OpenSSL parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed cyclic graph with multiple trust anchors that have to be taken into account.

Users of older distributions based on the OpenSSL 1.0.2 branch are offered three workarounds for the problem:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, you can specify the "-trusted_first" option.
  • Use on the server a certificate certified by the separate ISRG Root X1 root certificate, which has no cross-signature. This method will lead to loss of compatibility with older Android clients.
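The linear-chain failure and the effect of each of the three workarounds can be reproduced with a small model. This is an added example, not code from the article or from OpenSSL: a simplified Python model of path building that checks only names and expiry dates. The intermediate name R3, the host example.org and all validity dates are assumptions made for the illustration.

```python
from datetime import date

NOW = date(2021, 10, 1)  # constructed "today": the day after DST Root CA X3 expires

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed stand-ins: R3, example.org and all dates are illustrative; no signatures.
LEAF = cert("example.org", "R3", date(2021, 12, 1))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

LONG_CHAIN = [LEAF, R3, X1_CROSS]   # server sends the cross-signed ISRG Root X1
SHORT_CHAIN = [LEAF, R3]            # workaround 3: chain ends at self-signed X1

def find(pool, name):
    return next((c for c in pool if c["subject"] == name), None)

def build_path(sent, store, trusted_first=False):
    """Return the path leaf..anchor, or None if no trust anchor is reachable."""
    path, extra = [sent[0]], sent[1:]
    while True:  # phase 1: extend the chain with server-supplied certificates
        issuer = path[-1]["issuer"]
        if trusted_first and find(store, issuer):
            break  # a trusted issuer wins over anything the server sent
        nxt = find(extra, issuer)
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    while path:  # phase 2: look for an anchor, dropping sent certs if none is found
        anchor = find(store, path[-1]["issuer"])
        if anchor:
            return path + [anchor]
        path.pop()
    return None

def verify(sent, store, trusted_first=False, now=NOW):
    path = build_path(sent, store, trusted_first)
    if path is None:
        return "no path to a trust anchor"
    expired = [c["subject"] for c in path if c["not_after"] < now]
    return "expired: " + ", ".join(expired) if expired else "ok"

if __name__ == "__main__":
    both = [DST_X3, X1_SELF]
    print("linear, both roots     :", verify(LONG_CHAIN, both))
    print("-trusted_first         :", verify(LONG_CHAIN, both, trusted_first=True))
    print("DST Root CA X3 removed :", verify(LONG_CHAIN, [X1_SELF]))
    print("short chain, X1 absent :", verify(SHORT_CHAIN, [DST_X3]))
```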

In addition, we can note that the Let's Encrypt project has passed the milestone of two billion certificates generated. The one-billion milestone was reached in February of last year. 2.2-2.4 million new certificates are generated every day. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (195 million domains were covered a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (a year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).

Source: opennet.ru
