AddTrust root certificate expiry breaks OpenSSL- and GnuTLS-based systems

On May 30, the 20-year validity period of the AddTrust root certificate expired. This root was used to build a cross-signature into the certificates of one of the largest certificate authorities, Sectigo (Comodo). The cross-signature provided compatibility with legacy devices whose root certificate stores did not yet include the newer USERTrust root certificate.

In theory, the expiry of the AddTrust root should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), since the second root certificate used in the cross-signature remains valid and modern browsers take it into account when verifying the chain of trust. In practice, problems verifying cross-signed certificates appeared in non-browser TLS clients, including those based on OpenSSL 1.0.x and GnuTLS. A secure connection is no longer established and the client reports an error indicating that the certificate has expired, if the server uses a Sectigo certificate whose chain of trust leads to the AddTrust root certificate.

While users of modern browsers did not notice the AddTrust root expiry when processing cross-signed Sectigo certificates, problems began to surface in many third-party applications and server-side handlers, breaking the operation of numerous infrastructures that use encrypted channels for communication between components.

For example, access to some Debian and Ubuntu repositories broke (apt started reporting certificate verification errors), requests from scripts using the "curl" and "wget" utilities started failing, errors appeared when using Git, the Roku streaming platform stopped working, Stripe and DataDog handlers were no longer invoked, crashes started occurring in Heroku apps, OpenLDAP clients stopped connecting, and mail delivery to SMTPS servers and to SMTP servers using STARTTLS failed. Problems were also observed in various Ruby, PHP and Python scripts that use an HTTP client module. Among browsers, the problem affected Epiphany, which stopped loading its block lists.

Go programs are not affected, because Go ships its own TLS implementation.

It was initially assumed that the problem affected only older distributions (such as Debian 9, Ubuntu 16.04, RHEL 6/7) that use the problematic OpenSSL branches, but it also manifested itself when the APT package manager was run on current releases of Debian 10 and Ubuntu 18.04/20.04, since APT uses the GnuTLS library. The essence of the problem is that many TLS/SSL libraries treat the certificates as a single linear chain, whereas per RFC 4158 the certificates can form a directed graph with multiple trust anchors, all of which need to be taken into account when building a path. This shortcoming in OpenSSL and GnuTLS has been known for many years. In OpenSSL the problem was fixed in the 1.1.1 branch; in GnuTLS it remains unfixed.

As a workaround, it is suggested to remove the "AddTrust External CA Root" certificate from the system store (for example, remove it from /etc/ca-certificates.conf and /etc/ssl/certs, then run "update-ca-certificates -f -v"), after which OpenSSL processes the cross-signed certificates normally without it. When using the APT package manager, you can disable certificate verification for an individual host at your own risk (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false").

To work around the problem on Fedora and RHEL, it was suggested to add the AddTrust certificate to the blacklist:

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" \
> /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust extract

This method does not help with GnuTLS, however (for example, the certificate error still occurs when running the wget utility).

On the server side, you can change the set and order of certificates in the chain of trust that the server sends to the client: if the intermediate certificate linked to "AddTrust External CA Root" is removed from the list, client-side verification succeeds. To check an existing chain and generate a new one, you can use the whatsmychaincert.com service. Sectigo also offers an alternative cross-signed intermediate certificate, "AAA Certificate Services", which is valid until 2028 and provides compatibility with older OS versions.
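The path-building difference described above (a linear chain walk versus an RFC 4158 style graph search) and the server-side fix of dropping the AddTrust-linked intermediate, as an added illustration that is not part of the original article and is not OpenSSL or GnuTLS code. Certificates are modelled as small records carrying only subject, issuer and expiry; the names and dates are constructed to mirror the Sectigo/USERTrust/AddTrust hierarchy, www.example.com is a placeholder server name, and no signatures are checked.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields
    that matter for path building are modelled."""
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample hierarchy (names/dates mirror the real one, but these
# are not real certificates and nothing is cryptographically verified).
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority", date(2038, 1, 18))
# The cross-signed USERTrust certificate expired on the same day as AddTrust.
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",
                       "AddTrust External CA Root", date(2020, 5, 30))
SECTIGO_DV = Cert("Sectigo RSA Domain Validation Secure Server CA",
                  "USERTrust RSA Certification Authority", date(2030, 12, 31))
LEAF = Cert("www.example.com", "Sectigo RSA Domain Validation Secure Server CA", date(2021, 5, 30))

# What a typical Sectigo-issued server kept sending after 30 May 2020.
SERVER_CHAIN = [LEAF, SECTIGO_DV, USERTRUST_CROSS]
# A client trust store that still contains the expired AddTrust root.
TRUST_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]

CHECK_DATE = date(2020, 6, 1)      # the day after the expiry
BEFORE_EXPIRY = date(2020, 5, 1)   # for comparison


def valid_at(cert: Cert, when: date) -> bool:
    return when <= cert.not_after


def verify_linear(chain, store, when=CHECK_DATE):
    """Single-path builder (the OpenSSL 1.0.x / GnuTLS style behaviour).
    Prefers issuers supplied by the server, consults the trust store only
    when the server-sent chain runs out, and never backtracks.
    Returns (ok, reason)."""
    cur = chain[0]
    while True:
        if not valid_at(cur, when):
            return False, f"certificate has expired: {cur.subject} (issued by {cur.issuer})"
        if cur.self_signed:
            return cur in store, f"reached root {cur.subject}"
        sent = [c for c in chain if c.subject == cur.issuer and c != cur]
        if sent:
            cur = sent[0]
            continue
        anchors = [c for c in store if c.subject == cur.issuer]
        if not anchors:
            return False, f"unable to get issuer certificate: {cur.issuer}"
        cur = anchors[0]


def verify_graph(chain, store, when=CHECK_DATE):
    """RFC 4158 style builder: every known certificate is a node, and any
    path from the leaf to a valid trust anchor is accepted. Issuers are
    tried in the same order as verify_linear, so the only difference is
    backtracking. Returns the list of subjects on the path, or None."""
    def search(cur, path):
        if not valid_at(cur, when):
            return None
        if cur in store:
            return [c.subject for c in path]
        if cur.self_signed:
            return None
        candidates = [c for c in chain if c.subject == cur.issuer and c != cur]
        candidates += [c for c in store if c.subject == cur.issuer and c not in candidates]
        for nxt in candidates:
            if nxt in path:
                continue
            found = search(nxt, path + [nxt])
            if found:
                return found
        return None
    return search(chain[0], [chain[0]])


def drop_addtrust_link(chain):
    """Server-side workaround: stop sending the intermediate that chains
    to the AddTrust root, so the client has to fall back to its store."""
    return [c for c in chain if c.issuer != ADDTRUST_ROOT.subject]


if __name__ == "__main__":
    print("linear, original chain:", verify_linear(SERVER_CHAIN, TRUST_STORE))
    print("graph,  original chain:", verify_graph(SERVER_CHAIN, TRUST_STORE))
    print("linear, trimmed chain: ", verify_linear(drop_addtrust_link(SERVER_CHAIN), TRUST_STORE))
```

With the check date set to 1 June 2020, the linear walk fails on the expired cross-signed USERTrust certificate, while the graph search backtracks from that dead end to the self-signed USERTrust root in the trust store. Trimming the cross-signed certificate from the server's chain also lets the linear walk succeed, which is why shortening the chain on the server side works as a workaround. Real implementations match issuers by key identifier and verify signatures, which this model omits.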

Update: the problem also occurs in LibreSSL.

Source: opennet.ru
