AddTrust root certificate expiration causes failures on OpenSSL and GnuTLS systems
On May 30, the 20-year validity period of the AddTrust root certificate expired. This root was used to form the cross-signature in certificates issued by one of the largest certificate authorities, Sectigo (Comodo). Cross-signing provided compatibility with legacy devices that did not have the newer USERTrust root certificate in their root certificate store.
In theory, the expiration of the AddTrust root certificate should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, and so on), since the second root certificate used in the cross-signing chain remains valid and modern browsers take it into account when verifying the chain of trust. In practice, problems arose with cross-signature verification in non-browser TLS clients, including those based on OpenSSL 1.0.x and GnuTLS. A secure connection is no longer established, with an error stating that the certificate has expired, if the server uses a Sectigo certificate whose chain of trust leads to the AddTrust root certificate.
While users of modern browsers did not notice the expiration of the AddTrust root certificate when processing cross-signed Sectigo certificates, problems began to appear in various third-party applications and server-side handlers, which disrupted many infrastructures that use encrypted communication channels between their components.
For example, there were problems accessing some repositories in Debian and Ubuntu (apt began reporting certificate verification errors), requests from scripts using the "curl" and "wget" utilities started to fail, errors were observed when using Git, the Roku streaming platform stopped working, Stripe and DataDog handlers stopped being called, crashes began to occur in Heroku applications, OpenLDAP clients stopped connecting, and problems were found sending mail to SMTPS and SMTP servers with STARTTLS. In addition, problems were observed in various Ruby, PHP and Python scripts that use a module with an HTTP client. Among browsers, the problem affected Epiphany, which stopped loading blocklists.
Go programs were not affected by the problem, since Go has its own TLS implementation.
It was assumed that the problem affects older distributions (such as Debian 9, Ubuntu 16.04, RHEL 6/7) that use the problematic OpenSSL branches, but the problem also manifested itself when the APT package manager was run on the current releases of Debian 10 and Ubuntu 18.04/20.04, since APT uses the GnuTLS library. The essence of the problem is that many TLS/SSL libraries parse a certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed graph with several trust anchors, all of which need to be taken into account. This flaw in OpenSSL and GnuTLS has been known for many years. In OpenSSL the problem was fixed in the 1.1.1 branch, but in GnuTLS it remains unfixed.
As a workaround, it is suggested to remove the "AddTrust External CA Root" certificate from the system store (for example, remove it from /etc/ca-certificates.conf and /etc/ssl/certs, and then run "update-ca-certificates -f -v"), after which OpenSSL starts to process cross-signed certificates that involve it normally. When using the APT package manager, you can disable certificate verification for an individual source at your own risk (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false").
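The linear-chain flaw described in the previous paragraph and the effect of the trust-store workaround above can be made concrete with a small model. The following is an added example, not code from the original article and not code from OpenSSL or GnuTLS: certificates are constructed plain records (subject, issuer, notAfter) rather than real X.509, the dates are approximations of the ones involved, and the names are modelled on the chain the article describes (a Sectigo leaf, a Sectigo intermediate, a USERTrust CA cross-signed by the expired AddTrust root, and two trust anchors in the store). It contrasts a linear validator that fixes the chain before checking validity dates with an RFC 4158-style path builder that explores every issuer candidate and prunes expired branches.

```python
"""Constructed model of certificate path building around the AddTrust expiry.

Added example, not code from the original article or from OpenSSL/GnuTLS.
Certificates are plain records, not real X.509; dates are approximate.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample data (approximate dates, names modelled on the article).
TODAY = date(2020, 6, 1)  # just after the AddTrust root expired on 2020-05-30
LEAF = Cert("example.com", "Sectigo RSA DV CA", date(2021, 1, 1))
SECTIGO_CA = Cert("Sectigo RSA DV CA", "USERTrust RSA CA", date(2030, 12, 31))
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))

PRESENTED = [LEAF, SECTIGO_CA, USERTRUST_CROSS]         # what the server sends
STORE_WITH_ADDTRUST = [USERTRUST_ROOT, ADDTRUST_ROOT]   # typical store before the workaround
STORE_WITHOUT_ADDTRUST = [USERTRUST_ROOT]               # store after removing AddTrust


def _find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    return next((c for c in pool if c.subject == cert.issuer), None)


def validate_linear(presented: List[Cert], store: List[Cert], today: date) -> Tuple[bool, str]:
    """Linear-chain behaviour modelled on OpenSSL 1.0.x: take the presented chain
    as-is, look up the top certificate's issuer in the store, and fall back to a
    shorter chain only when no issuer is found there. Validity dates are checked
    after the chain is fixed, so an expired anchor found in the store is used and
    then rejected."""
    chain = list(presented)
    if chain[-1] not in store:
        anchor = _find_issuer(chain[-1], store)
        if anchor is not None:
            chain.append(anchor)
        else:
            # Fallback: drop certificates from the top until one of the
            # remaining ones has an issuer in the store.
            for j in range(len(chain) - 1, 0, -1):
                anchor = _find_issuer(chain[j - 1], store)
                if anchor is not None:
                    chain = chain[:j] + [anchor]
                    break
    if chain[-1] not in store:
        return False, "unable to get issuer certificate"
    for c in reversed(chain):  # checked from the anchor down
        if c.not_after < today:
            return False, f"certificate has expired: {c.subject}"
    return True, " -> ".join(c.subject for c in chain)


def validate_graph(presented: List[Cert], store: List[Cert], today: date) -> Tuple[bool, str]:
    """RFC 4158-style path building: treat presented certificates and trust
    anchors as a graph and search every issuer candidate, pruning expired
    nodes, until a valid self-signed trust anchor is reached."""
    pool = list(presented) + list(store)

    def search(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if cert.not_after < today:
            return None  # dead branch, try another issuer
        path = path + [cert]
        if cert in store and cert.is_self_signed():
            return path  # reached a valid trust anchor
        for candidate in pool:
            if candidate.subject == cert.issuer and candidate not in path:
                found = search(candidate, path)
                if found:
                    return found
        return None

    path = search(presented[0], [])
    if path is None:
        return False, "no valid path to a trust anchor"
    return True, " -> ".join(c.subject for c in path)


if __name__ == "__main__":
    print("linear, AddTrust in store:   ", validate_linear(PRESENTED, STORE_WITH_ADDTRUST, TODAY))
    print("linear, AddTrust removed:    ", validate_linear(PRESENTED, STORE_WITHOUT_ADDTRUST, TODAY))
    print("path building, full store:   ", validate_graph(PRESENTED, STORE_WITH_ADDTRUST, TODAY))
```

Running it shows the three situations from the article: the linear validator rejects the connection while the expired AddTrust root is in the store (it builds the chain up to AddTrust and only then checks dates), it accepts the same server chain once AddTrust is removed (the fallback now lands on the self-signed USERTrust root), and the graph-based path builder accepts it with the full store because the expired cross-signed branch is pruned and the alternative anchor is found.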
To work around the problem on Fedora and RHEL, it is suggested to add the AddTrust certificate to the blacklist: