Expiration of the AddTrust root certificate causes failures on systems with OpenSSL and GnuTLS
On May 30, the 20-year validity period of the AddTrust root certificate expired. This certificate was used to create the cross-signature in certificates of one of the major certificate authorities, Sectigo (Comodo). The cross-signature provided compatibility with legacy devices whose root certificate store does not include the new USERTrust root certificate.
In theory, the expiration of the AddTrust root certificate should only break compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), since the second root certificate used in the cross-signature remains valid and modern browsers take it into account when checking the chain of trust. In practice, problems appeared with cross-signature verification in non-browser TLS clients, including those based on OpenSSL 1.0.x and GnuTLS. A secure connection can no longer be established, failing with an error that the certificate has expired, if the server uses a Sectigo certificate linked by a chain of trust to the AddTrust root certificate.
While users of modern browsers did not notice the expiration of the AddTrust root certificate when processing cross-signed Sectigo certificates, problems began to surface in various third-party applications and server-side handlers, which disrupted the operation of many infrastructures that use encrypted communication channels for interaction between components.
For example, there were problems accessing some package repositories in Debian and Ubuntu (apt began to report a certificate verification error), requests from scripts using the "curl" and "wget" utilities began to fail, errors were observed when using Git, the Roku streaming platform was disrupted, Stripe and DataDog handlers stopped being called, crashes began to occur in Heroku applications, OpenLDAP clients stopped connecting, and problems were recorded with sending mail to SMTPS and to SMTP servers with STARTTLS. In addition, problems are observed in various Ruby, PHP and Python scripts that use a module with an HTTP client. Among browsers, the problem affects Epiphany, which stopped loading its ad-blocking lists.
It was assumed that the problem affects old distribution releases (including Debian 9, Ubuntu 16.04, RHEL 6/7) that use the problematic OpenSSL branches, but the problem also showed up when running the APT package manager on the current Debian 10 and Ubuntu 18.04/20.04 releases, since APT uses the GnuTLS library. The essence of the problem is that many TLS/SSL libraries parse a certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed distributed cyclic graph with several trust anchors that must be taken into account. This flaw in OpenSSL and GnuTLS has been known for many years. In OpenSSL the problem was fixed in the 1.1.1 branch, while in GnuTLS it remains unfixed.
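The difference between the two approaches can be seen in a simplified model, added here as an illustration and not taken from OpenSSL or GnuTLS. It matches certificates by name only (no signature checks), the certificate names and dates are constructed sample data, and the "commit to one chain" behaviour of `verify_linear` is an assumption of the model:

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample certificates; names and dates are illustrative only.
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust", "USERTrust", date(2038, 1, 18))
USERTRUST_CROSS = Cert("USERTrust", "AddTrust External CA Root", date(2020, 5, 30))
INTERMEDIATE = Cert("Sectigo Intermediate", "USERTrust", date(2030, 12, 31))
LEAF = Cert("example.test", "Sectigo Intermediate", date(2021, 6, 1))

def find(pool, name):
    """All certificates in pool whose subject matches name."""
    return [c for c in pool if c.subject == name]

def verify_linear(sent, store, today):
    """Commit to one chain: follow the server-sent certs, then one anchor lookup."""
    chain = [sent[0]]
    while True:  # extend with server-sent issuers first, no alternatives kept
        nxt = [c for c in find(sent, chain[-1].issuer) if c not in chain]
        if not nxt:
            break
        chain.append(nxt[0])
    while chain:  # back off only when no anchor exists at all
        anchors = find(store, chain[-1].issuer)
        if anchors:
            chain.append(anchors[0])
            # Expiry is checked after the path is fixed, so an expired
            # certificate fails the handshake instead of triggering a retry.
            return all(today <= c.not_after for c in chain)
        chain.pop()
    return False

def verify_graph(sent, store, today, cert=None, seen=()):
    """Depth-first search over every issuer candidate, in the spirit of RFC 4158."""
    cert = cert or sent[0]
    if today > cert.not_after or cert in seen:
        return False  # expired edge or loop: abandon this branch only
    if cert in store:
        return True   # reached a valid trust anchor
    candidates = find(store, cert.issuer) + find(sent, cert.issuer)
    return any(verify_graph(sent, store, today, c, seen + (cert,)) for c in candidates)
```

With the sample data, `verify_linear` fails once the cross-signed path has expired, while `verify_graph` still succeeds through the second trust anchor.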
As a workaround, it is suggested to remove the "AddTrust External CA Root" certificate from the system store (for example, remove it from /etc/ca-certificates.conf and /etc/ssl/certs, and then run "update-ca-certificates -f -v"), after which OpenSSL starts to process cross-signed certificates involving it normally. When using the APT package manager, you can disable certificate verification for individual requests at your own risk (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false").
To block the problem in Fedora and RHEL, it is suggested to add the AddTrust certificate to the blacklist:
However, this method does not work for GnuTLS (for example, the certificate verification error still appears when running wget).
On the server side, you can change the order in which certificates are listed in the chain of trust that the server sends to the client (if the certificate linked to "AddTrust External CA Root" is removed from the list, the client's verification will succeed). To check and generate a new chain of trust, you can use the whatsmychaincert.com service. Sectigo has also provided an alternative cross-signed intermediate certificate, "AAA Certificate Services", which will be valid until 2028 and will preserve compatibility with older OS versions.
Addendum: The problem also appears in LibreSSL.