Expiration of the AddTrust root certificate causes failures on systems with OpenSSL and GnuTLS

On May 30, the 20-year validity period of the AddTrust root certificate expired. It was used to produce the cross-signature in certificates issued by Sectigo (Comodo), one of the major certificate authorities. The cross-signature provided compatibility with legacy devices whose root certificate store did not include the new USERTrust root certificate.

In theory, the expiration of the AddTrust root certificate should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), because the second root certificate used in the cross-signature remains valid and modern browsers take it into account when checking the chain of trust. In practice, problems appeared with cross-signature verification in non-browser TLS clients, including those based on OpenSSL 1.0.x and GnuTLS. A secure connection can no longer be established, and an error reports that the certificate has expired, if the server uses a Sectigo certificate linked by a chain of trust to the AddTrust root certificate.

While users of modern browsers did not notice the expiration of the AddTrust root certificate when cross-signed Sectigo certificates were processed, problems began to surface in various third-party applications and server-side handlers. This disrupted the operation of many infrastructures that use encrypted communication channels for interaction between components.

For example, there were problems accessing some package repositories in Debian and Ubuntu (apt started reporting a certificate verification error), requests from scripts using the "curl" and "wget" utilities started failing, errors were observed when using Git, the Roku streaming platform was disrupted, Stripe and DataDog handlers were no longer called, crashes started occurring in Heroku applications, OpenLDAP clients stopped connecting, and problems were recorded with sending mail to SMTPS servers and SMTP servers with STARTTLS. In addition, problems are observed in various Ruby, PHP and Python scripts that use a module with an http client. Among browsers, the problem affects Epiphany, which stopped loading ad-blocking lists.

The problem does not affect Go programs, because Go provides its own TLS implementation.

It was assumed that the problem affects older distribution releases (including Debian 9, Ubuntu 16.04, RHEL 6/7) that use the problematic OpenSSL branches, but it also showed up when running the APT package manager in the current Debian 10 and Ubuntu 18.04/20.04 releases, because APT uses the GnuTLS library. The essence of the problem is that many TLS/SSL libraries process a certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a distributed cyclic graph with several trust anchors that must be taken into account. This flaw in OpenSSL and GnuTLS has been known for many years. In OpenSSL the problem was fixed in the 1.1.1 branch, while in GnuTLS it remains unfixed.

As a workaround, it is suggested to remove the "AddTrust External CA Root" certificate from the system store (for example, remove it from /etc/ca-certificates.conf and /etc/ssl/certs, and then run "update-ca-certificates -f -v"), after which OpenSSL starts processing cross-signed certificates that involve it normally. When using the APT package manager, you can disable certificate verification for individual requests at your own risk (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false").

To block the problem in Fedora and RHEL, it is suggested to add the AddTrust certificate to the blacklist:

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" \
   > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust extract

However, this method does not work for GnuTLS (for example, a certificate verification error continues to appear when running wget).

On the server side, you can change the order in which certificates are listed in the chain of trust that the server sends to the client (if the certificate linked to "AddTrust External CA Root" is removed from the list, the client's verification will succeed). To check and generate a new chain of trust, you can use the whatsmychaincert.com service. Sectigo also provided an alternative cross-signed intermediate certificate, "AAA Certificate Services", which will be valid until 2028 and will retain compatibility with older OS versions.
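The difference between checking the server's list as a linear chain and building a path over a graph with several trust anchors, together with the effect of the server dropping the cross-signed certificate from the chain it sends, as an added example (not code from the article, OpenSSL or GnuTLS). It is a simplified model that matches certificates by name and expiry only and skips signatures; every certificate name other than "AddTrust External CA Root" and USERTrust, and every date, is constructed.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed model data: simplified names, illustrative dates.
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", day(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust", "USERTrust", day(2038, 1, 1))
USERTRUST_CROSS = Cert("USERTrust", "AddTrust External CA Root", day(2020, 5, 30))
INTERMEDIATE = Cert("Sectigo intermediate", "USERTrust", day(2030, 1, 1))
LEAF = Cert("www.example.test", "Sectigo intermediate", day(2021, 1, 1))

STORE = [ADDTRUST, USERTRUST_ROOT]            # client trust store
SENT = [LEAF, INTERMEDIATE, USERTRUST_CROSS]  # chain sent by the server
NOW = day(2020, 6, 1)                         # a date after the AddTrust expiry

def linear_validate(chain, store, now):
    """Treat the server's list as the only path: no alternatives are tried."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return None
    anchor = next((a for a in store if a.subject == chain[-1].issuer), None)
    path = chain + [anchor]
    if anchor is None or any(c.not_after < now for c in path):
        return None
    return path

def build_path(cert, pool, store, now, seen=()):
    """Graph search: at each step prefer an unexpired trust anchor, else recurse."""
    if cert.not_after < now or cert in seen:
        return None
    for anchor in store:
        if anchor.subject == cert.issuer and anchor.not_after >= now:
            return [cert, anchor]
    for cand in pool:
        if cand.subject == cert.issuer:
            rest = build_path(cand, pool, store, now, seen + (cert,))
            if rest:
                return [cert] + rest
    return None
```

With the constructed data, `linear_validate(SENT, STORE, NOW)` fails on the expired AddTrust branch, while `build_path(LEAF, SENT, STORE, NOW)` and `linear_validate([LEAF, INTERMEDIATE], STORE, NOW)` both end at the unexpired USERTrust root.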

Addendum: The problem also appears in LibreSSL.

Source: opennet.ru
