Let's Encrypt to revoke 2 million certificates because of problems in its TLS-ALPN-01 implementation

Let's Encrypt, a non-profit, community-controlled certificate authority that provides certificates free of charge to everyone, has announced the early revocation of approximately two million TLS certificates, which is about 1% of all active certificates of this certification authority. The revocation was triggered by the discovery that the code used by Let's Encrypt to implement the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation) did not comply with the specification requirements. The discrepancy was caused by the absence of some checks performed during connection negotiation based on the ALPN TLS extension used in HTTP/2. Details of the incident will be published after the revocation of the problematic certificates is completed.

On January 26 at 03:48 (MSK) the problem was fixed, but it was decided to invalidate all certificates that had been issued using the TLS-ALPN-01 validation method. Revocation of the certificates will begin on January 28 at 19:00 (MSK). Before that time, users of the TLS-ALPN-01 validation method are advised to renew their certificates; otherwise the certificates will become invalid ahead of schedule.

Notifications about the need to renew certificates have been sent by email. Users who obtain certificates with Certbot and dehydrated in their default configuration are not affected by the problem. The TLS-ALPN-01 method is supported in Caddy, Traefik, Apache mod_md, and autocert. You can check the validity of your certificates by searching for identifiers, serial numbers, or domains in the list of problematic certificates.

Because the changes affect behavior during validation with the TLS-ALPN-01 method, updating the ACME client or changing its settings (Caddy, bitnami/bn-cert, autocert, apache mod_md, Traefik) may be required for it to keep working. The changes include the use of TLS versions no lower than 1.2 (clients will no longer be able to use TLS 1.1) and the removal of OID 1.3.6.1.5.5.7.1.30.1, which identifies the obsolete acmeIdentifier extension that was supported only in earlier drafts of RFC 8737 (when generating a certificate, only OID 1.3.6.1.5.5.7.1.31 is now allowed, and clients that use OID 1.3.6.1.5.5.7.1.30.1 will not be able to obtain a certificate).
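The two validation changes described above, written as a self-check an operator could run against the certificate their TLS-ALPN-01 responder presents. This is an added Go example, not code from Let's Encrypt or from any ACME client; the names `checkChallenge`, `sampleCert`, `oidCurrent` and `oidDraft` are hypothetical, and the sample certificate is constructed in-process with a placeholder extension value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCurrent = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}  // acmeIdentifier, the only OID now allowed
var oidDraft = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1} // draft-era OID, no longer accepted

// checkChallenge applies both rules: negotiated TLS >= 1.2, and the current OID present without the draft one.
func checkChallenge(certDER []byte, negotiated uint16) error {
	if negotiated < tls.VersionTLS12 {
		return fmt.Errorf("negotiated TLS 0x%04x, TLS 1.2 or later is required", negotiated)
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	var current, draft bool
	for _, ext := range cert.Extensions {
		current = current || ext.Id.Equal(oidCurrent)
		draft = draft || ext.Id.Equal(oidDraft)
	}
	if draft || !current {
		return fmt.Errorf("acmeIdentifier: draft OID present=%v, current OID present=%v", draft, current)
	}
	return nil
}

// sampleCert builds a constructed self-signed certificate; the extension value is an empty placeholder.
func sampleCert(oid asn1.ObjectIdentifier) ([]byte, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oid, Critical: true, Value: []byte{0x04, 0x00}}}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}

func main() {
	der, _ := sampleCert(oidDraft)
	fmt.Println(checkChallenge(der, tls.VersionTLS12))
}
```

In practice the DER bytes and negotiated version would come from a TLS connection to your own responder made with the `acme-tls/1` ALPN protocol, rather than from `sampleCert`.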

Source: opennet.ru
