Breakage in OpenBSD, DragonFly BSD and Electron caused by the expiry of the IdenTrust root certificate

The expiry of the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the Let's Encrypt CA root certificate, has caused problems with Let's Encrypt certificates in projects that use older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers had not taken into account the earlier incident that followed the expiry of the Sectigo (Comodo) CA's AddTrust root certificate.

Recall that OpenSSL releases up to and including the 1.0.2 branch, and GnuTLS releases before 3.6.14, contain a bug that prevents cross-signed certificates from being verified correctly when one of the root certificates involved in the signing has expired, even though other valid trust chains remain (in the case of Let's Encrypt, the expiry of the IdenTrust root certificate blocks verification even though the system already has Let's Encrypt's own root certificate, ISRG Root X1, valid until 2035). The essence of the bug is that older versions of OpenSSL and GnuTLS build the certification path as a single linear chain, following the certificates the server presents to the end before consulting the trust store, whereas RFC 4158 treats path building as a search over a directed graph that may contain several trust anchors, all of which have to be considered.

As a workaround for the failure, it is proposed to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run "update-ca-certificates -f -v". On CentOS and RHEL you can instead add the "DST Root CA X3" certificate to the blacklist (the pkcs11 id in the filter is the certificate's Subject Key Identifier, C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10):

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
    sudo update-ca-trust extract
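The chain-building difference described above, and why simply removing DST Root CA X3 from the store is enough to unbreak the old code path, as an added example written for this page (it is not code from OpenSSL, GnuTLS or LibreSSL). Certificates are modelled as plain records with names and key identifiers instead of real signatures, the clock is pinned to 1 October 2021, and the expiry dates are rounded to the day; all of that is an assumption of the demo, not something the page states:

```python
"""Toy X.509 path builder (illustration only, not OpenSSL/GnuTLS/LibreSSL code).
Certificates are plain records; "signature verification" is reduced to matching
issuer name and authority key identifier, which is enough to show why the order
in which a chain is walked decides whether the expired DST Root CA X3 is pulled
into the path."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption for the demo: the clock is pinned to the day after DST Root CA X3 expired.
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str        # Subject Key Identifier: names the key in this cert
    akid: str        # Authority Key Identifier: names the key that signed it
    not_after: datetime

    def issued_by(self, other: "Cert") -> bool:
        """Stand-in for a real signature check: names and key ids must line up."""
        return self.issuer == other.subject and self.akid == other.skid


# Constructed sample hierarchy (real names, dates rounded to the day).
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", "dst", "dst",
                   datetime(2021, 9, 30, tzinfo=timezone.utc))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", "isrg", "isrg",
                    datetime(2035, 6, 4, tzinfo=timezone.utc))
# Same ISRG key, but cross-signed by the old IdenTrust root.
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "isrg", "dst",
                     datetime(2024, 9, 30, tzinfo=timezone.utc))
R3 = Cert("R3", "ISRG Root X1", "r3", "isrg",
          datetime(2025, 9, 15, tzinfo=timezone.utc))
LEAF = Cert("example.org", "R3", "leaf", "r3",
            datetime(2021, 12, 30, tzinfo=timezone.utc))

# What a Let's Encrypt server sent by default: leaf, R3, cross-signed ISRG Root X1.
PRESENTED = [LEAF, R3, ISRG_X1_CROSS]

Result = Tuple[bool, List[Cert], str]


def _find_issuer(cert: Cert, pool: List[Cert], exclude: List[Cert]) -> Optional[Cert]:
    return next((c for c in pool if c not in exclude and cert.issued_by(c)), None)


def _check_validity(path: List[Cert], now: datetime) -> Result:
    """Validity is checked only once the path is fixed, as the old libraries did."""
    for c in path:
        if c.not_after < now:
            return False, path, f"certificate has expired: {c.subject}"
    return True, path, "ok"


def build_legacy(presented: List[Cert], trust_store: List[Cert], now: datetime = NOW) -> Result:
    """Pre-1.1.0 OpenSSL / old GnuTLS order: follow the server's chain to its end
    first, only then look for a trusted issuer of the top certificate, backing up
    one cert at a time if none is found (the 'alternative chain' fallback).
    The trust store is never consulted while a presented cert still fits."""
    chain = [presented[0]]
    while True:
        nxt = _find_issuer(chain[-1], presented, exclude=chain)
        if nxt is None:
            break
        chain.append(nxt)
    while chain:
        anchor = _find_issuer(chain[-1], trust_store, exclude=[])
        if anchor is not None:
            path = chain if anchor in chain else chain + [anchor]
            return _check_validity(path, now)
        chain.pop()
    return False, [], "unable to get issuer certificate"


def build_trusted_first(presented: List[Cert], trust_store: List[Cert], now: datetime = NOW) -> Result:
    """Graph-style building in the spirit of RFC 4158: at every step an issuer from
    the trust store is preferred over one from the presented chain, so the walk
    stops at the first anchor it reaches (OpenSSL >= 1.1.0 default behaviour,
    X509_V_FLAG_TRUSTED_FIRST). Surplus certs sent by the server are ignored."""
    path = [presented[0]]
    while True:
        anchor = _find_issuer(path[-1], trust_store, exclude=[])
        if anchor is not None:
            if anchor not in path:
                path.append(anchor)
            return _check_validity(path, now)
        nxt = _find_issuer(path[-1], presented, exclude=path)
        if nxt is None:
            return False, path, "unable to get issuer certificate"
        path.append(nxt)


def demo() -> dict:
    """The three situations from the text: old library with a stock store, old
    library after the DST Root CA X3 workaround, and a fixed library."""
    stock = [ISRG_ROOT_X1, DST_ROOT_X3]
    return {
        "old library, stock store": build_legacy(PRESENTED, stock),
        "old library, DST Root CA X3 removed": build_legacy(PRESENTED, [ISRG_ROOT_X1]),
        "fixed library, stock store": build_trusted_first(PRESENTED, stock),
    }


if __name__ == "__main__":
    for name, (ok, path, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason}); path = "
              + " -> ".join(c.subject for c in path))
```

The first case reproduces the failure: the legacy walk reaches the cross-signed ISRG Root X1 in the server's chain, finds DST Root CA X3 as its trusted issuer, and only then notices that the anchor has expired. Deleting DST Root CA X3 from the store makes the same walk fall back one step and anchor R3 at the self-signed ISRG Root X1, which is exactly what the workaround above achieves; the trusted-first walk never reaches the cross-certificate at all.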

Some of the failures observed after the expiry of the IdenTrust root certificate:

  • In OpenBSD, the syspatch utility used to install binary updates stopped working. The OpenBSD project today urgently released patches for the 6.8 and 6.9 branches that fix the LibreSSL problem with verifying cross-signed certificates when one of the certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since updates are additionally verified by a digital signature) or to choose another mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). You can also remove the expired DST Root CA X3 root certificate from the /etc/ssl/cert.pem file.
  • In DragonFly BSD, similar problems are observed when working with DPorts. Starting the pkg package manager produces a certificate verification error. The fix was added today to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, you can remove the DST Root CA X3 certificate.
  • Let's Encrypt certificate verification in Electron-based applications is broken. The problem was fixed in releases 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
  • Some distributions have problems accessing package repositories when using an APT package manager linked against older versions of the GnuTLS library. Debian 9, which shipped an unpatched GnuTLS package, was affected, causing problems accessing deb.debian.org for users who had not installed updates in time (the gnutls28-3.5.8-5+deb9u6 fix was offered on September 17). As a workaround, it is recommended to remove DST_Root_CA_X3.crt from /etc/ca-certificates.conf, as described above.
  • The acme-client in the OPNsense firewall distribution stopped working; the problem had been reported in advance, but the developers did not manage to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7, but a week ago an update of the ca-certificates-2021.2.50-72.el7_9.noarch package was released for RHEL 7 and CentOS 7 in which the IdenTrust certificate was removed, i.e. the problem was blocked before it could appear. Similar updates were published last week for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Since the updates were released in advance, the Let's Encrypt certificate verification problem affected only users of older RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc is broken.
  • Builds on the Cloudflare Pages platform failed.
  • Problems in Amazon Web Services (AWS).
  • DigitalOcean users have problems connecting to databases.
  • The Netlify cloud platform went down.
  • Problems accessing Xero services.
  • Attempts to establish a TLS connection to the MailGun service's Web API failed.
  • Failures in macOS and iOS versions (11, 13, 14), which in theory should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification error when accessing the PostMan API.
  • Guardian Firewall went down.
  • The monday.com support page is broken.
  • The Cerb platform went down.
  • Uptime checks failed in Google Cloud Monitoring.
  • Certificate verification problems in Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto proxies.
  • OVHcloud has problems connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Ledger Live Manager is broken.
  • Certificate verification problem in Facebook App Developer Tools.
  • Problems in Sophos SG UTM.
  • Certificate verification problems in cPanel.

Source: opennet.ru
