Expiry of the AddTrust root certificate causes failures on systems with OpenSSL and GnuTLS

On May 30 the 20-year validity period of the AddTrust root certificate ended. It had been used to cross-sign certificates issued by one of the certification authorities of Sectigo (Comodo). Cross-signing preserved compatibility with legacy devices whose trust stores never received the newer USERTrust root certificate.

In theory, the expiry of the AddTrust root certificate should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), since the second root certificate used for signing remains valid and modern browsers take it into account when checking the trust chain. In practice, verification problems appeared in TLS clients other than browsers, including those based on OpenSSL 1.0.x and GnuTLS. A secure connection could no longer be established and failed with an error stating that the certificate had expired whenever the server used a Sectigo certificate whose trust chain led to the AddTrust root certificate.

While users of modern browsers did not notice the expiry of the AddTrust root when handling cross-signed Sectigo certificates, problems began to surface in various third-party applications and server-side handlers, breaking many systems that use encrypted channels for communication between their components.

For example, there were problems accessing package repositories in Debian and Ubuntu (apt started reporting a certificate verification error), requests from the "curl" and "wget" command-line utilities began to fail, errors were observed when using Git, the Roku streaming platform stopped working, the Fastly and DataDog agents stopped being called, crashes occurred in Heroku applications, OpenLDAP clients could no longer connect, and problems were detected when sending mail to SMTPS servers and to SMTP servers with STARTTLS. In addition, problems were observed in various Ruby, PHP and Python scripts that use the http client module. Among browsers the problem affected Epiphany, which stopped loading its ad-blocking lists.

Go applications are not affected by the problem, since Go ships its own TLS implementation.

It was initially assumed that the problem affected only older distributions (including Debian 9, Ubuntu 16.04 and RHEL 6/7) that use the problematic OpenSSL branches, but it also showed up when the APT package manager was run on Debian 10 and Ubuntu 18.04/20.04, because APT uses the GnuTLS library. The root cause is that many TLS/SSL libraries process the certificates as a linear chain, whereas according to RFC 4158 the certificates can form a directed distributed graph with several trust anchors, all of which have to be considered. This flaw in OpenSSL and GnuTLS has been known for many years. In OpenSSL the problem was fixed in the 1.1.1 branch; in GnuTLS it remains unfixed.

As a workaround, it is recommended to remove the "AddTrust External CA Root" certificate from the system store (for example, delete it from /etc/ca-certificates.conf and /etc/ssl/certs and then run "update-ca-certificates -f -v"), after which OpenSSL processes the cross-signed certificates without involving it. When using the APT package manager, certificate verification can be disabled for individual requests (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false"), at the cost of losing TLS authentication of that repository for the duration of the request.

To block the problem on Fedora and RHEL, it is suggested to add the AddTrust certificate to the blacklist:

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" \
   > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust extract

This method, however, does not help with GnuTLS (for example, the certificate verification error keeps appearing when using wget).

On the server side, you can change the order in which the certificates are listed in the trust chain the server sends to the client (if the certificate cross-signed by "AddTrust External CA Root" is removed from the list, verification on the client succeeds). The whatsmychaincert.com service can be used to check the chain and generate a new one. Sectigo also offers an alternative intermediate certificate cross-signed by "AAA Certificate Services", which remains valid until 2028 and stays compatible with older OS versions.
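To make concrete both the root cause described above (a linear chain walk versus RFC 4158 path building over a graph with several trust anchors) and the server-side fix (dropping the cross-signed certificate from the chain that is sent), here is an added example; it is not code from the article, from OpenSSL or from GnuTLS. It models a certificate as a subject/issuer/expiry triple only (signatures are assumed to verify), builds the objects by hand after the public Sectigo, USERTrust and AddTrust certificates, and puts a linear validator next to a graph-based path builder; the `chain_to_send` function is the pruning step a server operator would apply.

```python
"""Toy model of certificate path building: linear chain vs. RFC 4158 graph.

Added example, not code from the opennet.ru article, OpenSSL or GnuTLS.
A Cert carries subject, issuer and not_after only; signatures are assumed
valid, so only naming and expiry are checked.  Names and dates mirror the
public Sectigo/USERTrust/AddTrust certificates but are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    def self_signed(self) -> bool:
        return self.subject == self.issuer

    def expired(self, now: datetime) -> bool:
        return now > self.not_after


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


USERTRUST = "USERTrust RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"
SECTIGO_DV = "Sectigo RSA Domain Validation Secure Server CA"

LEAF = Cert("www.example.com", SECTIGO_DV, _utc(2021, 1, 1))
SECTIGO_ICA = Cert(SECTIGO_DV, USERTRUST, _utc(2030, 12, 31))
USERTRUST_CROSS = Cert(USERTRUST, ADDTRUST, _utc(2020, 5, 30))  # the expired cross-sign
USERTRUST_ROOT = Cert(USERTRUST, USERTRUST, _utc(2038, 1, 18))
ADDTRUST_ROOT = Cert(ADDTRUST, ADDTRUST, _utc(2020, 5, 30))

# Chain a server still sends for legacy compatibility: leaf, intermediate and
# the USERTrust certificate cross-signed by AddTrust (roots are never sent).
SERVER_CHAIN = [LEAF, SECTIGO_ICA, USERTRUST_CROSS]
MODERN_STORE = frozenset({USERTRUST_ROOT, ADDTRUST_ROOT})  # both roots installed
LEGACY_STORE = frozenset({ADDTRUST_ROOT})                  # old device, no USERTrust root


def verify_linear(chain, store, now):
    """Validate the chain strictly in the order sent, then look the issuer of
    the last certificate up in the trust store.  Any expired certificate on
    the way is fatal; no alternative is ever tried (OpenSSL 1.0.x, GnuTLS)."""
    for cert in chain:
        if cert.expired(now):
            return False, f"certificate has expired: {cert.subject}"
    anchors = [c for c in store if c.subject == chain[-1].issuer]
    if not anchors:
        return False, "unable to get issuer certificate"
    if all(c.expired(now) for c in anchors):
        return False, f"certificate has expired: {chain[-1].issuer}"
    return True, "ok"


def build_path(chain, store, now):
    """RFC 4158-style path building: treat sent chain plus trust store as a
    graph of subject/issuer edges and depth-first search for a path from the
    leaf to a currently valid self-signed anchor, trying trust-store
    candidates first and backtracking past dead ends such as an expired
    cross-sign.  Returns the path as a list of Cert, or None."""
    pool = sorted(store, key=lambda c: c.subject) + list(chain[1:])

    def dfs(cert, path):
        if cert.expired(now):
            return None
        path = path + [cert]
        if cert in store and cert.self_signed():
            return path
        for cand in pool:
            if cand.subject == cert.issuer and cand not in path:
                found = dfs(cand, path)
                if found:
                    return found
        return None

    return dfs(chain[0], [])


def chain_to_send(chain, store, now):
    """Server-side fix: send only the valid path minus the trust anchor, which
    drops the expired cross-signed certificate rather than letting a linear
    client trip over it."""
    path = build_path(chain, store, now)
    if path is None:
        raise ValueError("no valid path to a trust anchor")
    return [c for c in path if c not in store]


if __name__ == "__main__":
    after = _utc(2020, 6, 1)  # two days past the AddTrust expiry
    print("linear, modern store:", verify_linear(SERVER_CHAIN, MODERN_STORE, after))
    print("graph,  modern store:", [c.subject for c in build_path(SERVER_CHAIN, MODERN_STORE, after)])
    print("linear, pruned chain:", verify_linear(chain_to_send(SERVER_CHAIN, MODERN_STORE, after), MODERN_STORE, after))
    print("graph,  legacy store:", build_path(SERVER_CHAIN, LEGACY_STORE, after))
```

Run after the expiry date, the linear validator rejects the three-certificate chain with "certificate has expired" even though the modern store holds a perfectly valid USERTrust root, while the path builder backtracks past the expired cross-sign and ends at that root; once the chain is pruned to leaf plus intermediate, the linear validator accepts it too. A legacy store containing only the AddTrust root fails either way after May 30, which is exactly the breakage that was expected.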

Addendum: the problem also shows up in LibreSSL.

Source: opennet.ru
