Failures in OpenBSD, DragonFly BSD and Electron caused by the expired IdenTrust root certificate

The expiry of the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the Let's Encrypt CA root certificate, caused problems with Let's Encrypt certificate verification in projects that use older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers did not take into account the earlier experience with failures that followed the expiry of the AddTrust root certificate of the Sectigo (Comodo) CA.

Recall that OpenSSL releases up to and including the 1.0.2 branch, and GnuTLS releases before 3.6.14, contained a bug that prevented cross-signed certificates from being processed correctly if one of the root certificates used for signing had expired, even when other valid chains of trust remained (in the case of Let's Encrypt, the expiry of the IdenTrust root certificate prevents verification even if the system supports Let's Encrypt's own root certificate, valid until 2030). The essence of the bug is that older versions of OpenSSL and GnuTLS parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed distributed cyclic graph with multiple trust anchors that must all be taken into account.
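The difference between the two strategies, as an added example that is not code from OpenSSL, GnuTLS or the original article: a simplified model with no signature checks, in which the dates, the "Intermediate" and "example.org" labels and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed model: names and dates only, no signatures; dates are illustrative.
NOW, EXPIRED, VALID = date(2021, 10, 1), date(2021, 9, 30), date(2030, 1, 1)

# Trust store with the expired cross-signing root and the still-valid own root.
TRUST_STORE = [
    Cert("DST Root CA X3", "DST Root CA X3", EXPIRED),
    Cert("ISRG Root X1", "ISRG Root X1", VALID),
]
# Chain as sent by a server: leaf, intermediate, cross-signed copy of the root.
PRESENTED = [
    Cert("example.org", "Intermediate", VALID),
    Cert("Intermediate", "ISRG Root X1", VALID),
    Cert("ISRG Root X1", "DST Root CA X3", VALID),
]

def ok(cert, now=NOW):
    return now <= cert.not_after

def verify_linear(presented, store, now=NOW):
    """Simplified old behaviour: commit to the first anchor found, expired or not."""
    chain = list(presented)
    while chain and all(ok(c, now) for c in chain):
        anchor = next((a for a in store if a.subject == chain[-1].issuer), None)
        if anchor is not None:
            return ok(anchor, now)  # expired anchor: fail, no other path is tried
        chain.pop()                 # anchor absent: retry with a shorter chain
    return False

def verify_graph(cert, presented, store, now=NOW, seen=()):
    """Path building: try each issuer candidate, accept any path to a valid anchor."""
    if not ok(cert, now) or cert in seen:
        return False
    if any(a.subject == cert.issuer and ok(a, now) for a in store):
        return True
    return any(verify_graph(c, presented, store, now, seen + (cert,))
               for c in presented if c.subject == cert.issuer)

if __name__ == "__main__":
    print("linear:", verify_linear(PRESENTED, TRUST_STORE))
    print("graph: ", verify_graph(PRESENTED[0], PRESENTED, TRUST_STORE))
    no_dst = [a for a in TRUST_STORE if a.subject != "DST Root CA X3"]
    print("linear, DST removed:", verify_linear(PRESENTED, no_dst))
```

The third call models why deleting the expired root from the trust store works as a workaround: with no anchor to commit to, the linear verifier falls back to the shorter chain that ends at the valid root.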

As a workaround, it is suggested to delete the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command "update-ca-certificates -f -v". On CentOS and RHEL, you can add the "DST Root CA X3" certificate to the blacklist:

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
    sudo update-ca-trust extract

Some of the failures we have seen since the IdenTrust root certificate expired:

  • In OpenBSD, the syspatch utility, which is used to install binary system updates, stopped working. The OpenBSD project today urgently released patches for the 6.8 and 6.9 branches that fix the LibreSSL problems with verifying cross-signed certificates when one of the root certificates in the chain of trust has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not compromise security, since updates are additionally verified by a digital signature) or to choose another mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). You can also remove the expired DST Root CA X3 root certificate from the /etc/ssl/cert.pem file.
  • In DragonFly BSD, similar problems were observed when working with DPorts. When the pkg package manager is started, a certificate verification error appears. The fix was added today to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, you can remove the DST Root CA X3 certificate.
  • Verification of Let's Encrypt certificates is broken in applications based on the Electron platform. The problem was fixed in updates 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
  • Some distributions have problems accessing package repositories when using the APT package manager together with older versions of the GnuTLS library. Debian 9 was affected: it used an unpatched GnuTLS package, which led to problems accessing deb.debian.org for users who had not installed the update in time (the gnutls28-3.5.8-5+deb9u6 fix was offered on September 17). As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
  • The operation of acme-client in the distribution for building OPNsense firewalls was disrupted; the problem had been reported in advance, but the developers did not manage to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7, but a week earlier an updated ca-certificates-7-7.el2021.2.50_72.noarch package was produced for RHEL 7 and CentOS 9, from which the IdenTrust certificate was removed, i.e. the problem was headed off in advance. A similar update was published a week earlier for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Since the updates were released in advance, the problem with verifying Let's Encrypt certificates only affected users of older RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc is broken.
  • Cloudflare Pages builds failed.
  • Issues in Amazon Web Services (AWS).
  • DigitalOcean users have problems connecting to databases.
  • The Netlify cloud platform crashed.
  • Problems accessing Xero services.
  • An attempt to establish a TLS connection to the Web API of the MailGun service failed.
  • Failures in macOS and iOS versions (11, 13, 14), which in theory should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification error when accessing the PostMan API.
  • Guardian Firewall crashed.
  • The monday.com support page is broken.
  • The Cerb platform crashed.
  • Uptime checks failed in Google Cloud Monitoring.
  • Certificate verification problem in Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto.
  • OVHcloud has problems connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Ledger Live Manager crashed.
  • Certificate verification error in the Facebook App developer tools.
  • Problems in Sophos SG UTM.
  • Certificate verification problems in cPanel.

Source: opennet.ru
