Let's Encrypt revokes 2 million certificates due to problems with the TLS-ALPN-01 implementation

Let's Encrypt, a non-profit certificate authority that is controlled by the community and provides certificates free of charge to everyone, has announced the early revocation of about two million TLS certificates, roughly 1% of all active certificates issued by this certificate authority. The revocation was initiated after the code used at Let's Encrypt to implement the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation) was found not to comply with the requirements of the specification. The discrepancy was caused by the absence of some checks performed during connection negotiation based on the ALPN TLS extension used in HTTP/2. More details about the incident will be published after the problematic certificates have been revoked.

The problem was fixed on January 26 at 03:48 (MSK), but it was decided to invalidate all certificates that had been issued using the TLS-ALPN-01 validation method. Revocation of the certificates will begin on January 28 at 19:00 (MSK). Until then, users of the TLS-ALPN-01 validation method are advised to renew their certificates; otherwise the certificates will be invalidated ahead of schedule.

Notifications about the need to renew certificates have been sent by email. Users who obtain certificates with Certbot and dehydrated in their default configuration are not affected by the problem. The TLS-ALPN-01 method is supported in the Caddy, Traefik, Apache mod_md and autocert packages. You can check whether your certificates are affected by searching for their identifiers, serial numbers or domains in the list of problematic certificates.

Because the changes affect the behaviour of validation with the TLS-ALPN-01 method, continued operation may require updating the ACME client or changing its settings (Caddy, bitnami/bn-cert, autocert, apache mod_md, Traefik). The changes include the use of TLS versions no lower than 1.2 (clients will no longer be able to use TLS 1.1) and the retirement of OID 1.3.6.1.5.5.7.1.30.1, which identifies the obsolete acmeIdentifier extension that was supported only in earlier drafts of the RFC 8737 specification (when generating a certificate, only OID 1.3.6.1.5.5.7.1.31 is now allowed, and clients using OID 1.3.6.1.5.5.7.1.30.1 will not be able to obtain a certificate).
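The OID change described above can be checked against the challenge certificate an ACME client presents during TLS-ALPN-01 validation. The following Go program is an added example, not code from Let's Encrypt or from any of the clients named here. It assumes RFC 8737's rule that the acmeIdentifier extension is critical and carries the SHA-256 digest of the key authorization; the function names, the domain, the key authorization string and the test key are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidACME = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}       // acmeIdentifier, RFC 8737
var oidACMEOld = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1} // obsolete draft-era OID
// digest returns SHA-256(keyAuth) as a DER OCTET STRING (tag 0x04, length 32).
func digest(keyAuth string) []byte {
	sum := sha256.Sum256([]byte(keyAuth))
	return append([]byte{0x04, 0x20}, sum[:]...)
}
// buildChallengeCert makes a constructed self-signed challenge certificate as sample input.
func buildChallengeCert(domain, keyAuth string, oid asn1.ObjectIdentifier) ([]byte, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero test key, never reuse
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oid, Critical: true, Value: digest(keyAuth)}}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}
// checkChallengeCert rejects the obsolete OID and requires a critical, matching current one.
func checkChallengeCert(der []byte, keyAuth string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidACMEOld):
			return fmt.Errorf("obsolete acmeIdentifier OID %v", ext.Id)
		case ext.Id.Equal(oidACME) && ext.Critical && bytes.Equal(ext.Value, digest(keyAuth)):
			return nil
		}
	}
	return fmt.Errorf("no valid acmeIdentifier extension (%v)", oidACME)
}
func main() {
	der, _ := buildChallengeCert("example.test", "token.thumbprint", oidACMEOld)
	fmt.Println(checkChallengeCert(der, "token.thumbprint")) // rejected: obsolete OID
}
```

Running the same check against the certificate your own ACME client generates for a challenge shows whether the client still emits the draft-era OID and needs an update.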

Source: opennet.ru
