Medium Weekly Digest #5 (9 - 16 Aug 2019)

We hear the phrase "national security" all the time, but when a government starts monitoring our communications, recording them without reasonable suspicion, without a legal basis and without any clear purpose, we should ask ourselves: are they really protecting the security of the country, or are they protecting their own?

- Edward Snowden

This digest is intended to raise public interest in the issue of privacy, which, in light of recent events, matters more than ever.

On the agenda:

  • Enthusiasts from the community of the decentralized ISP "Medium" have created their own search engine
  • Medium has established a new certificate authority, Medium Global Root CA. Who will be affected by the changes?
  • Security certificates for every home: how to set up your own service on the Yggdrasil network and issue a valid SSL certificate for it

A reminder: what is "Medium"?

Medium (English "medium", as in "intermediary"; the original slogan was "Don't ask for your privacy. Take it back"; in English the word also means "middle") is a decentralized Russian internet provider that offers free access to the Yggdrasil network.

Full name: Medium Internet Service Provider. The project was originally conceived as a mesh network in the Kolomna urban district.

It was formed in April 2019 as part of building an independent communications environment, giving end users access to Yggdrasil network resources over Wi-Fi wireless data transmission.

More on the topic: "Everything you wanted to know about the decentralized ISP Medium but were afraid to ask"

Enthusiasts from the community of the decentralized ISP "Medium" have created their own search engine

Originally the Yggdrasil network, which the decentralized ISP Medium uses as its transport, had neither its own DNS server nor a public key infrastructure; however, the need to issue security certificates for services on the Medium network led to both problems being solved.

Why do you need a PKI when Yggdrasil provides traffic encryption between peers out of the box? There is no need to use HTTPS to connect to web services on the Yggdrasil network if you connect to them through a Yggdrasil router running locally.

Indeed: the Yggdrasil transport, at the protocol level, lets you use resources inside the Yggdrasil network securely; the possibility of a MITM attack is completely ruled out.

The situation changes dramatically when you access Yggdrasil intranet resources not directly but through an intermediate node: a Medium network access point, which is controlled by its operator.

In this case, who can compromise the data you transmit:

  1. The access point operator. Obviously, the current operator of a Medium network access point can eavesdrop on unencrypted traffic passing through their equipment.
  2. An attacker (man in the middle). Medium has a problem similar to the Tor network's, only concerning entry and intermediate nodes.

What this looks like (diagram in the original post):

Solution: to access web resources inside the Yggdrasil network, use the HTTPS protocol (layer 7 of the OSI model). The problem is that it is impossible to issue a real security certificate for Yggdrasil network services by the usual means, such as Let's Encrypt.

Therefore, we established our own certificate authority, "Medium Global Root CA". Most services on the Medium network have security certificates signed by its intermediate certificate authority, Medium Domain Validation Secure Server CA.

The possibility of the certificate authority's root certificate being compromised has, of course, been considered, but here the certificate is needed above all to guarantee the integrity of data transmission and to rule out MITM attacks.

Medium network services from different operators have different security certificates, each signed in its own way by the certificate authorities. The Root CA operators, however, cannot eavesdrop on encrypted traffic to the services whose security certificates they signed (see "What is a CSR?").

Those especially concerned about their security can use additional protection such as PGP and the like.

Currently, the Medium network's public key infrastructure allows certificate status to be checked using the OCSP protocol or via a CRL.

Getting to the point

User @NXShock has started building a search engine for web resources available on the Yggdrasil network. Its distinctive feature is that the services' IPv6 addresses are resolved during a search by querying a DNS server located inside the Medium network.

The primary TLD is .ygg. Most domain names use this TLD, with two exceptions: .isp and .gg.

The search engine is still under development, but it can already be used today: just visit the website search.medium.isp.

You can support the project by joining its development on GitHub.


Medium has established a new certificate authority, Medium Global Root CA. Who will be affected by the changes?

Yesterday, public testing of the Medium Root CA certificate authority was completed. At the end of testing, bugs in the operation of critical public infrastructure resources were fixed and a new root certificate for the certificate authority, "Medium Global Root CA", was created.

All the nuances and features of PKI were taken into account: the new "Medium Global Root CA" CA certificate will now be reissued only ten years from now (after its expiry date). Security certificates are now issued only by intermediate certificate authorities, for example "Medium Domain Validation Secure Server CA".

What does the certificate chain of trust look like now? (diagram in the original post)


What you need to do for everything to work if you are a user:

Since some resources use HSTS, before using Medium network resources you should clear the stored data for Medium intranet resources. You can do this in your browser's history tab.

You also need to install the new certificate of the "Medium Global Root CA" certificate authority.

What you need to do for everything to work if you are a system operator:

You need to reissue your service's certificate on the page pki.medium.isp (the service is available only on the Medium network).

Security certificates for every home: how to set up your own service on the Yggdrasil network and issue a valid SSL certificate for it

With the growing number of intranet resources on the Medium network, the need to issue new security certificates and to configure those resources to support SSL has grown.

Since Habr is a technical resource, in each new digest one of the agenda items will cover a technical aspect of the Medium network infrastructure. For example, below are detailed instructions for issuing an SSL certificate for your service.

The examples use the domain name domain.ygg, which you should replace with your service's domain name.

Step 1. Generate a private key and Diffie-Hellman parameters

openssl genrsa -out domain.ygg.key 2048

Then:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 2. Create a certificate signing request

openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.conf

Contents of the file domain.ygg.conf:

# Used by "openssl req -new ... -config domain.ygg.conf" in step 2.
# Note: x509_extensions is only applied by "openssl req -x509" (self-signed
# certificates). For a plain CSR the v3_req section below is not embedded in
# the request; the signing CA sets the final extensions (see the CRL and OCSP
# URIs, which only make sense when set by the CA).
[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
x509_extensions             = v3_req

# Prompted fields of the subject; the _default values are offered at the prompt
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = RU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName                = Locality Name (eg, city)
localityName_default        = Kolomna
organizationName            = Organization Name (eg, company)
organizationName_default    = ACME, Inc.
commonName                  = Common Name (eg, YOUR name)
commonName_max              = 64
commonName_default          = *.domain.ygg

# End-entity (server) certificate profile
[ v3_req ]
subjectKeyIdentifier        = hash
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth
basicConstraints            = CA:FALSE
nsCertType                  = server
authorityKeyIdentifier      = keyid,issuer:always
crlDistributionPoints       = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess         = OCSP;URI:http://ocsp.medium.isp

Step 3. Submit the certificate request

To do this, copy the contents of the file domain.ygg.csr and paste it into the text field on the site pki.medium.isp.

Follow the instructions given on the website, then click "Submit". If successful, a message will be sent to the e-mail address you specified, with the certificate signed by the intermediate certificate authority attached.


Step 4. Configure your web server

If you use nginx as your web server, use the following configuration:

File domain.ygg.conf in the directory /etc/nginx/sites-available/

server {
    # Yggdrasil addresses are IPv6, so listen on the IPv6 wildcard address
    listen [::]:80;
    listen [::]:443 ssl;

    root /var/www/domain.ygg;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.ygg;

    # certificate paths and TLS parameters (see the snippets below)
    include snippets/domain.ygg.conf;
    include snippets/ssl-params.conf;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    # the dot must be escaped in these regular expressions
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

File ssl-params.conf in the directory /etc/nginx/snippets/

# TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# HSTS: browsers will refuse plain HTTP for this host for 180 days
add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Diffie-Hellman parameters generated in step 1
ssl_dhparam /etc/ssl/certs/dhparam.pem;

File domain.ygg.conf in the directory /etc/nginx/snippets/

ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;

The certificate you received by e-mail should be copied to /etc/ssl/certs/domain.ygg.crt. Put the private key (domain.ygg.key) in the directory /etc/ssl/private/.

Step 5. Restart your web server

sudo service nginx restart
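The chain of trust and CSR flow described above (root CA, intermediate CA, a request that carries only the public key) and steps 1 to 5, as an added example that is not part of the original post: a shell script that rebuilds a miniature of that chain with throwaway test keys and verifies it offline. It assumes only the openssl CLI; the CA names are test stand-ins, and the CRL and OCSP URLs are the ones from the post's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the chain the post
# describes (root CA -> intermediate CA -> domain.ygg) with throwaway keys
# in a temp dir and verify it offline with the openssl CLI. The CA names
# are test stand-ins; the CRL and OCSP URLs are the ones the post gives.
set -eu
W=$(mktemp -d)

# CA side: a self-signed root, then an intermediate whose CSR the root signs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$W/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Medium Global Root CA" \
  -keyout "$W/root.key" -out "$W/root.csr" 2>/dev/null
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 3650 -sha256 \
  -extfile "$W/ca.ext" -out "$W/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Medium Domain Validation Secure Server CA" \
  -keyout "$W/inter.key" -out "$W/inter.csr" 2>/dev/null
openssl x509 -req -in "$W/inter.csr" -CA "$W/root.crt" -CAkey "$W/root.key" -CAcreateserial \
  -days 1825 -sha256 -extfile "$W/ca.ext" -out "$W/inter.crt" 2>/dev/null

# Operator side (steps 1 and 2 of the post): the private key never leaves
# the machine; the CSR carries only the public key and the requested subject.
openssl genrsa -out "$W/domain.ygg.key" 2048 2>/dev/null
openssl req -new -key "$W/domain.ygg.key" -subj "/CN=domain.ygg" -out "$W/domain.ygg.csr" 2>/dev/null

# CA side (step 3): the intermediate signs the CSR. The signer, not the
# requester, fixes the final extensions, including the CRL and OCSP pointers.
cat > "$W/leaf.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:domain.ygg,DNS:*.domain.ygg
authorityKeyIdentifier=keyid,issuer
crlDistributionPoints=URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess=OCSP;URI:http://ocsp.medium.isp
EOF
openssl x509 -req -in "$W/domain.ygg.csr" -CA "$W/inter.crt" -CAkey "$W/inter.key" -CAcreateserial \
  -days 365 -sha256 -extfile "$W/leaf.ext" -out "$W/domain.ygg.crt" 2>/dev/null

# Client-side checks. Trusting only the root suffices when the intermediate
# travels with the leaf; the leaf on its own does not chain to the root.
csr_leaks_private_key() { grep -q "PRIVATE KEY" "$W/domain.ygg.csr"; }
chain_verifies() { openssl verify -CAfile "$W/root.crt" -untrusted "$W/inter.crt" "$W/domain.ygg.crt" >/dev/null 2>&1; }
leaf_alone_verifies() { openssl verify -CAfile "$W/root.crt" "$W/domain.ygg.crt" >/dev/null 2>&1; }
cert_issued_by_intermediate() { openssl x509 -in "$W/domain.ygg.crt" -noout -issuer | grep -q "Domain Validation Secure Server CA"; }
cert_is_end_entity() { openssl x509 -in "$W/domain.ygg.crt" -noout -text | grep -q "CA:FALSE"; }

if chain_verifies && ! leaf_alone_verifies && ! csr_leaks_private_key; then
  echo "domain.ygg.crt chains to the test root via the intermediate; the CSR held no private key"
fi
```

If the file you were e-mailed holds only the leaf certificate, append the intermediate certificate after it in /etc/ssl/certs/domain.ygg.crt: nginx sends exactly what that file contains, and a client that trusts only the root needs the intermediate to complete the chain.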

A free internet in Russia starts with you

You can help build a free internet in Russia today. We have put together a list of ways you can support the network:

  • Tell your friends and colleagues about the Medium network. Share a link to this article on social networks or your personal blog
  • Take part in the discussion of technical issues of the Medium network on GitHub
  • Create your own web service on the Yggdrasil network and add it to the Medium network's DNS
  • Set up your own access point on the Medium network

Previous issues:

  • Medium Weekly Digest #1 (12 - 19 Jul 2019)
  • Medium Weekly Digest #2 (19 - 26 Jul 2019)
  • Medium Weekly Digest #3 (26 Jul - 2 Aug 2019)
  • Medium Weekly Digest #4 (2 - 9 Aug 2019)

Read also:

Everything you wanted to know about the decentralized ISP Medium but were afraid to ask
Darling, we are killing the internet
The decentralized ISP "Medium": three months later

We are on Telegram: @medium_isp


Source: www.habr.com
