The mainline branch nginx 1.27.4 has been released, in which new features are developed, together with the parallel stable branch nginx 1.26.3, which contains only changes that fix serious bugs and vulnerabilities. The updates fix a vulnerability (CVE-2025-23419) that allows TLS client certificate verification to be bypassed.
The vulnerability is caused by missing checks when handling virtual hosts that are bound to the same IP address and port and are selected at HTTPS connection time by the domain name passed in the SNI TLS extension. In such configurations an attacker can reuse a TLS session in the context of a different virtual host and thereby bypass authentication based on a TLS client certificate. The problem appears in configurations that support TLS session resumption with TLS session tickets (enabled by default) or with the TLS session cache in the settings of the default server, where that server authenticates clients with TLS client certificates. The vulnerability has existed since nginx 1.11.4 when nginx is built with OpenSSL and the TLSv1.3 protocol is enabled.
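The following configuration is an added illustration of the setup the article describes; it is not taken from the article or from the nginx project. The addresses, hostnames, certificate paths and upstreams are assumed. The first server block shows the preconditions named above (two name-based virtual hosts on one IP:port, TLSv1.3, client certificate verification on the default server, session resumption left enabled); the mitigated variant shows the same default server with resumption switched off, which removes the precondition for hosts that cannot be upgraded immediately. The proper fix is the update to 1.27.4 or 1.26.3.

```nginx
# Added example (not the article's or nginx's own configuration).
# Addresses, hostnames, paths and upstream ports are assumptions.

http {
    ssl_protocols TLSv1.3;

    # Vulnerable shape (nginx < 1.27.4 / 1.26.3):
    # default server for 203.0.113.10:443 requires a client certificate ...
    server {
        listen 203.0.113.10:443 ssl default_server;
        server_name admin.example.test;

        ssl_certificate     /etc/nginx/tls/admin.crt;
        ssl_certificate_key /etc/nginx/tls/admin.key;

        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_client on;

        # ... while session resumption stays available. Tickets are on unless
        # disabled; the cache is opt-in. Either one is enough for CVE-2025-23419.
        ssl_session_tickets on;
        ssl_session_cache   shared:SSL:10m;

        location / { proxy_pass http://127.0.0.1:8081; }
    }

    # ... and a second host on the same address and port, chosen by SNI,
    # performs no client authentication at all.
    server {
        listen 203.0.113.10:443 ssl;
        server_name www.example.test;

        ssl_certificate     /etc/nginx/tls/www.crt;
        ssl_certificate_key /etc/nginx/tls/www.key;

        location / { proxy_pass http://127.0.0.1:8080; }
    }

    # Mitigated shape for a host that cannot be upgraded yet (shown on a second
    # address only so both variants fit in one valid file): the default server
    # that verifies client certificates does not offer session resumption.
    server {
        listen 203.0.113.11:443 ssl default_server;
        server_name admin2.example.test;

        ssl_certificate     /etc/nginx/tls/admin2.crt;
        ssl_certificate_key /etc/nginx/tls/admin2.key;

        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_client on;

        ssl_session_tickets off;
        ssl_session_cache   off;

        location / { proxy_pass http://127.0.0.1:8081; }
    }
}
```

A practical check after upgrading or mitigating: save a session from the unauthenticated host with `openssl s_client -connect 203.0.113.10:443 -servername www.example.test -sess_out s.pem`, then replay it with `-servername admin.example.test -sess_in s.pem` and no client certificate; the request must not reach the admin host's content.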
Changes not related to security:
- Added the ability to reduce resource consumption and CPU load when using TLS in configurations with a large number of server and location blocks. Instead of creating a separate SSL context (SSL_CTX in OpenSSL) for every configuration block, the existing SSL context of the parent block can now be reused.
- Fixed slow loading of configuration files caused by repeated parsing of the same set of TLS certificates, keys and certificate authority lists. Configuration reload is sped up by reusing unchanged TLS objects such as certificates, keys and CRLs. The "ssl_object_cache_inheritable" directive has been added to disable inheritance of these objects across a configuration reload.
- Added a cache for certificates and keys that are loaded through variables in directives (e.g. "ssl_certificate /etc/ssl/$ssl_server_name.crt"). The "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache" and "uwsgi_ssl_certificate_cache" directives have been added to control the cache. They allow setting the maximum cache size, the validity period of entries and the time after which unused entries are evicted. Example: "ssl_certificate_cache max=1000 inactive=20s valid=1m;".
- Added the "keepalive_min_timeout" directive, which defines a period during which nginx will not close a keepalive connection with the client.
- Fixed the appearance of "gzip filter failed to use preallocated memory" log messages when building with the zlib-ng library.
- Fixed building with the libatomic library when the "--with-libatomic=DIR" build option is used.
- Fixed a bug that interfered with establishing QUIC connections when 0-RTT is used.
- QUIC version negotiation packets sent by clients are now ignored.
- Fixed build problems on Solaris 10 with the ngx_http_v3_module module.
- Fixed bugs in the HTTP/3 implementation.
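The configuration below is an added example of how the new directives from the list above fit together; it is not from the article or from the nginx project. Hostnames, paths, upstreams and the chosen limits are assumptions. It combines the per-name certificate lookup that the "ssl_certificate_cache" family caches, the reload-time object cache switch, and the new keepalive floor.

```nginx
# Added example (not the article's or nginx's own configuration).
# Paths, names, upstreams and limits are assumptions.

# Main context: parsed certificates, keys and CRLs survive a reload and are
# reused if unchanged (the new default); "off" forces every object to be
# parsed again on reload.
ssl_object_cache_inheritable on;

http {
    # Cache for certificates and keys resolved through variables:
    # at most 1000 entries, entries idle for 20s are evicted, and an entry
    # is re-read from disk once it is older than 1m.
    ssl_certificate_cache max=1000 inactive=20s valid=1m;

    server {
        listen 443 ssl;
        server_name *.example.test;

        # One file per SNI name; with the cache above the file is not
        # re-read on every handshake.
        ssl_certificate     /etc/nginx/tls/$ssl_server_name.crt;
        ssl_certificate_key /etc/nginx/tls/$ssl_server_name.key;

        # Idle keepalive connections are not closed by nginx for at least
        # 10s; keepalive_timeout remains the upper bound.
        keepalive_min_timeout 10s;
        keepalive_timeout     65s;

        location /api/ {
            proxy_pass https://backend.internal;

            # Client certificate presented to the upstream is also chosen
            # through a variable, so it goes through its own cache.
            proxy_ssl_certificate     /etc/nginx/tls/upstream-$host.crt;
            proxy_ssl_certificate_key /etc/nginx/tls/upstream-$host.key;
            proxy_ssl_certificate_cache max=100 inactive=30s valid=5m;
        }
    }
}
```

When tuning "valid=", keep it short enough that a rotated certificate on disk is picked up within an acceptable window; "inactive=" only controls memory pressure from names that stopped being requested.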
Source: opennet.ru
