Failures in OpenBSD, DragonFly BSD and Electron caused by the expiration of the IdenTrust certificate

The expiration of the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the Let's Encrypt CA root certificate, has caused problems with Let's Encrypt certificate verification in projects that use older versions of OpenSSL and GnuTLS. The problems also affected the LibreSSL library, whose developers did not take into account the earlier experience with the failures that followed the expiration of the Sectigo (Comodo) CA's AddTrust root certificate.

Recall that OpenSSL releases up to and including the 1.0.2 branch, and GnuTLS before release 3.6.14, had a bug that prevented cross-signed certificates from being processed correctly when one of the root certificates used for signing expired, even if other valid trust chains remained (in the case of Let's Encrypt, the expiration of the IdenTrust root certificate blocks verification even when the system trusts the Let's Encrypt root certificate, which is valid until 2030). The essence of the bug is that older versions of OpenSSL and GnuTLS treated the certificate chain as a linear sequence, whereas according to RFC 4158 the certificates can form a directed distributed graph with multiple trust anchors, all of which must be considered.

As a workaround for the failure, it is suggested to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command "update-ca-certificates -f -v". On CentOS and RHEL, the "DST Root CA X3" certificate can be added to the blacklist:

  trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
  sudo update-ca-trust extract
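The two chain-building strategies described above, and why deleting the expired root from the store is an effective workaround, as an added illustration that is not part of the original article: a constructed model of the Let's Encrypt hierarchy (real subject names, illustrative dates; the leaf name example.org and the simplified "retry only when no anchor is found" behaviour are assumptions) verified first with a linear walk and then with an RFC 4158 style graph search.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # end of the validity period

# Constructed model of the Let's Encrypt hierarchy on 1 Oct 2021: real subject names,
# illustrative dates following the article (DST Root CA X3 expired, ISRG Root X1 valid to 2030).
LEAF = Cert("example.org", "R3", datetime(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))  # sent by server
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2030, 6, 4))      # in trust store
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))      # expired anchor

SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # what the TLS server typically sends
TRUST_STORE = [DST_X3, ISRG_X1_SELF]      # an un-updated system store
NOW = datetime(2021, 10, 1)

def build_linear(chain, store, now):
    """Simplified model of the old behaviour: the server chain is a fixed line and only
    its last issuer is looked up in the store. An anchor that is found but expired is
    fatal; only a missing anchor triggers a retry with a shorter chain."""
    path = list(chain)
    while path:
        roots = [c for c in store if c.subject == path[-1].issuer]
        if roots:
            full = path + [roots[0]]
            if any(c.not_after < now for c in full):
                return None
            return [c.subject for c in full]
        path.pop()
    return None

def build_graph(leaf, chain, store, now):
    """RFC 4158 style: any cert with the needed subject is a candidate; dead ends backtrack."""
    def walk(cert, path):
        if cert.not_after < now or cert.subject in path:
            return None  # expired link or loop: abandon this branch
        path = path + [cert.subject]
        if cert in store:
            return path  # reached a currently valid trust anchor
        for nxt in [c for c in store + chain if c.subject == cert.issuer]:
            found = walk(nxt, path)
            if found:
                return found
        return None
    return walk(leaf, [])
```

With the expired root still in the store the linear walk fails while the graph search finds the path through the self-signed ISRG Root X1; removing DST Root CA X3 from the store makes the linear walk succeed too.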

Other failures observed after the expiration of the IdenTrust root certificate:

  • On OpenBSD, the syspatch utility, used to install binary system updates, stopped working. The OpenBSD project today released emergency patches for the 6.8 and 6.9 branches that fix the LibreSSL problems with checking cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since updates are additionally verified by digital signature) or to choose a different mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). The expired DST Root CA X3 root certificate can also be removed from the /etc/ssl/cert.pem file.
  • On DragonFly BSD, similar problems are observed when working with DPorts. Starting the pkg package manager produces a certificate verification error. A fix was added today to the master branch, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8. As a workaround, the DST Root CA X3 certificate can be removed.
  • Verification of Let's Encrypt certificates is broken in applications based on the Electron platform. The problem was fixed in updates 12.2.1, 13.5.1, 14.1.0 and 15.1.0.
  • Some distributions have problems accessing package repositories when using the APT package manager linked against older versions of the GnuTLS library. Debian 9 is affected: it shipped an unpatched GnuTLS package, which led to problems accessing deb.debian.org for users who had not installed the update in time (the fix in gnutls28-3.5.8-5+deb9u6 was provided on September 17). As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
  • The acme-client in the OPNsense firewall distribution is broken; the problem was reported in advance, but the developers were unable to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7, but last week the ca-certificates-2021.2.50-72.el7_9.noarch package update was produced for RHEL 7 and CentOS 7, from which the IdenTrust certificate was removed, i.e. the problem was blocked before it could appear. The same update was published last week for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Since the updates were released in advance, the problem with verifying Let's Encrypt certificates affected only users of older RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc is broken.
  • Builds on the Cloudflare Pages platform failed.
  • Problems in Amazon Web Services (AWS).
  • DigitalOcean users have problems connecting to databases.
  • The Netlify cloud platform went down.
  • Problems accessing Xero services.
  • Attempts to establish a TLS connection to the MailGun service's Web API failed.
  • Failures on macOS and iOS versions (11, 13, 14) that should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification error when accessing the PostMan API.
  • Guardian Firewall failed.
  • The monday.com support page is broken.
  • The Cerb platform went down.
  • Uptime checks in Google Cloud Monitoring failed.
  • Certificate verification problem in Cisco Umbrella Secure Web Gateway.
  • Connection problems with Bluecoat and Palo Alto proxies.
  • OVHcloud has a problem connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Ledger Live Manager fails.
  • Certificate verification error in Facebook App Developer Tools.
  • Problems in Sophos SG UTM.
  • Certificate verification problems in cPanel.

Source: opennet.ru
