Expiry of the AddTrust root certificate causes failures in OpenSSL- and GnuTLS-based systems

On 30 May the 20-year validity period of the AddTrust root certificate ended. This root was used to produce cross-signed certificates for one of the largest certificate authorities, Sectigo (formerly Comodo). The cross-signature kept compatibility with older devices that do not have the newer USERTrust root certificate in their root store.


In theory, the expiry of the AddTrust root should only have broken compatibility with legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9 and so on), because the second root certificate involved in the cross-signature remains valid, and current browsers take it into account when building the trust chain. In practice, problems verifying the cross-signature appeared in non-browser TLS clients, including those built on OpenSSL 1.0.x and GnuTLS. A secure connection can no longer be established: verification fails with a "certificate has expired" error whenever the server presents a Sectigo certificate whose chain leads to the AddTrust root certificate.

While users of current browsers noticed nothing when processing cross-signed Sectigo certificates, problems surfaced in a variety of third-party applications and server-side components, and broke many infrastructures that use encrypted channels for communication between their components.

For example, access to some Debian and Ubuntu package repositories failed (apt started reporting a certificate verification error); requests from scripts using curl and wget started failing; errors were seen in Git; the Roku streaming platform stopped working; Stripe and DataDog handlers were no longer invoked; Heroku applications started crashing; OpenLDAP clients stopped connecting; and there were problems delivering mail to SMTPS servers and to SMTP servers using STARTTLS. Problems were also observed in Ruby, PHP and Python scripts that use HTTP client modules. Among browsers, Epiphany was affected: it stopped loading its ad-blocking lists.

Go applications are not affected, because Go ships its own TLS implementation.

It was initially assumed that the problem affected only older distribution releases (including Debian 9, Ubuntu 16.04 and RHEL 6/7) that ship the problematic OpenSSL branches, but it also showed up when the APT package manager ran on the current Debian 10 and Ubuntu 18.04/20.04 releases, because APT uses the GnuTLS library. The root of the problem is that many TLS/SSL libraries treat the certificate chain as a single linear list, whereas according to RFC 4158 certification paths form a distributed graph, possibly containing cycles, in which several trust anchors may have to be considered. A verifier that simply follows the chain as the server sent it walks from the leaf through the intermediate to the cross-signed certificate and on to the expired AddTrust root, and rejects the path, even though the newer USERTrust root in its own trust store would have terminated a valid path one step earlier. This flaw in OpenSSL and GnuTLS had been known for many years; in OpenSSL it was fixed in the 1.1.1 branch, while in GnuTLS it remains unfixed.

As a workaround it is suggested to remove the "AddTrust External CA Root" certificate from the system store (for example, on Debian and Ubuntu deselect its entry in /etc/ca-certificates.conf by prefixing it with "!", or delete it from /etc/ssl/certs, and then run "update-ca-certificates -f -v"). Once the expired root is gone, the path can no longer end at it, and OpenSSL resumes verifying cross-signed certificates that involve this root correctly. When using the APT package manager, certificate verification can also be disabled for individual hosts at your own risk (for example, "apt-get update -o Acquire::https::download.jitsi.org::Verify-Peer=false", which affects only the named host).
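The Debian/Ubuntu part of that workaround, as an added example that is not code from the original article or from the ca-certificates package: rather than deleting the entry, it deselects it the way update-ca-certificates(8) documents (a leading "!" in /etc/ca-certificates.conf), rebuilds the bundle, and checks that the root is really gone from the store. It assumes the entry is named mozilla/AddTrust_External_Root.crt and that the generated link is /etc/ssl/certs/AddTrust_External_Root.pem (both assumptions, matching the package layout at the time). The demo at the end runs on a constructed copy of the configuration file; fix_debian_store is the function to run as root on a real host.

```shell
#!/bin/sh
# Added example (not code from the original article or from Debian's
# ca-certificates package): deselect the expired AddTrust root the way
# update-ca-certificates(8) expects, i.e. by prefixing its line in
# /etc/ca-certificates.conf with "!", then rebuild /etc/ssl/certs.
# Assumptions: the entry is named "mozilla/AddTrust_External_Root.crt" and
# the generated link is /etc/ssl/certs/AddTrust_External_Root.pem.
set -eu

# Deselect ENTRY in CONF by prefixing it with "!". Idempotent: an entry that
# is already deselected (or commented out) no longer matches and is kept.
deselect_ca() {  # deselect_ca CONF ENTRY
    awk -v entry="$2" '
        $0 == entry { print "!" $0; next }
        { print }
    ' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Exit 0 if ENTRY is still active (selected) in CONF, 1 otherwise.
is_selected() {  # is_selected CONF ENTRY
    grep -qx -- "$2" "$1"
}

# Live procedure for a Debian/Ubuntu host; run as root. Refreshes the
# bundle and then checks that the root really disappeared from the store.
fix_debian_store() {
    conf=/etc/ca-certificates.conf
    entry=mozilla/AddTrust_External_Root.crt
    deselect_ca "$conf" "$entry"
    update-ca-certificates -f -v
    if [ -e /etc/ssl/certs/AddTrust_External_Root.pem ]; then
        echo "AddTrust External Root is still in /etc/ssl/certs" >&2
        return 1
    fi
    echo "AddTrust External Root removed from the system trust store"
}

# Dry run on a constructed copy of the config file, so the logic can be
# exercised without touching the real store.
demo() {
    conf=$(mktemp)
    printf '%s\n' '# constructed sample of /etc/ca-certificates.conf' \
        'mozilla/ACCVRAIZ1.crt' \
        'mozilla/AddTrust_External_Root.crt' \
        'mozilla/USERTrust_RSA_Certification_Authority.crt' > "$conf"
    deselect_ca "$conf" mozilla/AddTrust_External_Root.crt
    deselect_ca "$conf" mozilla/AddTrust_External_Root.crt   # second run is a no-op
    cat "$conf"
    rm -f "$conf"
}
demo
```

Deleting the line instead of prefixing it works too, but the next upgrade of ca-certificates re-adds missing entries in its postinst, whereas a "!" line survives upgrades.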

To prevent the problem on Fedora and RHEL it is suggested to add the AddTrust certificate to the blacklist (the id in the filter is the Subject Key Identifier of "AddTrust External CA Root"):

trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" \
  > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
update-ca-trust extract

However, this method does not help with GnuTLS (for example, the certificate verification error continues to appear when wget is used).

On the server side, the composition and order of the certificate chain that the server sends to the client can be changed: if the certificate chained to "AddTrust External CA Root" is removed from the list, client verification succeeds. The whatsmychaincert.com service can be used to check a chain and generate a new one. Sectigo has also provided an alternative cross-signed intermediate certificate, chained to the "AAA Certificate Services" root, which is valid until 2028 and preserves compatibility with older OS versions.
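An added example (not code from the original article, from Sectigo or from whatsmychaincert.com) of the server-side fix above, together with the expiry check that the failing clients were effectively performing: it splits the PEM bundle a server sends, prints subject, issuer, notAfter and expiry status for each certificate, and writes a copy of the bundle with every certificate issued by "AddTrust External CA Root" removed. It needs the openssl command-line tool. The fixture at the end is a constructed stand-in PKI with the same shape as the broken chains (leaf, intermediate, a root cross-signed by a stand-in "AddTrust External CA Root", and that stand-in root itself appended), not real CA material.

```shell
#!/bin/sh
# Added example (not code from the original article, Sectigo or OpenSSL):
# inspect the certificate chain a server sends and drop every certificate
# issued by the expired "AddTrust External CA Root", so the chain ends at
# the root that clients already trust. Needs the openssl command-line tool.
set -eu

# Split a PEM bundle into DIR/cert-1.pem, DIR/cert-2.pem, ... (order kept).
split_bundle() {  # split_bundle BUNDLE DIR
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Number of certificates in a PEM bundle.
cert_count() {  # cert_count BUNDLE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One entry per certificate: subject, issuer, notAfter and expiry status.
# "openssl x509 -checkend 0" exits non-zero once notAfter is in the past,
# which is the check that tripped on the AddTrust cross-signs.
describe_chain() {  # describe_chain BUNDLE
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for f in "$dir"/cert-*.pem; do
        status=valid
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || status=EXPIRED
        printf '%s\n  %s\n  %s [%s]\n' \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -issuer)" \
            "$(openssl x509 -in "$f" -noout -enddate)" "$status"
    done
    rm -rf "$dir"
}

# Server-side fix: copy BUNDLE to OUT without any certificate whose issuer
# contains ISSUER. Both the cross-signed root and a mistakenly appended
# AddTrust root itself are caught, since that root is its own issuer.
drop_certs_issued_by() {  # drop_certs_issued_by BUNDLE ISSUER OUT
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    : > "$3"
    for f in "$dir"/cert-*.pem; do
        if openssl x509 -in "$f" -noout -issuer | grep -q -- "$2"; then
            continue
        fi
        cat "$f" >> "$3"
    done
    rm -rf "$dir"
}

# Constructed fixture (stand-in names; nothing here is a real CA):
# leaf <- "Test Intermediate" <- "Test Root" cross-signed by a stand-in
# "AddTrust External CA Root", plus that stand-in root appended. Prints
# the path of the resulting bundle.
csr() {   # csr DIR NAME CN  -> DIR/NAME.key, DIR/NAME.csr
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}
sign() {  # sign DIR CSR_NAME CA_CERT CA_KEY OUT_CERT
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3" -CAkey "$1/$4" \
        -CAcreateserial -out "$1/$5" -days 1 2>/dev/null
}
make_test_chain() {  # make_test_chain DIR
    d="$1"
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$d/old.key" -out "$d/old.pem" \
        -subj "/CN=AddTrust External CA Root" -days 1 2>/dev/null
    csr "$d" root "Test Root";          sign "$d" root old.pem old.key root-cross.pem
    csr "$d" int  "Test Intermediate";  sign "$d" int  root-cross.pem root.key int.pem
    csr "$d" leaf "www.example.test";   sign "$d" leaf int.pem int.key leaf.pem
    cat "$d/leaf.pem" "$d/int.pem" "$d/root-cross.pem" "$d/old.pem" > "$d/chain.pem"
    echo "$d/chain.pem"
}

demo() {
    work=$(mktemp -d)
    chain=$(make_test_chain "$work")
    echo "== chain as sent by the server"
    describe_chain "$chain"
    drop_certs_issued_by "$chain" "AddTrust External CA Root" "$work/chain-fixed.pem"
    echo "== chain after dropping certificates issued by AddTrust External CA Root"
    describe_chain "$work/chain-fixed.pem"
    rm -rf "$work"
}
demo
```

On a real server, run describe_chain against the chain file the web server serves (the fullchain or ca-bundle file) and drop_certs_issued_by to produce the replacement; clients then terminate the path at the newer USERTrust root, which current trust stores ship, instead of following the server's chain to the expired one.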

Addendum: the problem also manifests in LibreSSL.

Source: opennet.ru
