Problems caused by the expiry of the DST Root CA X3 certificate have already begun

Yesterday we shared the news here on the blog that the expiry of the IdenTrust certificate (DST Root CA X3), used to cross-sign the Let's Encrypt CA certificate, has caused problems with Let's Encrypt certificate verification in projects using older versions of OpenSSL and GnuTLS.

The problems also affected the LibreSSL library, whose developers did not take into account the earlier experience with the failures that occurred after the AddTrust root certificate of the Sectigo (Comodo) certificate authority expired.

In OpenSSL versions up to and including 1.0.2 and in GnuTLS before 3.6.14, there was a bug that prevented cross-signed certificates from being processed correctly if one of the root certificates used for signing had expired, even if other valid ones remained.

The essence of the bug is that older versions of OpenSSL and GnuTLS parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a distributed circular graph with multiple trust anchors that must be taken into account.
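The difference between the two models, and the reason removing DST Root CA X3 from the store works as a workaround, can be shown with a toy verifier (an added example, not code from OpenSSL, GnuTLS or the original article). The certificate names follow the Let's Encrypt chain; the `Cert` fields, key labels and dates are constructed, and `verify_linear` is a simplified model of the old behaviour rather than the libraries' actual algorithm.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    key: str         # stands in for the subject's public key
    issuer: str
    signer_key: str  # stands in for the key that produced the signature
    not_after: date

# Constructed sample data modelled on the Let's Encrypt chain; dates are illustrative.
DST_X3 = Cert("DST Root CA X3", "k-dst", "DST Root CA X3", "k-dst", date(2021, 9, 30))
ISRG_SELF = Cert("ISRG Root X1", "k-isrg", "ISRG Root X1", "k-isrg", date(2035, 6, 4))
ISRG_CROSS = Cert("ISRG Root X1", "k-isrg", "DST Root CA X3", "k-dst", date(2024, 9, 30))
R3 = Cert("R3", "k-r3", "ISRG Root X1", "k-isrg", date(2025, 9, 15))
LEAF = Cert("example.test", "k-leaf", "R3", "k-r3", date(2021, 12, 1))
SENT_BY_SERVER = [LEAF, R3, ISRG_CROSS]
BEFORE_EXPIRY, AFTER_EXPIRY = date(2021, 9, 1), date(2021, 10, 1)

def valid(cert, today):
    return today <= cert.not_after

def issued_by(cert, issuer):
    return cert.issuer == issuer.subject and cert.signer_key == issuer.key

def verify_linear(sent, store, today):
    """Linear-chain model: use every cert the server sent, commit to the first
    store entry that issued the top one, and fail if anything on that path expired."""
    chain = list(sent)
    while chain:
        root = next((a for a in store if issued_by(chain[-1], a)), None)
        if root is not None:
            return all(valid(c, today) for c in chain + [root])
        chain.pop()  # no anchor for this top cert: retry with a shorter chain
    return False

def verify_with_anchors(sent, store, today):
    """Graph model: walking up from the leaf, accept as soon as any unexpired
    trust anchor issued the current cert; other paths are then irrelevant."""
    for i, cert in enumerate(sent):
        if not valid(cert, today):
            return False
        if any(valid(a, today) and issued_by(cert, a) for a in store):
            return True
        if i + 1 < len(sent) and not issued_by(cert, sent[i + 1]):
            return False
    return False
```

With both roots in the store, `verify_linear` fails after the expiry date while `verify_with_anchors` succeeds; with only `ISRG_SELF` in the store, `verify_linear` succeeds again.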

For its part, the OpenBSD project urgently released patches for the 6.8 and 6.9 branches today that fix the problems in LibreSSL with verifying cross-signed certificates when one of the root certificates in the chain of trust has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not threaten security, since updates are additionally verified by a digital signature) or to select a different mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org).

The expired DST Root CA X3 certificate can also be removed from the /etc/ssl/cert.pem file. The syspatch utility, used to install binary system updates, has stopped working on OpenBSD.

Similar problems occur in DragonFly BSD when working with DPorts. When the pkg package manager is started, a certificate verification error is raised. A fix was added to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches today. As a workaround, you can remove the DST Root CA X3 certificate.

Some of the failures that occurred after the IdenTrust certificate expired are as follows:

  • Let's Encrypt certificate verification was disrupted in applications based on the Electron platform. This issue was fixed in updates 12.2.1, 13.5.1, 14.1.0, 15.1.0.
  • Some distributions have difficulty accessing package repositories when using the APT package manager bundled with older versions of the GnuTLS library.
  • Debian 9 was affected by an unpatched GnuTLS package, causing problems accessing deb.debian.org for users who had not installed updates in time (the gnutls28-3.5.8-5+deb9u6 fix was offered on September 17).
  • The acme client broke on OPNsense; the issue was reported ahead of time, but the developers failed to release the patch in time.
  • The issue affected the OpenSSL 1.0.2k package on RHEL/CentOS 7, but a week earlier an update to the ca-certificate-2021.2.50-72.el7_9.noarch package was produced for RHEL 7 and CentOS 7, from which the IdenTrust certificate was removed, that is, the manifestation of the problem was blocked in advance.
  • Since the updates were released early, the problem with Let's Encrypt certificate verification affected only users of old RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc is broken.
  • Builds failed on the Cloudflare Pages platform.
  • Problems in Amazon Web Services (AWS).
  • DigitalOcean users are having trouble connecting to databases.
  • Failure of the Netlify cloud platform.
  • Problems accessing Xero services.
  • Attempts to establish a TLS connection to the MailGun Web API failed.
  • Failures in versions of macOS and iOS (11, 13, 14) that in theory should not have been affected by the problem.
  • Catchpoint services failed.
  • Certificate verification failed when accessing the PostMan API.
  • Guardian Firewall crashed.
  • Outage on the monday.com support page.
  • Crash on the Cerb platform.
  • Uptime checks failed in Google Cloud Monitoring.
  • Issue with certificate verification on Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto proxies.
  • OVHcloud is having trouble connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Crash in Ledger Live Manager.
  • Certificate verification error in Facebook application development tools.
  • Problems in Sophos SG UTM.
  • Problems with certificate verification in cPanel.

As an alternative workaround, it is recommended to delete the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command "update-ca-certificates -f -v".

On CentOS and RHEL, you can add the "DST Root CA X3" certificate to the blacklist.

