Problems caused by the expiration of the DST Root CA X3 certificate have begun

Yesterday we shared the news here on the blog that the expiration of the IdenTrust certificate (DST Root CA X3), which was used to cross-sign the Let's Encrypt CA certificate, caused problems with Let's Encrypt certificate verification in projects using older versions of OpenSSL and GnuTLS.

These problems also affected the LibreSSL library, whose developers did not take into account past experience with the failures that followed the expiration of the AddTrust root certificate of the Sectigo (Comodo) certificate authority.

In OpenSSL versions up to and including 1.0.2, and in GnuTLS before 3.6.14, there was a bug that prevented cross-signed certificates from being processed correctly if one of the root certificates used for signing had expired, even when other valid ones remained.

The essence of the bug is that earlier versions of OpenSSL and GnuTLS parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed, distributed circular graph with multiple trust anchors that must be taken into account.
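The difference between the two approaches, as an added example that is not code from OpenSSL, GnuTLS or the original post: a toy model with no real signatures, comparing a linear-chain check with graph path building over a cross-signed root. The names `ISRG Root X1`, `R3`, `example.test` and all dates are constructed sample data; the linear model also shows why removing the expired root from the store helps.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:          # toy certificate: names and expiry only, no signatures
    subject: str
    issuer: str
    not_after: datetime

def valid(c, now):
    return now <= c.not_after

def linear_verify(chain, anchors, now):
    """Simplified model of the old logic: treat the peer's chain as one line and
    stop at the first store entry matching the issuer of its last certificate.
    A shorter chain is tried only if that issuer is absent from the store."""
    for end in range(len(chain), 0, -1):
        root = anchors.get(chain[end - 1].issuer)
        if root is not None:
            return all(valid(c, now) for c in chain[:end] + [root])
    return False

def graph_verify(cert, pool, anchors, now, seen=frozenset()):
    """Path building: return any unexpired path to an unexpired anchor."""
    if cert in seen or not valid(cert, now):
        return None
    anchor = anchors.get(cert.issuer)
    if anchor is not None and valid(anchor, now):
        return [cert.subject, anchor.subject]
    for issuer in pool:                      # other edges of the graph
        if issuer.subject == cert.issuer:
            rest = graph_verify(issuer, pool, anchors, now, seen | {cert})
            if rest:
                return [cert.subject] + rest
    return None

# Constructed sample data (names and dates are assumptions, not from the page).
d = datetime
leaf  = Cert("example.test", "R3", d(2021, 12, 1))
r3    = Cert("R3", "ISRG Root X1", d(2025, 9, 15))
cross = Cert("ISRG Root X1", "DST Root CA X3", d(2024, 9, 30))
CHAIN = [leaf, r3, cross]                    # what the server sends
STORE = {
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", d(2021, 9, 30)),
    "ISRG Root X1":   Cert("ISRG Root X1", "ISRG Root X1", d(2035, 6, 4)),
}
AFTER = d(2021, 10, 1)

if __name__ == "__main__":
    print("linear:", linear_verify(CHAIN, STORE, AFTER))
    print("graph: ", graph_verify(leaf, CHAIN, STORE, AFTER))
```
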

For its part, the OpenBSD project urgently released patches for the 6.8 and 6.9 branches today, fixing problems in LibreSSL with the verification of cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not threaten security, since updates are additionally verified by a digital signature) or to select another mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org).

The expired DST Root CA X3 certificate can also be removed from the /etc/ssl/cert.pem file. The syspatch utility, which is used to install binary system updates, has stopped working on OpenBSD.

Similar problems occur in DragonFly BSD when working with DPorts. Starting the pkg package manager produces a certificate verification error. The fix was added today to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, you can remove the DST Root CA X3 certificate.

Other failures that occurred after the IdenTrust certificate expired were the following:

  • Let's Encrypt certificate verification was disrupted in applications based on the Electron platform. The problem was fixed in updates 12.2.1, 13.5.1, 14.1.0, 15.1.0.
  • Some distributions have trouble accessing package repositories when using the APT package manager with older versions of the GnuTLS library.
  • Debian 9 was affected by an unpatched GnuTLS package, which caused problems accessing deb.debian.org for users who had not installed updates in time (the fix gnutls28-3.5.8-5+deb9u6 was proposed on September 17).
  • The acme client broke in OPNsense; the problem was reported in advance, but the developers failed to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL / CentOS 7, but last week an update of the ca-certificates-2021.2.50-72.el7_9.noarch package was produced for RHEL 7 and CentOS 7 in which the IdenTrust certificate was removed, that is, the manifestation of the problem was blocked in advance.
  • Because the updates were released in advance, the Let's Encrypt certificate verification problem affected only users of old RHEL / CentOS and Ubuntu branches who do not install updates regularly.
  • Certificate verification in grpc was broken.
  • Builds failed on the Cloudflare Pages platform.
  • Problems in Amazon Web Services (AWS).
  • DigitalOcean users have trouble connecting to the database.
  • Failure of the Netlify cloud platform.
  • Problems accessing Xero services.
  • An attempt to establish a TLS connection to the MailGun Web API failed.
  • Failures on macOS and iOS versions (11, 13, 14), which should not have been affected by this problem.
  • Failure of hosting services.
  • Certificate checks failed when accessing the PostMan API.
  • Guardian Firewall crashed.
  • Disruption on the monday.com support page.
  • Crash on the Cerb platform.
  • Unable to verify uptime in Google Cloud Monitoring.
  • Certificate verification problems in Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto proxies.
  • OVHcloud has trouble connecting to the OpenStack API.
  • Problems generating reports in Shopify.
  • Problems accessing the Heroku API.
  • Crash in Ledger Live Manager.
  • Certificate verification error in the Facebook app development tools.
  • Problems in Sophos SG UTM.
  • Problems with certificate verification in cPanel.

As another workaround, it is suggested to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command "update-ca-certificates -f -v".

On CentOS and RHEL, you can add the "DST Root CA X3" certificate to the blacklist.
