Yesterday we shared the news here on the blog that the expiration of the IdenTrust certificate (DST Root CA X3), which was used to sign the Let's Encrypt CA certificate, caused problems with Let's Encrypt certificate validation in projects using older versions of OpenSSL and GnuTLS.
These problems also affected the LibreSSL library, whose developers did not take into account the past experience of the failures that followed the expiration of the AddTrust certificate of the Sectigo (Comodo) certificate authority.
In OpenSSL versions up to and including 1.0.2 and in GnuTLS before 3.6.14, there was a bug that prevented correct processing of cross-signed certificates if one of the root certificates used for signing had expired, even if other valid ones were still available.
The essence of the bug is that earlier versions of OpenSSL and GnuTLS parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed distributed circular graph with several trust anchors that must be taken into account.
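The difference between the two validation strategies, as an added example that is not code from OpenSSL, GnuTLS or the original article. It is a simplified model in which names stand in for keys and signatures are not checked; the certificate names other than DST Root CA X3 and all dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # signatures are not modelled; names stand in for keys

def linear_verify(presented, store, today):
    """Simplified model of the pre-fix behaviour: the first chain that
    reaches any store entry is final, even if that entry has expired."""
    chain = list(presented)
    while chain:
        anchor = next((r for r in store if r.subject == chain[-1].issuer), None)
        if anchor is not None:
            return all(c.not_after >= today for c in chain + [anchor])
        chain.pop()  # issuer not in the store: retry with a shorter chain
    return False

def graph_verify(cert, pool, store, today, seen=frozenset()):
    """Path building in the RFC 4158 sense: explore every candidate issuer
    and succeed on the first unexpired trust anchor."""
    if cert.not_after < today or cert in seen:
        return False
    if any(r.subject == cert.issuer and r.not_after >= today for r in store):
        return True
    return any(graph_verify(c, pool, store, today, seen | {cert})
               for c in pool if c.subject == cert.issuer)

# Constructed sample data: illustrative names and dates, not real certificates.
TODAY = date(2021, 10, 1)
LEAF = Cert("example.org", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
PRESENTED = [LEAF, R3, X1_CROSS]  # what the server sends
STORE = [DST_X3, X1_SELF]         # local trust store

def demo():
    return {
        "linear": linear_verify(PRESENTED, STORE, TODAY),
        "graph": graph_verify(LEAF, PRESENTED, STORE, TODAY),
        "linear_without_dst": linear_verify(PRESENTED, [X1_SELF], TODAY),
    }

if __name__ == "__main__":
    print(demo())
```

The `linear_without_dst` case mirrors the workaround of removing the expired root from the local store, which lets the linear walk fall back to the remaining valid anchor.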
For its part, the OpenBSD project urgently released patches for the 6.8 and 6.9 branches today, fixing problems in LibreSSL with the validation of cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not threaten security, since updates are additionally verified by a digital signature) or to choose another mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org).
The expired DST Root CA X3 certificate can also be removed from the /etc/ssl/cert.pem file, and the syspatch utility used to install binary system updates has stopped working on OpenBSD.
Similar problems occur in DragonFly BSD when working with DPorts. When the pkg package manager is started, a certificate validation error is raised. The fix was added to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches today. As a workaround, you can remove the DST Root CA X3 certificate.
Other failures that occurred after the expiration of the IdenTrust certificate were the following:
- The Let's Encrypt certificate validation process was disrupted in applications based on the Electron platform. This problem was fixed in updates 12.2.1, 13.5.1, 14.1.0, 15.1.0.
- Some distributions have problems accessing package repositories when using the APT package manager bundled with older versions of the GnuTLS library.
- Debian 9 was affected by an unpatched GnuTLS package, which caused problems accessing deb.debian.org for users who had not installed updates in time (the fix gnutls28-3.5.8-5+deb9u6 was proposed on September 17).
- The acme client broke on OPNsense; the problem was reported in advance, but the developers failed to release a patch in time.
- The problem affected the OpenSSL 1.0.2k package in RHEL / CentOS 7, but last week an update of the ca-certificates-2021.2.50-72.el7_9.noarch package was released for RHEL 7 and CentOS 7 in which the IdenTrust certificate was removed, that is, the manifestation of the problem was blocked in advance.
- Since the updates were released in advance, the Let's Encrypt certificate validation problem affected only users of old RHEL / CentOS and Ubuntu branches who do not install updates regularly.
- The certificate validation process in grpc was broken.
- Cloudflare Pages platform builds failed.
- Problems in Amazon Web Services (AWS).
- DigitalOcean users have problems connecting to the database.
- Failure of the Netlify cloud platform.
- Problems accessing Xero services.
- An attempt to establish a TLS connection to the MailGun Web API failed.
- Failures in macOS and iOS versions (11, 13, 14), which should not have been affected by the problem.
- Failure of Catchpoint services.
- Certificate verification failed when accessing the PostMan API.
- Guardian Firewall crashed.
- Disruption of the monday.com support page.
- Crash on the Cerb platform.
- Uptime checks failed in Google Cloud Monitoring.
- Problem with certificate validation in Cisco Umbrella Secure Web Gateway.
- Problems connecting to Bluecoat and Palo Alto proxies.
- OVHcloud has problems connecting to the OpenStack API.
- Problems generating reports in Shopify.
- Problems accessing the Heroku API.
- Crash in Ledger Live Manager.
- Certificate validation error in Facebook application development tools.
- Problems in Sophos SG UTM.
- Problems with certificate validation in cPanel.
As another workaround, it is suggested to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run the command "update-ca-certificates -f -v".
On CentOS and RHEL, you can add the "DST Root CA X3" certificate to the blacklist.