Switching to a New SSL Certificate (1): WoSign Is Dead

After upgrading to the new version of Chrome, my old WoSign SSL certificate is no longer supported.

I looked around and did not find this in the release notes. There is only this post, published on the security blog in October:

Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date MAY continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.
Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.

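With the release of Chrome 57, WoSign is no longer trusted at all. Visiting the site produces the error NET::ERR_CERT_AUTHORITY_INVALID.
Since there is nothing in the release notes, I went digging through git, and found this: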

commit e719fc626a3b9a528bf226b704785bcb24d07868
author Ryan Sleevi Fri Jan 27 21:14:49 2017
committer Ryan Sleevi Fri Jan 27 21:14:49 2017
Restrict the set of WoSign/StartCom certs to the Alexa Top 1M
Restrict the set of domains for which WoSign/StartCom certificates
are trusted to the set of domains intersecting the Alexa Top 1M
whose certificates are unexpired and unrevoked.
BUG=685826

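Yes: now even certificates issued before October 21, 2016 00:00:00 UTC are no longer trusted (unless the site is in the Alexa Top 1M).
So WoSign, China's largest security certificate issuer, may well have died of this.
So I switched my blog over to Let's Encrypt.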
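
The rule described above can be turned into a quick audit of your own certificates. This is an added example, not Chrome's code and not part of the original post: it works on dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and it assumes that affected issuers can be recognised by name and that the allowlist matches parent domains. The allowlist and sample certificates are constructed.

```python
import ssl

# Cutoff quoted in the Chrome announcement: October 21, 2016 00:00:00 UTC.
CUTOFF = ssl.cert_time_to_seconds("Oct 21 00:00:00 2016 GMT")
# Assumption: affected CAs are recognised by a name substring in the issuer.
AFFECTED = ("wosign", "startcom")

def is_affected_issuer(cert):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = (fields.get("organizationName", ""), fields.get("commonName", ""))
    return any(m in n.lower() for n in names for m in AFFECTED)

def on_allowlist(hostname, allowlist):
    """Assumption: a host counts if it or any parent domain is listed."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def classify(cert, hostname, allowlist):
    """Apply the policy as this post describes it, in order."""
    if not is_affected_issuer(cert):
        return "unaffected"
    if ssl.cert_time_to_seconds(cert["notBefore"]) > CUTOFF:
        return "distrusted: issued after cutoff"
    if not on_allowlist(hostname, allowlist):
        return "distrusted: host not on allowlist"
    return "may still be trusted"

# Constructed sample data (not real certificates or the real Chrome list).
def make_cert(org, cn, not_before):
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}

ALLOWLIST = {"top-site.example"}
OLD_WOSIGN = make_cert("WoSign CA Limited", "Constructed Issuing CA",
                       "Mar  1 00:00:00 2016 GMT")
NEW_WOSIGN = make_cert("WoSign CA Limited", "Constructed Issuing CA",
                       "Nov  1 00:00:00 2016 GMT")
OTHER_CA = make_cert("Let's Encrypt", "Let's Encrypt Authority X3",
                     "Mar  1 00:00:00 2017 GMT")

if __name__ == "__main__":
    for cert, host in [(OLD_WOSIGN, "blog.example"),
                       (OLD_WOSIGN, "www.top-site.example"),
                       (NEW_WOSIGN, "www.top-site.example"),
                       (OTHER_CA, "blog.example")]:
        print(host, "->", classify(cert, host, ALLOWLIST))
```

Chrome itself decides from the certificate chain and a compiled-in domain list, so treat the result as a pointer to which certificates to replace first.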

I will write up the steps for switching to Let's Encrypt tomorrow.
Good night.
