Isowa de OpenSSL 4.0 yana nuna babban karyewa Wannan babban haɓakawa na sigar ba wai kawai alama ce ba: yana kawo canje-canje marasa jituwa, sabbin fasaloli da aka mayar da hankali kan sirri da tsaro na gaba, da kuma ritayar fasahar da suka tsufa tsawon shekaru. Ana amfani da wannan ɗakin karatu na SSL/TLS da cryptography sosai a cikin sabar yanar gizo, aikace-aikacen kasuwanci, da na'urorin sadarwa.
Ga masu gudanar da tsarin, manajojin tsaro na yanar gizo, da masu haɓakawa, wannan sigar tana wakiltar lokacin da ake buƙatar sabunta kayayyakin more rayuwaYana gabatar da ci gaba kamar Encrypted Client Hello da kuma ci gaba da tallafi don bayanan sirri, amma kuma yana cire tallafi ga tsoffin ka'idoji, tsarin injin, da kuma wasu APIs, wanda ke tilasta sake duba lambar da hanyoyin tattara bayanai kafin yin canjin.
Sabbin sabbin fasaloli na OpenSSL 4.0
An gabatar da OpenSSL 4.0 a matsayin babban sabuntawa, tare da mai da hankali sosai kan ƙarfafa sirri, sabunta tushen lambar sirri, da kuma tsaftace kayan da suka gadaƘungiyar aikin ta yi amfani da babban canjin sigar don gabatar da gyare-gyare marasa jituwa, cire tallafi ga dandamalin gefe, da kuma daidaita ɗabi'ar da ta saba da wasu abubuwan ciki.
Daga cikin canje-canjen da aka fi gani akwai haɗakar Encrypted Client Hello (ECH), faɗaɗa kundin algorithms don yanayin bayan-kwata, raguwa da kawar da ayyukan tarihi wajen sarrafa takaddun shaida da lokutan X.509, da kuma sake duba zaɓuɓɓukan tattarawa, rubutun da kuma manufofin ginawa a cikin tsarin aiki daban-daban.
Ingantaccen sirri tare da Abokin Ciniki Mai ɓoyewa (ECH)
Ɗaya daga cikin ci gaban da aka fi tattaunawa akai shine haɗin kai Abokin Ciniki mai ɓoyewa Hello ya dace da RFC 9849ECH yana ba da damar ɓoye saƙon Client Hello na TLS, ta yadda mai lura da hanyar sadarwa ba zai iya samun damar Nunin Sunan Server (SNI) ba, wato, sunan sabar da abokin ciniki ke haɗawa da ita.
Wannan canjin yana da mahimmanci musamman idan aka yi la'akari da cewa kariyar sirri da bayanan haɗi Yana da matuƙar muhimmanci a cikin tsarin dokoki da manufofin ƙungiyoyi da yawa. Amfani da ECH yana taimakawa rage ikon wasu kamfanoni na bayyana zirga-zirgar TLS ta hanyar gano takamaiman yankuna da masu amfani da kamfanoni ke shiga.
Tare da OpenSSL 4.0, masu haɓaka da ke aiwatar da ECH za su iya ɓoye bayanai masu mahimmanci daga musafar farkoWannan yana sa binciken da ba a yi shi ba ya zama da wahala kuma yana ƙara matakin sirrin haɗin gwiwa, a cikin ayyukan gwamnati da kuma a cikin yanayin kamfanoni inda aka ba da fifiko ga bin ƙa'idodi da kariyar bayanai.
Barka da zuwa SSLv3, SSLv2 Client Sannu, da tsarin injin
Sabuwar sigar ta karya wani ɓangare na tarihin yarjejeniyar, tun lokacin da yana cire tallafi ga SSLv3SSLv3, wani ma'auni da aka ɗauka a matsayin mara tsaro tsawon shekaru kuma an kashe shi ta hanyar tsoho a cikin OpenSSL tun sigar 1.1.0, yanzu za a cire shi daga aiki. Saboda haka, duk wani aikace-aikacen da har yanzu ya dogara da SSLv3 zai yi ƙaura zuwa TLS na zamani don samun damar yin aiki tare da reshen 4.0.
Haka kuma ya bace Tallafin Sannu na Abokin Ciniki na SSLv2Wannan fasalin, wanda aka kiyaye shi don dacewa ta tarihi amma ya kasance ba kamar mafi kyawun hanyoyin tsaro ba, yanzu ana cire shi. Cire shi yana taimakawa rage saman harin da kuma sauƙaƙe lambar, yana daidaita OpenSSL tare da buƙatun yanzu don ingantaccen ɓoye bayanai a cikin kayayyakin more rayuwa.
Wani canjin tsarin shine kawar da dukkan API ɗin injin da ake amfani da shi don haɗa kayan aikin ɓoye bayanai na waje da softwareFarawa da OpenSSL 4.0, zaɓin tattarawa ba tare da injin ba ya zama ɗaya tilo da ake da shi, kuma macro na OPENSSL_NO_ENGINE koyaushe yana nan. Wannan yana buƙatar sake duba aiwatarwa waɗanda suka yi amfani da injunan musamman don ayyuka kamar haɓaka sirri ko amfani da kayan HSM.
A lokaci guda kuma, ana kuma yin yanke-yanke. Hanyoyin da aka saba gada daga EVP_CIPHER, EVP_MD, EVP_PKEY, da EVP_PKEY_ASN1, tare da tsoffin hanyoyin sigar SSL/TLS da ayyukan sarrafa yanayin kuskure (kamar ERR_get_state() da bambance-bambancen cire yanayinsa), suna haɗa API mai tsafta wanda ya fi dacewa da buƙatun yanzu.
Ƙara zuwa rubutun bayanan-bayan-kwatancen da sabbin algorithms
Idan aka duba gaba, OpenSSL 4.0 tana haɓaka dabarunta zuwa shirya don barazanar da ke tasowa daga ƙirar kwantumSigar ta gabatar da sabbin dabarun tattara bayanai da kuma tattara bayanai, da nufin ƙarfafa musayar bayanai masu mahimmanci kan yiwuwar hare-hare a cikin yanayin bayan-kwata.
Daga cikin sabbin fasaloli akwai ƙungiyar musayar maɓalli ta haɗin gwiwaSM2MLKEM768, wanda ya haɗa abubuwan gargajiya tare da tsare-tsaren post-quantum, da kuma tsarin sawun yatsa na ML-DSA-MU da aikin cSHAKE bisa ga NIST SP 800-185. Waɗannan abubuwan suna faɗaɗa damar tsara ka'idoji waɗanda suka fi juriya ga ci gaban cryptanalytic na gaba.
Bugu da ƙari, aikin ya ƙara da cewa Tallafi ga musayar maɓallan FFDHE da aka yi shawarwari a kai akan TLS 1.2Wannan ya bi ƙa'idodin da aka kafa a cikin RFC 7919. Wannan yana ba da damar aiwatarwa waɗanda har yanzu ke aiki tare da TLS 1.2 su amfana daga ingantattun sigogin ƙungiyar Diffie-Hellman mai iyaka, yana haɓaka matakin tsaro a cikin yanayi inda haɓakawa nan take zuwa TLS 1.3 ba zai yiwu ba.
Canje-canje da halayen API waɗanda ke shafar masu haɗaka
Ga waɗanda ke kula da aikace-aikacen da ke haɗi zuwa OpenSSL, sigar 4.0 ta gabatar Gyara kai tsaye ga API wanda zai iya karya gine-ginen da ke akwaiƊaya daga cikin manyan canje-canjen shine nau'in ASN1_STRING ya zama ba a iya gani, wanda ke iyakance damar shiga kai tsaye zuwa tsarin ciki kuma yana tilasta amfani da ayyuka masu girma.
Ayyuka da yawa, musamman waɗanda suka shafi Tsarin takardar shaidar X.509 yanzu ya haɗa da cancantar const a cikin sa hannunsu, daidaita ma'anar rashin canzawa da tilasta gyare-gyare a cikin lambar da ba ta da tsauri. Wannan na iya haifar da gargaɗi ko kurakurai na tattarawa a cikin ayyukan da ba sa sabunta ma'anoni masu dacewa.
A fannin kula da lokaci, akwai Ayyukan da aka ayyana waɗanda suka tsufa kamar X509_cmp_time(), X509_cmp_current_time() da X509_cmp_timeframe()Amfani da aka ba da shawarar yanzu shine X509_check_certificate_times(), wanda ya haɗa da daidaita ayyukan tabbatar da takardar shaida waɗanda a da suka dogara da tsoffin ayyuka.
Wani abin da ya dace shi ne libcrypto ya dakatar da tsaftace bayanan da aka sanya a duniya ta hanyar atexit(). Madadin haka, ana gudanar da OPENSSL_cleanup() azaman mai lalata duniya ko kuma ba a ƙaddamar da shi ta hanyar tsoho ba, ya danganta da tsarin. Wannan na iya shafar aikace-aikacen da suka dogara da tsaftacewa ta atomatik lokacin ƙarewar tsari, wanda ke tilasta sarrafa zagayowar rayuwa ta albarkatu mafi bayyane.
Bugu da ƙari, BIO_f_reliable(), wani fasali ne wanda ke nuna An karya shi tun reshe na 3.0 kuma yanzu ya ɓace ba tare da maye gurbinsa kai tsaye baAyyukan da har yanzu suke amfani da shi za su sake tsara dabarun da ke da alaƙa ko kuma su ɗauki wasu abubuwan asali daga ɗakin karatu don biyan buƙatun makamancin haka.
Babban tsauri a cikin tabbatar da takardar shaida da kuma samowar mahimman bayanai
OpenSSL 4.0 yana ƙarfafa tsarin Tabbatar da takaddun shaida na X.509 sosai lokacin da aka kunna X509_V_FLAG_X509_STRICTDa zarar an kunna wannan tutar, ana yin ƙarin bincike akan tsawaita AKID (Authority Key Identifier), ƙara ƙa'idodin tabbatarwa da daidaita ɗakin karatu tare da ayyukan tsaro masu wahala.
A yayin aiwatar da tabbatar da jerin sokewa (CRL), sabuwar sigar ta ƙara da cewa Ƙarin iko don tabbatar da cewa tabbatar da takaddun shaida da aka soke ya fi cikakken bayaniWaɗannan canje-canjen suna shafar muhalli inda gudanarwar PKI ke da matuƙar muhimmanci, kamar gwamnatocin jama'a, bankuna, ko manyan kamfanoni waɗanda suka dogara da sarƙoƙin aminci masu ƙarfi.
Ana kuma gabatar da su Ƙananan iyaka da ake buƙata don amfani da PKCS5_PBKDF2_HMAC lokacin amfani da mai samar da FIPSWannan gyara yana neman guje wa rashin ƙarfi sosai a cikin abubuwan da aka samo daga kalmomin shiga, wanda a aikace yana tilasta amfani da ƙananan sigogi masu ƙarfi a cikin muhalli inda ake buƙatar bin ƙa'idodin FIPS, wanda ya zama ruwan dare a cikin mahimman fannoni.
Saitunan tattarawa, dandamali masu goyan baya, da kayan aiki
Dangane da tattarawa da tallafin dandamali, OpenSSL 4.0 tana ɗaukar matakai don mafi tsari na zamani da sauƙiAikin yana hana tallafi ga lanƙwasa elliptical da suka tsufa a cikin TLS ta hanyar tsoho, kamar yadda aka ƙayyade a cikin RFC 8422, da kuma amfani da lanƙwasa elliptical bayyanannu. Duk da haka, zaɓuɓɓukan daidaitawa sun kasance ga waɗanda ke buƙatar sake kunna su saboda dalilai na dacewa lokaci-lokaci.
Dangane da manufofin ginin, an yi shi ne Suna cire nau'ikan darwin-i386 da darwin-ppcWannan a hukumance ya cire tsoffin tsarin Apple waɗanda suka dogara da tsarin i386 da PowerPC/PPC64. A aikace, wannan bai kamata ya shafi yawancin tsarin da ake amfani da su a yanzu ba, inda waɗannan dandamalin suka tsufa na ɗan lokaci, amma yana tabbatar da cire su daga tallafin da ake samu daga manyan kamfanoni.
Dangane da kayan aiki, ana cire rubutun tarihi, kuma samar da ma'aunin hash don takaddun shaida a cikin kundin adireshi shine hanyar da aka ba da shawarar. Bugu da ƙari, don shigarwar FIPS, an gabatar da zaɓin `-defer_tests` a cikin kayan aikin `openssl fipsinstall`, yana ba da damar dage wasu gwaje-gwajen atomatik, wanda zai iya sauƙaƙe jigilar su a cikin yanayi tare da ƙuntatawa na lokacin farawa.
A kan tsarin Windows, sabuntawa yana ƙara ikon zaɓar tsakanin haɗin kai tsaye ko tsauri na lokacin aiki na Visual C++Wannan sassauci yana da amfani ga masu haɓakawa da ƙungiyoyin DevOps waɗanda ke tattara aikace-aikace don yanayin rarrabawa daban-daban, saboda suna iya daidaita nau'in lokacin aiki bisa ga buƙatun jituwa ko girman binary.
Tasiri ga ƙungiyoyi da masu haɓaka
A cikin mahallin da yawancin kayayyakin more rayuwa na Intanet da ayyuka masu mahimmanci suka dogara da OpenSSL, sigar 4.0 tana wakiltar canjin dabarun da ke buƙatar tsariƘungiyoyin jama'a, masu samar da girgije, cibiyoyin kuɗi, da kamfanonin fasaha ya kamata su yi nazari sosai kan tasirin canje-canjen API da ritayar yarjejeniya, musamman kan tsoffin tsarin ko aikace-aikacen da ba su da kyau.
Ana iya ganin haɗa ECH da ƙarfafa bayanan sirri na bayan-quantum kamar haka damar da za a ɗaga matakin kariya na asaliAmma a lokaci guda, suna buƙatar cikakken gwaji a cikin yanayin kafin samarwa. A lokuta da yawa, zai zama dole a haɗa ƙungiyoyin ci gaba, tsaro, da ayyuka don tabbatar da cewa sauyin bai karya ayyuka ko gabatar da koma-baya ba.
Ga ayyukan bude tushen da suka dogara sosai akan OpenSSL, daidaitawar za ta ƙunshi Daidaita sa hannun ayyuka, sake duba amfani da nau'ikan da ba a iya gani ba yanzu kuma a maye gurbin kayan aikin da suka yi ritaya kamar injunan lokaci ko ayyuka na X.509. Fa'idar ita ce, da zarar an sabunta su, waɗannan ayyukan za su amfana daga tushen ɓoye bayanai wanda ya fi dacewa da ƙa'idodin yanzu da ƙarancin bashin fasaha.
Gabaɗaya, OpenSSL 4.0 yana sanya kansa a matsayin sigar tsaftacewa, zamani da kuma shiri don matsakaici da dogon lokaciWannan yana buƙatar saka hannun jari a ƙaura amma a madadin haka yana ba da ingantaccen ci gaba a cikin sirri, tsaro da daidaiton cikin ɗakin karatu, manyan fannoni don ci gaba da tallafawa kayayyakin more rayuwa na dijital akan tushen sirri mai ƙarfi.
