【微信小程序】iOS 11不再信赖WoSign证书，请开发者及时更改--移动互联【未来之窗旗下】

由于即将发布的iOS 11不再信赖WoSign颁发的证书。在iOS11系统中，会导致使用WoSign证书的https页面在微信（包括系统Safari浏览器）内无法正常访问。请开发者及时更改证书。

Lists of available trusted root certificates in iOS

Blocking Trust for WoSign CA Free SSL Certificate G2

Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.

In light of these findings, we took action to protect users in a security update. Apple products no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products trust individual existing certificates that were issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.

As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.

Further steps for WoSign

After further investigation, we have concluded that in addition to multiple control failures in the operation of the WoSign certificate authority (CA), WoSign did not disclose the acquisition of StartCom.

We are taking further actions to protect users in an upcoming security update. Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.

About trust and certificates

Each iOS Trust Store listed below contains three categories of certificates:

Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots—for example, to establish a secure connection to a web server. When IT administrators create Configuration Profiles for iOS, these trusted root certificates don't need to be included.
Always Ask certificates are untrusted but not blocked. When one of these certificates is used, you'll be prompted to choose whether or not to trust it.
Blocked certificates are believed to be compromised and will never be trusted.

证书颁发机构WoSign经历了多个控制失败WoSign CA的证书发行过程自由SSL证书G2中间CA。尽管没有WoSign根是在苹果公司的列表中信任的根,这中间CA与StartCom cross-signed证书关系和舒适地使用苹果产品上建立信任。

根据这些发现,我们采取行动来保护用户安全更新。苹果产品不再信任WoSign CA免费SSL证书G2中间CA。

为了避免破坏现有WoSign证书持有人,并允许他们过渡到受信任的根,苹果产品信任个人现有的从这中间CA颁发的证书,和公共证书透明度日志服务器发布的2016-09-19。他们将继续被信任,直到到期,撤销,或者在苹果的自由裁量权不可信。

随着调查的进行,我们将采取进一步行动WoSign / StartCom信任锚在苹果产品用户需要保护。

经过进一步调查,我们得出的结论是,除了多个控制失败的操作WoSign证书颁发机构(CA),WoSign没有透露收购StartCom。

我们正在采取进一步的行动来保护用户在以后的安全更新。苹果产品会阻止证书WoSign StartCom根ca如果“之前”日期是2016年12月1日或之后就是格林尼治时间/ UTC。

信任证书建立信任链验证其他证书签署的信任根为例,建立一个安全连接到web服务器。当它为iOS管理员创建配置概要文件,这些受信任的根证书不需要包括在内。

总是问证书不可信但不阻止。当使用这些证书之一,你会被提示选择是否相信它。