Bug 225614

Summary: distcache.freebsd.org uses an invalid security certificate
Product: Ports & Packages
Component: Package Infrastructure
Reporter: Wolfram Schneider <wosch>
Assignee: Cluster Admin <clusteradm>
CC: michael.osipov, philip, portmgr
Status: Open
Severity: Affects Only Me
Priority: ---
Version: Latest   
Hardware: Any   
OS: Any   
Bug Depends on: 221722    
Bug Blocks:    

Description Wolfram Schneider freebsd_committer freebsd_triage 2018-02-01 21:43:00 UTC
I tried to download a distfile from https://distcache.freebsd.org/

I got an SSL error:

distcache.freebsd.org uses an invalid security certificate.
The certificate is only valid for pkg.freebsd.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Comment 1 Wolfram Schneider freebsd_committer freebsd_triage 2018-02-03 16:29:58 UTC
The CDN sites have the same SSL problem:

https://distcache.us-east.FreeBSD.org
https://distcache.eu.FreeBSD.org
https://distcache.us-west.FreeBSD.org
Comment 2 Antoine Brodin freebsd_committer freebsd_triage 2018-02-03 16:42:38 UTC
In bsd.port.mk, the distcache URLs use HTTP, not HTTPS.

Also, for non-maintainers/committers, SSL_NO_VERIFY_PEER=1 and SSL_NO_VERIFY_HOSTNAME=1 are used when fetching distfiles from HTTPS sites (distinfo already ensures the integrity of the distfiles).

So I don't think this is a problem.
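The distinfo check that comment 2 relies on, sketched as an added example (not part of the original comment and not the ports framework's own code): a file fetched over an unauthenticated transport is accepted only if its size and SHA256 match the distinfo entry. The function names, the sample file name and its contents are constructed for illustration, and the `SHA256 (name) = hex` / `SIZE (name) = bytes` line layout is assumed.

```python
import hashlib
import re

# Assumed distinfo layout: "SHA256 (name) = hex" and "SIZE (name) = bytes".
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}}; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # e.g. TIMESTAMP lines
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entries.setdefault(name, {})[kind] = (
            int(value) if kind == "SIZE" else value.lower()
        )
    return entries

def verify_distfile(name, data, entries):
    """Check bytes fetched over an untrusted transport; returns (ok, reason)."""
    want = entries.get(name)
    if want is None or "SHA256" not in want or "SIZE" not in want:
        return False, "no complete distinfo entry"  # fail closed
    if len(data) != want["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != want["SHA256"]:
        return False, "checksum mismatch"
    return True, "ok"

# Constructed sample data, not taken from any real port.
SAMPLE_FILE = b"constructed sample distfile contents\n"
SAMPLE_DISTINFO = (
    "TIMESTAMP = 1517694158\n"
    f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(SAMPLE_FILE).hexdigest()}\n"
    f"SIZE (example-1.0.tar.gz) = {len(SAMPLE_FILE)}\n"
)

if __name__ == "__main__":
    entries = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_distfile("example-1.0.tar.gz", SAMPLE_FILE, entries))
    # Same length, different bytes: only the hash catches this.
    tampered = SAMPLE_FILE.replace(b"sample", b"SAMPLE")
    print(verify_distfile("example-1.0.tar.gz", tampered, entries))
```

The check authenticates content only; it says nothing about who can observe which file was requested, which is the separate point raised later in the thread.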
Comment 3 Wolfram Schneider freebsd_committer freebsd_triage 2018-02-03 21:35:27 UTC
(In reply to Antoine Brodin from comment #2)
> In bsd.port.mk, the distcache urls use HTTP, not HTTPS.

This is another bug, but let's fix the SSL errors first.

The issue is about privacy, not integrity. It is our duty to protect our users. E.g. in some countries it is illegal to use, or even install, VPN clients.
Comment 4 Michael Osipov 2020-03-15 21:42:09 UTC
This issue still persists.
Comment 5 Philip Paeps freebsd_committer freebsd_triage 2020-03-16 07:58:40 UTC
This is not actually an issue.  As Antoine pointed out in #2, the distfiles are fetched over HTTP.

The ports system doesn't need SSL for integrity.  SSL doesn't provide any privacy for distfile downloads: the filesize alone will fingerprint files with reasonable accuracy.
Comment 6 Mathieu Arnold freebsd_committer freebsd_triage 2020-03-16 08:51:14 UTC
Maybe if the distcache could *not* be used with https, it would end this.
Comment 7 Michael Osipov 2020-03-16 08:56:01 UTC
(In reply to Philip Paeps from comment #5)

That's correct, but many people assume that a non-matching certificate compromises security. I am not one of those ;-)
Comment 8 Philip Paeps freebsd_committer freebsd_triage 2020-03-16 09:14:23 UTC
We could probably also add distcache.freebsd.org as a SAN, but it would indeed be easier simply not to offer https.

I believe the only reason https is on is because people apparently expect that http runs over port 443 wrapped in tls these days.
Comment 9 Mathieu Arnold freebsd_committer freebsd_triage 2020-03-18 21:05:40 UTC
Well, it would be nice if the vhost for distcache did not exist in https, or actually did not point to the same place as the http version.