Summary: distcache.freebsd.org uses an invalid security certificate
Product: Ports & Packages
Component: Package Infrastructure
Severity: Affects Only Me
Reporter: Wolfram Schneider <wosch>
Assignee: Cluster Admin <clusteradm>
CC: michael.osipov, philip, portmgr
Bug Depends on: 221722
Description Wolfram Schneider 2018-02-01 21:43:00 UTC
I tried to download a distfile from https://distcache.freebsd.org/ and I got an SSL error:

distcache.freebsd.org uses an invalid security certificate. The certificate is only valid for pkg.freebsd.org. Error code: SSL_ERROR_BAD_CERT_DOMAIN
Comment 1 Wolfram Schneider 2018-02-03 16:29:58 UTC
The CDN sites have the same SSL problem:
https://distcache.us-east.FreeBSD.org
https://distcache.eu.FreeBSD.org
https://distcache.us-west.FreeBSD.org
Comment 2 Antoine Brodin 2018-02-03 16:42:38 UTC
In bsd.port.mk, the distcache urls use HTTP, not HTTPS. Also, for non maintainers/committers, SSL_NO_VERIFY_PEER=1 and SSL_NO_VERIFY_HOSTNAME=1 are used when fetching distfiles from https sites (distinfo already ensures the integrity of the distfiles). So I don't think this is a problem.
Comment 3 Wolfram Schneider 2018-02-03 21:35:27 UTC
(In reply to Antoine Brodin from comment #2)
> In bsd.port.mk, the distcache urls use HTTP, not HTTPS.

This is another bug, but let's fix the SSL errors first. The issue is about privacy, not integrity. It is our duty to protect our users. E.g. in some countries it is illegal to use, or even install, VPN clients.
Comment 4 Michael Osipov 2020-03-15 21:42:09 UTC
This issue still persists.
Comment 5 Philip Paeps 2020-03-16 07:58:40 UTC
This is not actually an issue. As Antoine pointed out in #2, the distfiles are fetched over HTTP. The ports system doesn't need SSL for integrity. SSL doesn't provide any privacy for distfile downloads: the filesize alone will fingerprint files with reasonable accuracy.
Comment 6 Mathieu Arnold 2020-03-16 08:51:14 UTC
Maybe if the distcache could *not* be used with https, it would end this.
Comment 7 Michael Osipov 2020-03-16 08:56:01 UTC
(In reply to Philip Paeps from comment #5)
That's correct, but many people assume that a non-matching certificate compromises security. I am not one of those ;-)
Comment 8 Philip Paeps 2020-03-16 09:14:23 UTC
We could probably also add distcache.freebsd.org as a SAN, but it would indeed be easier simply not to offer HTTPS. I believe the only reason HTTPS is on is because people apparently expect that HTTP runs over port 443 wrapped in TLS these days.
Comment 9 Mathieu Arnold 2020-03-18 21:05:40 UTC
Well, it would be nice if the vhost for distcache did not exist in https, or actually did not point to the same place as the http version.