Summary: | distcache.freebsd.org uses an invalid security certificate | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Wolfram Schneider <wosch> |
Component: | Package Infrastructure | Assignee: | Cluster Admin <clusteradm> |
Status: | Open --- | ||
Severity: | Affects Only Me | CC: | michael.osipov, philip, portmgr |
Priority: | --- | ||
Version: | Latest | ||
Hardware: | Any | ||
OS: | Any | ||
Bug Depends on: | 221722 | ||
Bug Blocks: |
Description
Wolfram Schneider
2018-02-01 21:43:00 UTC
The CDN sites have the same SSL problem:

https://distcache.us-east.FreeBSD.org
https://distcache.eu.FreeBSD.org
https://distcache.us-west.FreeBSD.org

In bsd.port.mk, the distcache URLs use HTTP, not HTTPS. Also, for non-maintainers/committers, SSL_NO_VERIFY_PEER=1 and SSL_NO_VERIFY_HOSTNAME=1 are used when fetching distfiles from https sites (distinfo already ensures the integrity of the distfiles). So I don't think this is a problem.

(In reply to Antoine Brodin from comment #2)
> In bsd.port.mk, the distcache urls use HTTP, not HTTPS.

This is another bug, but let's fix the SSL errors first.

The issue is about privacy, not integrity. It is our duty to protect our users. E.g. in some countries it is illegal to use, or even install VPN clients.

This issue still persists.

This is not actually an issue. As Antoine pointed out in #2, the distfiles are fetched over HTTP. The ports system doesn't need SSL for integrity. SSL doesn't provide any privacy for distfile downloads: the filesize alone will fingerprint files with reasonable accuracy.

Maybe if the distcache could *not* be used with https, it would end this.

(In reply to Philip Paeps from comment #5)
That's correct, but many people assume that a non-matching certificate compromises security. I am not one of those ;-)

We could probably also add distcache.freebsd.org as a SAN but it would indeed be easier simply not to offer https. I believe the only reason https is on is because people apparently expect that http runs over port 443 wrapped in tls these days.

Well, it would be nice if the vhost for distcache did not exist in https, or actually did not point to the same place as the http version.