| Summary: | Invalid SSL certificate on distcache machines | | |
|---|---|---|---|
| Product: | Services | Reporter: | Sam H <xasthurii> |
| Component: | FTP/WWW Sites & Mirrors | Assignee: | FreeBSD Mirror Admin <mirror-admin> |
| Status: | Closed Works As Intended | | |
| Severity: | Affects Only Me | CC: | admins, mat, philip, xasthurii |
| Priority: | --- | | |
| Version: | unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |

The certificate is not valid for distcache.* The more correct fix would probably be to not allow accessing these files via the pkg.* vhost.

I'd reject this as portmgr@, but it's not assigned to portmgr@.

Sorry for not replying to this bug earlier. Thank you for the suggestion but this is not something we want to do. There is no need for TLS on the distcache mirrors. The ports system can check the integrity of files using the distinfo files. A passive observer can infer the file being downloaded from the filesize so privacy is also a moot point.
Created attachment 191059: patch

The SSL certificate on the distcache mirrors is only valid for "pkg.freebsd.org". Users are unable to securely fetch local (or missing) distfiles as a result. Using "pkg.freebsd.org" in the Mk files will not be accepted by portmgr. Please add a valid name for these domains:

- distcache.FreeBSD.org
- distcache.eu.FreeBSD.org
- distcache.us-east.FreeBSD.org
- distcache.us-west.FreeBSD.org

The patch can then be applied in the ports/Mk directory.