Bug 225614 - distcache.freebsd.org uses an invalid security certificate
Summary: distcache.freebsd.org uses an invalid security certificate
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Package Infrastructure
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: clusteradm
URL:
Keywords:
Depends on: 221722
Blocks:
Reported: 2018-02-01 21:43 UTC by Wolfram Schneider
Modified: 2020-03-18 21:05 UTC
Description Wolfram Schneider freebsd_committer 2018-02-01 21:43:00 UTC
I tried to download a distfile from https://distcache.freebsd.org/

I got an SSL error

distcache.freebsd.org uses an invalid security certificate. The certificate is only valid for pkg.freebsd.org Error code: SSL_ERROR_BAD_CERT_DOMAIN
Comment 1 Wolfram Schneider freebsd_committer 2018-02-03 16:29:58 UTC
The CDN sites have the same SSL problem:

https://distcache.us-east.FreeBSD.org
https://distcache.eu.FreeBSD.org
https://distcache.us-west.FreeBSD.org
Comment 2 Antoine Brodin freebsd_committer 2018-02-03 16:42:38 UTC
In bsd.port.mk, the distcache urls use HTTP, not HTTPS.

Also, for non-maintainers/committers, SSL_NO_VERIFY_PEER=1 and SSL_NO_VERIFY_HOSTNAME=1 are used when fetching distfiles from https sites (distinfo already ensures the integrity of the distfiles).

So I don't think this is a problem.
Comment 3 Wolfram Schneider freebsd_committer 2018-02-03 21:35:27 UTC
(In reply to Antoine Brodin from comment #2)
> In bsd.port.mk, the distcache urls use HTTP, not HTTPS.
This is another bug, but let's fix the SSL errors first.

The issue is about privacy, not integrity. It is our duty to protect our users. E.g. in some countries it is illegal to use, or even install, VPN clients.
Comment 4 Michael Osipov 2020-03-15 21:42:09 UTC
This issue still persists.
Comment 5 Philip Paeps freebsd_committer 2020-03-16 07:58:40 UTC
This is not actually an issue.  As Antoine pointed out in #2, the distfiles are fetched over HTTP.

The ports system doesn't need SSL for integrity.  SSL doesn't provide any privacy for distfile downloads: the filesize alone will fingerprint files with reasonable accuracy.
Comment 6 Mathieu Arnold freebsd_committer 2020-03-16 08:51:14 UTC
Maybe if the distcache could *not* be used with https, it would end this.
Comment 7 Michael Osipov 2020-03-16 08:56:01 UTC
(In reply to Philip Paeps from comment #5)

That's correct, but many people assume that a non-matching certificate compromises security. I am not one of those ;-)
Comment 8 Philip Paeps freebsd_committer 2020-03-16 09:14:23 UTC
We could probably also add distcache.freebsd.org as a SAN but it would indeed be easier simply not to offer https.

I believe the only reason https is on is because people apparently expect that http runs over port 443 wrapped in TLS these days.
Comment 9 Mathieu Arnold freebsd_committer 2020-03-18 21:05:40 UTC
Well, it would be nice if the vhost for distcache did not exist in https, or actually did not point to the same place as the http version.
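
Added example, not part of the bug thread and not the ports tree's own code: a Python sketch of the transport-independent integrity check that comments 2 and 5 rely on, comparing a fetched distfile against the SHA256 and SIZE recorded in distinfo. The file name, contents and distinfo text are constructed samples, and the line layout `SHA256 (file) = hex` / `SIZE (file) = bytes` is assumed. It covers integrity only, not the privacy question raised in comment 3.

```python
import hashlib
import re

# Assumed distinfo layout: "SHA256 (name) = hex" and "SIZE (name) = bytes".
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # TIMESTAMP and blank lines carry no integrity data
        key, name, value = m.groups()
        entries.setdefault(name, {})[key] = (
            int(value) if key == "SIZE" else value.lower()
        )
    return entries


def verify_distfile(name, data, distinfo):
    """Check fetched bytes against distinfo; return (ok, reason)."""
    entry = distinfo.get(name)
    if entry is None or "SHA256" not in entry or "SIZE" not in entry:
        return False, "no complete distinfo entry"  # fail closed
    if len(data) != entry["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"]:
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample: a fake distfile and the distinfo that describes it.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DATA = b"constructed distfile contents\n"
SAMPLE_DISTINFO = (
    "TIMESTAMP = 1517521380\n"
    f"SHA256 ({SAMPLE_NAME}) = {hashlib.sha256(SAMPLE_DATA).hexdigest()}\n"
    f"SIZE ({SAMPLE_NAME}) = {len(SAMPLE_DATA)}\n"
)

if __name__ == "__main__":
    info = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_distfile(SAMPLE_NAME, SAMPLE_DATA, info))
    # Same length, one byte changed in transit: the hash check catches it.
    tampered = SAMPLE_DATA.replace(b"contents", b"c0ntents")
    print(verify_distfile(SAMPLE_NAME, tampered, info))
```

The check is only as trustworthy as the distinfo file itself, which reaches the user through the ports tree rather than through the distcache download.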