Package: security.debian.org
I intend to use a secure connection (that means at the transport level)
for downloading packages and lists from the Debian repository. I
installed apt-transport-https. There are mirrors that accept HTTPS
(though there doesn't seem to be a list yet, they are listed along with
the mirrors that don't). I configured one of them in my sources.list.
The problem hereby reported is that the repository for security updates
(security.debian.org) sometimes provides a bad HTTPS certificate and
sometimes refuses connections (TCP reset); it seems to depend on the
rotation of the IP addresses that security.debian.org resolves to. This
problem makes "apt-get update" fail when using HTTPS to access the
security upgrades repository; sometimes it hangs, sometimes it gives an
error message reporting the domain mismatch in the certificate:
-----BEGIN PASTED TEXT----
Err https://security.debian.org wheezy/updates/main Sources
SSL: certificate subject name (debian.org) does not match target host
name 'security.debian.org'
Err https://security.debian.org wheezy/updates/main amd64 Packages
SSL: certificate subject name (debian.org) does not match target host
name 'security.debian.org'
Fetched 7637 kB in 33s (231 kB/s)
W: Failed to fetch
https://security.debian.org/dists/wheezy/updates/main/source/Sources
SSL: certificate subject name (debian.org) does not match target host
name 'security.debian.org'
W: Failed to fetch
https://security.debian.org/dists/wheezy/updates/main/binary-amd64/Packages
SSL: certificate subject name (debian.org) does not match target host
name 'security.debian.org'
E: Some index files failed to download. They have been ignored, or old
ones used instead.
-----END PASTED TEXT----
I have asked for help on the debian-user mailing list
<https://lists.debian.org/debian-user/2015/10/msg01010.html>. A user
suggested a possible workaround, but as he also noted, it doesn't actually
work because the TLS configuration of security.debian.org is broken
beyond the domain mismatch
<https://lists.debian.org/debian-user/2015/10/msg01027.html>,
<https://lists.debian.org/debian-user/2015/10/msg01029.html>.
Regards.
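
A per-address check for the behaviour reported above, as an added example that is not part of the original report: it resolves the host, handshakes with each address separately, and reports which addresses present a certificate that does not cover the requested name. The function names and the two sample certificate dictionaries are constructed for illustration.

```python
import socket
import ssl

# Constructed samples shaped like ssl.getpeercert() output (not captured data).
SAMPLE_BAD = {"subject": ((("commonName", "debian.org"),),)}
SAMPLE_GOOD = {"subjectAltName": (("DNS", "security.debian.org"),)}

def cert_names(cert):
    """DNS names the certificate covers: SANs, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard standing for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, host):
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return "ok"
    return "mismatch: " + ",".join(names)

def probe(ip, host, port=443, timeout=5):
    """Handshake with one address, sending host as SNI, and classify the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), host)
    except ssl.SSLError as exc:   # must precede OSError, its base class
        return "tls error: %s" % exc
    except OSError as exc:        # reset, refused, timeout
        return "connect failed: %s" % exc

def survey(host, port=443):
    """Probe every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {ip: probe(ip, host, port) for ip in sorted({i[4][0] for i in infos})}

if __name__ == "__main__":
    for ip, status in survey("security.debian.org").items():
        print(ip, status)
```

Run from the affected machine, the output gives one status per resolved address, which separates addresses that reset the connection from those that answer with a certificate for a different name.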