On 14/01/16 00:50, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen
> <b...@blenning.no> wrote:
>>
>>
>> On 13/01/16 23:56, bugzi...@apache.org wrote:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=55808
>>>
>>> --- Comment #9 from Yann Ylavic <ylavic....@gmail.com> ---
>>>> (In reply to Tom Fredrik Blenning from comment #7) Both the
>>>> SHA-1 checksums and the download are linked to http
>>>> addresses, but the equivalent https addresses are available.
>>>
>>> No digest/signature is "linked" to any address, to the tarball
>>> only.
>>
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>
> Right, I misinterpreted what you mean by "linked".
>
>>
>>>>
>>>> It just so happens that the https addresses do not have a
>>>> valid security certificate which is a second bug.
>>>
>>> Could you elaborate? No alert when I access
>>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>> from here.
>>
>> So I start out at https://httpd.apache.org/download.cgi
>>
>> The two relevant links from this page are:
>> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>
>> Obviously both are http addresses, so that's the first error
>> when linked from https.
>
> My firefox does not warn in this case (this is a different domain)
> but nevermind.

I'm using Firefox 43.0.4

> Wherever the tarball comes from, it has to be checked against the
> digests from https://httpd.apache.org/dist/ for any trust to be
> possible (this is less/not a requirement for PGP though, the trust
> is more on the signer). Even if you change the mirror on the
> /download.cgi page, the links to the digests remain the same.

The link: https://httpd.apache.org/dist/ does not exist anywhere on
https://httpd.apache.org/download.cgi nor does
http://httpd.apache.org/dist/

I've searched the source. The problem is that every single link on this
https page is to a http page. If this is a shared source, for the http
and https versions, which I suspect it is, this could be fixed by making
the href for instance to //httpd.apache.org/dist/

>>
>> Replacing http with https for both links works, but for the
>> former:
>> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>>
>> there is a certificate error. Firefox: (Error code:
>> ssl_error_bad_cert_domain)
>
> That could be addressed by the infra team, but I guess it does not
> matter too much, it's a backup host (note that the certificate is
> the same as for httpd.apache.org, i.e. *.apache.org).

I think that's the problem, as I understand it, the certificate would
have to be *.*.apache.org, in order to cover www.eu.apache.org, but I'm
no expert in the finer details of certificate management.

Please see the link
https://www.sslshopper.com/ssl-checker.html#hostname=www.eu.apache.org
to verify the problem.
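The ssl_error_bad_cert_domain discussed above comes down to how a browser matches a wildcard certificate name against the hostname it connected to. The following is an added example, not code from the thread or from the Apache project: a small matcher that follows the single-label wildcard rule of RFC 6125 section 6.4.3 (the rule Firefox and other browsers apply), so that `*.apache.org` covers `httpd.apache.org` but not the two-label `www.eu.apache.org`, and a pattern such as `*.*.apache.org` is rejected outright. The SAN list is a constructed assumption for illustration, not the real certificate's contents.

```python
"""Added example (not from the mailing-list thread): how a certificate name
such as *.apache.org is matched against a hostname under the single-label
wildcard rule of RFC 6125 section 6.4.3."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (RFC 6125 6.4.3, as enforced by modern browsers):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard may appear only as the whole left-most label;
      * the wildcard stands for exactly one DNS label, so "*.apache.org"
        covers "httpd.apache.org" but neither "www.eu.apache.org" nor the
        bare "apache.org";
      * a wildcard pattern with fewer than three labels ("*.org") is
        rejected so a wildcard can never cover a public suffix.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        # Plain name: exact (case-insensitive) match only.
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The wildcard must be the entire left-most label, there must be no
    # further wildcards (this rejects "*.*.apache.org"), and the pattern
    # must keep at least two literal labels to the right of it.
    if p_labels[0] != "*":
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False

    # One wildcard label replaces exactly one hostname label, so the label
    # counts must agree; the remaining labels must match literally.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(san_names, hostname: str) -> bool:
    """True if any subjectAltName entry in `san_names` matches `hostname`."""
    return any(wildcard_matches(name, hostname) for name in san_names)


# Constructed SAN list standing in for a "*.apache.org" style certificate;
# it is an assumption for the example, not the real certificate's contents.
SAN_NAMES = ["*.apache.org", "apache.org"]


if __name__ == "__main__":
    for host in ["httpd.apache.org", "www.apache.org", "apache.org",
                 "www.eu.apache.org"]:
        print(f"{host:20s} covered={certificate_covers(SAN_NAMES, host)}")
```

Running the block prints `covered=True` for the three single-label hosts and `covered=False` for `www.eu.apache.org`, which is exactly the mismatch the browser reports. Note that the matcher also refuses `*.*.apache.org`: a wildcard certificate cannot be written to span two labels, so a host like `www.eu.apache.org` needs its own name (or a `*.eu.apache.org` entry) in the certificate's subjectAltName list.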