On 14/01/16 00:50, Yann Ylavic wrote: > On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen > <b...@blenning.no> wrote: >> >> >> On 13/01/16 23:56, bugzi...@apache.org wrote: >>>> >>>> It just so happens that the https addresses do not have a >>>> valid security certificate which is a second bug. >>> >>> Could you elaborate? No alert when I access >>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1 >>> from here. >> >> So I start out at https://httpd.apache.org/download.cgi >> >> The two relevant links from this page are: >> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2 >> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1 >> >> Obviously both are http addresses, so that's the first error >> when linked from https. > > My firefox does not warn in this case (this is a different domain) > but nevermind. Wherever the tarball comes from, it has to be > checked against the digests from https://httpd.apache.org/dist/ for > any trust to be possible (this is less/not a requirement for PGP > though, the trust is more on the signer). Even if you change the > mirror on the /dowwload.cgi page, the links to the digests remain > the same. > >> >> Replacing http with https for both links works, but for the >> former: >> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2 >> >> there is a certificate error. Firefox: (Error code: >> ssl_error_bad_cert_domain) > > That could be addressed by the infra team, but I guess it does not > matter too much, it's a backup host (note that the certificate is > the same as for httpd.apache.org, i.e. *.apache.org).
Did you file any bug about this? How do I address the infra team? --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
