On Wed, 2016-08-10 at 21:13 +0100, Howard Chu wrote:
> [email protected] wrote:
> >
> > Full_Name: Demi Obenour
> > Version: N/A
> > OS: N/A
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (2601:840:8100:6720:2ae3:47ff:fe02:d99e)
> >
> >
> > OpenLDAP.org has an expired self-signed TLS certificate,
>
> This is intentional.
>
> > which makes it
> > impossible to securely access the Git repositories over HTTPS.
>
> The repos are only intended to be used via git: and http: anyway.
>
> > This needs to be
> > fixed to avoid man-in-the-middle attacks, which would allow
> > arbitrary code
> > execution on the developer's machine.
>
> When I discussed this with Kurt, we decided to leave things as-is.
> Replacing an expired self-signed cert with a non-expired self-signed
> cert wouldn't change anything, you still need to set an explicit
> exception in your client to trust the cert.

Why are the repos only intended to be used via git: and http:? Is there some reason? This makes them unusable for anyone who cares about security.

In the past http:// and https:// used an old dumb protocol that was slow, but that has long since been fixed in Git. Also, why the self-signed certificate at all? Let's Encrypt is providing free certificates.
