So, how is this option named in firefox and how do you set it? ……… exactly. You don't have it as an option as servername != hostname is something you only need for experiments which is the main purpose of s_client. Firefox doesn't need that option as it is using SNI (in reality it uses a library which does, but details). apt doesn't need the option as it is using libcurl-gnutls which is using SNI (see the apt- helper command above as proof). That this isn't working in your case on your system is a bug "somewhere", possibly libcurl-gnutls or the things it uses like libgnutls, but not a reason to request a servername option in apt which given that you want to set it with servername == hostname would be a NOP anyhow…
P.S.: Fire up wireshark and realize that HTTPS itself fails your blank "everything should be encrypted" statement. The irony is that SNI is actually one of those unencrypted but highly informational pieces. The rest is a bit of traffic analyze away as you have perfect knowledge of the entirely static data sent over the encrypted wire, so from the transfer size alone you can already make reasonable guesses about what you do and with a bit more work you can be sure. Better than nothing of course and one of the reasons I subsumed under "you might want" but its still mostly a feeling of security/privacy you get here as apt just isn't your typical dynamically created website with cookies and passwords and stuff resulting in unique data streams where HTTPS makes a lot more sense. IF you and repository owners were really into privacy, you would be using TOR and repositories on onion services (for the record, apt supports it via apt-transport-tor and some repositories are available as onion service). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1551464 Title: apt-get sources should support TLS SNI (server name) Status in apt package in Ubuntu: Invalid Bug description: There needs to be an option in apt source.list entries to specify the server name to be used by TLS for the Server Name Indication (SNI). The openSSL equivalent is '-servername'. Currently, when accessing sources over https when multiple names are used on the same IP address, there is no way to specify which server name should be used and so the default name is always used. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: apt 1.0.1ubuntu2.11 ProcVersionSignature: Ubuntu 4.2.0-30.35~14.04.1-generic 4.2.8-ckt3 Uname: Linux 4.2.0-30-generic x86_64 ApportVersion: 2.14.1-0ubuntu3.19 Architecture: amd64 Date: Mon Feb 29 17:25:22 2016 InstallationDate: Installed on 2016-02-26 (3 days ago) InstallationMedia: Xubuntu 14.04.4 LTS "Trusty Tahr" - Release amd64 (20160217.1) ProcEnviron: TERM=xterm PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: apt UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1551464/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
