Hello,
* Harald Dunkel [Wed, May 26 2021, 10:10:16AM]:
> Package: apt-cacher-ng
> Version: 3.6.3-1
> Severity: wishlist
>
> Sorry to say, but configuring https for apt-cacher-ng is APITA. Would it be
> possible for ACNG to silently try https first, if the client asked for http?
> That would be similar to an explicit http://HTTPS///get.docker.com/ubuntu,
> except that the client doesn't have to know.

Here you can play with it:

https://salsa.debian.org/blade/apt-cacher-ng/-/tree/feature/debian/bts-989118_Optimistic-TLS-probing

But I am not convinced; it has issues:

a) additional network traffic
b) most mirrors have some kind of broken or missing TLS configuration
like snake-oil certs or a generic host cert not matching the mirror hostname and
apparently no SNI active. This can be "mitigated" by partly disabling
the host validation but it makes it insecure.
c) some mirrors actually offer a different folder configuration on the TLS
port, therefore delivering 404 or maybe even wrong contents.

The last problem is hard to detect and to work around in a reliable
fashion. So basically I'd prefer not to include this feature for now.

Best regards,
Eduard.
