Hello,

> Of the HTTP-only mirrors, I went to test if any of them had working HTTPS
> that wasn't documented in distfiles.xml, and if not, what responses
> there were

I am a maintainer of the Gentoo mirror at ftp.snt.utwente.nl
<ftp://ftp.snt.utwente.nl>. In the distfiles.xml [1] we are listed as HTTP
only, but I am happy to tell you that HTTPS works as well and we are fully
supporting it. Is this reply enough to get this fixed in the distfiles.xml,
or do I have to mention/fix it somewhere else?

Greetings,

Erwin Bronkhorst
SNT FTPCom

[1] https://api.gentoo.org/mirrors/distfiles.xml

From: Robin H. Johnson <robb...@gentoo.org>
Sent: Saturday, 13 April 2019 08:28
To: gentoo-mirrors@lists.gentoo.org
Subject: [gentoo-mirrors] HTTPS deployments for mirrors: Potential Chrome changes; stats on the existing mirrors

Hi! 

Upstream Chrome is discussing a potential change that we try to block 
users following a HTTPS->HTTP for high-risk files, including tarballs. 
https://lists.w3.org/Archives/Public/public-webappsec/2019Apr/0004.html 

Further below is some quick analysis I did on the state of HTTP for the
mirrors that are presently listed only as HTTP.

In the era of LetsEncrypt, how many mirror administrators have a little time
to add HTTPS to their mirrors, along with a cronjob to auto-refresh the
certificates?

The state of HTTP/HTTPS on Gentoo mirrors: 
  59 mirrors total 
  ===== 
   1 HTTPS-only 
  27 HTTP+HTTPS 
  31 HTTP-only 

Of the HTTP-only mirrors, only 1 is on a non-standard port. 

Of the HTTP-only mirrors, I went to test if any of them had working HTTPS
that wasn't documented in distfiles.xml, and if not, what responses
there were (I think I got an off-by-one trying to summarize the errors).

  2 200 OK
 24 No connection: Connection refused, Connection timed out, No route to host
  3 Horrible SSL certs
  2 SSL_ERROR_BAD_CERT_DOMAIN/The name in the certificate does not match the
    expected, but everything else was otherwise good.
  1 HTTP on port 443 (SSL_ERROR_RX_RECORD_TOO_LONG)
 ====
 32 errors

Horrible SSL certs, error breakdown; some mirrors had MORE than one error in
their cert:
3 - SEC_ERROR_UNKNOWN_ISSUER/The certificate issuer is unknown [1]
2 - The certificate chain uses insecure algorithm (RSA-SHA1)
3 - SEC_ERROR_EXPIRED_CERTIFICATE/The certificate chain uses expired certificate [2]
3 - SSL_ERROR_BAD_CERT_DOMAIN/The name in the certificate does not match the expected.
1 - SEC_ERROR_UNRECOGNIZED_OID [3]

[1] SEC_ERROR_UNKNOWN_ISSUER: 
- self-signed 
- defunct CA 
- missing intermediate 

[2] SEC_ERROR_EXPIRED_CERTIFICATE: 
Past-expiry ranges 1 month to 4 years ago! 

[3] SEC_ERROR_UNRECOGNIZED_OID: 
OpenSSL & GnuTLS handled this cert, but NSS failed on it. 

-- 
Robin Hugh Johnson 
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer 
E-Mail   : robb...@gentoo.org <mailto:robb...@gentoo.org>  
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 
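A way to reproduce the kind of HTTPS survey described in the quoted mail, written as an added example and not the script Robin used: it attempts a verified TLS handshake against a mirror and sorts the outcome into the buckets from his table (no connection, bad cert, bad cert domain, plain HTTP on port 443). The bucket names, the HEAD request and the reliance on OpenSSL's error strings as surfaced by Python's ssl module are assumptions of this example; a mirror admin can run it against their own host before and after enabling HTTPS.

```python
import socket
import ssl
from collections import Counter

# OpenSSL verify code for a hostname mismatch (NSS: SSL_ERROR_BAD_CERT_DOMAIN).
# Expired, unknown-issuer, self-signed and weak-signature chains all carry
# other codes and land in the generic bad_cert bucket.
X509_V_ERR_HOSTNAME_MISMATCH = 62


def classify_exception(exc):
    """Map the exception from a failed TLS connect onto a survey bucket."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        msg = str(getattr(exc, "verify_message", None) or exc).lower()
        if code == X509_V_ERR_HOSTNAME_MISMATCH or "hostname mismatch" in msg:
            return "bad_cert_domain"
        return "bad_cert"
    if isinstance(exc, ssl.SSLError):
        # A plain-HTTP listener on 443 answers the ClientHello with text; OpenSSL
        # reports that as a wrong version number (NSS: SSL_ERROR_RX_RECORD_TOO_LONG).
        text = str(exc).lower()
        if "wrong version number" in text or "record layer" in text:
            return "http_on_443"
        return "bad_cert"
    if isinstance(exc, OSError):  # refused, timed out, no route, DNS failure
        return "no_connection"
    raise exc


def probe_https(host, port=443, timeout=10):
    """Verified TLS handshake plus a HEAD request against one mirror.
    Returns 'ok' for a 2xx/3xx answer, 'http_<status>' otherwise, or a bucket."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                status = tls.recv(32).split(b" ")
    except Exception as exc:
        return classify_exception(exc)
    code = status[1].decode(errors="replace") if len(status) > 1 else "?"
    return "ok" if code[:1] in ("2", "3") else f"http_{code}"


def summarize(results):
    """Count hosts per bucket, like the table in the original mail."""
    return dict(Counter(results.values()))
```

Feed `summarize` a dict of `{host: probe_https(host)}` built from the HTTP-only entries in distfiles.xml to get the same style of tally as the one above.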