Bug#802539: closed by Julien Cristau (Re: Bug#802539: Please properly configure HTTPS in security.debian.org)

2023-09-02 Thread Mario Xerxes Castelán Castro «Ksenia»
I filed this bug when I was a kid. In the time it took you to do 
anything about this, I became an adult. You suck.




Bug#802539: Please properly configure HTTPS in security.debian.org

2019-03-27 Thread Pedro Ribeiro

Package: security.debian.org
Followup-For: Bug #802539



Bug#802539: Please properly configure HTTPS in security.debian.org

2018-12-23 Thread Brian Minton
Package: security.debian.org
Followup-For: Bug #802539

Dear Maintainer,

I've also seen this error via IPv6:

# curl -Iv https://security.debian.org
*   Trying 2001:4f8:1:c::14...
* TCP_NODELAY set
* Connected to security.debian.org (2001:4f8:1:c::14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This should probably go to debian-...@lists.debian.org too.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-3-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled




Bug#802539: Please properly configure HTTPS in security.debian.org

2015-10-20 Thread Mario Castelán Castro

Package: security.debian.org

I intend to use a secure connection (that means at the transport level) 
for downloading packages and lists from the Debian repository. I 
installed apt-transport-https. There are mirrors that accept HTTPS 
(though there doesn't seem to be a list yet; they are listed along with 
the mirrors that don't). I configured one of them in my source.list.


The problem hereby reported is that the repository for security updates 
(security.debian.org) sometimes provides a bad HTTPS certificate and 
sometimes refuses connections (TCP reset); it seems to depend on the 
rotation of the IP addresses that security.debian.org resolves to. This 
problem makes "apt-get update" fail when using HTTPS to access the 
security upgrades repository; sometimes it hangs, sometimes it gives an 
error message reporting the domain mismatch in the certificate:


-BEGIN PASTED TEXT
Err https://security.debian.org wheezy/updates/main Sources
  SSL: certificate subject name (debian.org) does not match target host 
name 'security.debian.org'

Err https://security.debian.org wheezy/updates/main amd64 Packages
  SSL: certificate subject name (debian.org) does not match target host 
name 'security.debian.org'

Fetched 7637 kB in 33s (231 kB/s)
W: Failed to fetch 
https://security.debian.org/dists/wheezy/updates/main/source/Sources 
SSL: certificate subject name (debian.org) does not match target host 
name 'security.debian.org'


W: Failed to fetch 
https://security.debian.org/dists/wheezy/updates/main/binary-amd64/Packages 
 SSL: certificate subject name (debian.org) does not match target host 
name 'security.debian.org'


E: Some index files failed to download. They have been ignored, or old 
ones used instead.

-END PASTED TEXT

I have asked for help in the debian-u...@lists.debian.org mailing list. 
A user suggested a possible workaround, but as he also noted, it doesn't 
actually work because the TLS configuration of security.debian.org is 
broken beyond the domain mismatch.


Regards.
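
The reports in this thread differ depending on which address security.debian.org resolves to (name mismatch, self-signed chain, TCP reset). The following is an added example, not part of the original thread: it handshakes with each resolved address separately and labels the outcome. The names `classify` and `probe` are illustrative, and the numeric constants are OpenSSL's X509 verify codes.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes for the two certificate failures seen in this thread.
HOSTNAME_MISMATCH = 62      # X509_V_ERR_HOSTNAME_MISMATCH
SELF_SIGNED = (18, 19)      # self-signed leaf / self-signed certificate in chain


def classify(exc):
    """Map a connect or handshake exception (or None) to a short outcome label."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code == HOSTNAME_MISMATCH:
            return "hostname-mismatch"
        if code in SELF_SIGNED:
            return "self-signed"
        return "untrusted"
    if isinstance(exc, ConnectionError):
        return "refused-or-reset"
    if isinstance(exc, socket.timeout):
        return "timeout"
    return "error: " + type(exc).__name__


def probe(host, port=443, timeout=5.0):
    """Handshake with every address `host` resolves to; return {ip: outcome}."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    results = {}
    for *_, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                # SNI and name checking use `host`, not the literal address.
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[ip] = classify(None)
        except OSError as exc:
            results[ip] = classify(exc)
    return results


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "security.debian.org"
    for ip, outcome in sorted(probe(name).items()):
        print(f"{ip:40} {outcome}")
```

Mixed outcomes across addresses of one name point to inconsistent per-mirror TLS configuration rather than a client-side trust store problem.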