httpd-docs mailing list archives

From Tom Fredrik Blenning Klaussen <>
Subject Re: [Bug 55808] File integrity verification using MD5 and SHA1
Date Thu, 14 Jan 2016 00:05:11 GMT

On 14/01/16 00:50, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen 
> <> wrote:
>> On 13/01/16 23:56, wrote:
>>> --- Comment #9 from Yann Ylavic <> ---
>>>> (In reply to Tom Fredrik Blenning from comment #7) Both the
>>>> SHA-1 checksums and the download are linked to http 
>>>> addresses, but the equivalent https addresses are available.
>>> No digest/signature is "linked" to any address, to the tarball 
>>> only.
> Right, I misinterpreted what you mean by "linked".
>>>> It just so happens that the https addresses do not have a
>>>> valid security certificate which is a second bug.
>>> Could you elaborate? No alert when I access 
>>> from here.
>> So I start out at
>> The two relevant links from this page are: 
>> Obviously both are http addresses, so that's the first error
>> when linked from https.
> My Firefox does not warn in this case (this is a different domain)
> but never mind.

I'm using Firefox 43.0.4

> Wherever the tarball comes from, it has to be checked against the 
> digests from for any trust to be 
> possible (this is less/not a requirement for PGP though, the trust
> is more on the signer). Even if you change the mirror on the
> /dowwload.cgi page, the links to the digests remain the same.

The link:

does not exist anywhere on

nor does
I've searched the source.
The problem is that every single link on this https page is to an http
page. If this is a shared source for the http and https versions,
which I suspect it is, this could be fixed by making the href for
instance to

>> Replacing http with https for both links works, but for the
>> former: 
>> there is a certificate error. Firefox: (Error code: 
>> ssl_error_bad_cert_domain)
> That could be addressed by the infra team, but I guess it does not 
> matter too much, it's a backup host (note that the certificate is
> the same as for, i.e. *

I think that's the problem, as I understand it, the certificate would
have to be *.*, in order to cover, but
I'm no expert in the finer details of certificate management.

Please see the link
to verify the problem.
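
The following is an added example, not part of the original message or of any Apache project code. It shows the hostname check behind Firefox's ssl_error_bad_cert_domain: under RFC 6125 rules a wildcard in a certificate name stands for exactly one left-most label. The host names and SAN lists are constructed placeholders, because the thread's real host names are not preserved on this page.

```python
# Wildcard matching as browsers apply it to certificate dNSName entries.
# All names below are constructed for illustration.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one dNSName pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False              # a wildcard never spans several labels
    if "*" in "".join(p[1:]):
        return False              # wildcard is honoured only in the left-most label
    if p[0] == "*":
        # Policy assumption: refuse wildcards directly under a TLD ("*.org").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial-label wildcards ("w*") are not accepted
    return p == h

def cert_covers(sans, hostname):
    """Return True if any SAN entry of the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)

def audit(sans, hostnames):
    """Map each host name to whether the certificate is valid for it."""
    return {host: cert_covers(sans, host) for host in hostnames}

# Constructed certificate: a typical single-level wildcard plus the apex.
SANS = ["*.example.org", "example.org"]
# Constructed hosts: the main site, the apex, and a backup host two levels down.
HOSTS = ["www.example.org", "example.org", "archive.eu.example.org"]

if __name__ == "__main__":
    for host, ok in audit(SANS, HOSTS).items():
        print(f"{host:28} {'ok' if ok else 'bad_cert_domain'}")
    # The deeper host needs its own entry, either the exact name or a
    # wildcard at that level:
    print(cert_covers(SANS + ["*.eu.example.org"], "archive.eu.example.org"))
```

Running the audit over every host name that a download page links to catches this class of mismatch before the links are switched from http to https.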
