httpd-docs mailing list archives

From Tom Fredrik Blenning Klaussen <...@blenning.no>
Subject Re: [Bug 55808] File integrity verification using MD5 and SHA1
Date Thu, 14 Jan 2016 00:05:11 GMT


On 14/01/16 00:50, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen 
> <bfg@blenning.no> wrote:
>> 
>> 
>> On 13/01/16 23:56, bugzilla@apache.org wrote:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=55808
>>> 
>>> --- Comment #9 from Yann Ylavic <ylavic.dev@gmail.com> ---
>>>> (In reply to Tom Fredrik Blenning from comment #7) Both the
>>>> SHA-1 checksums and the download are linked to http 
>>>> addresses, but the equivalent https addresses are available.
>>> 
>>> No digest/signature is "linked" to any address, to the tarball 
>>> only.
>> 
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
> 
> Right, I misinterpreted what you mean by "linked".
> 
>> 
>>>> 
>>>> It just so happens that the https addresses do not have a
>>>> valid security certificate which is a second bug.
>>> 
>>> Could you elaborate? No alert when I access 
>>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>> from here.
>> 
>> So I start out at https://httpd.apache.org/download.cgi
>> 
>> The two relevant links from this page are: 
>> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2 
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>> 
>> Obviously both are http addresses, so that's the first error
>> when linked from https.
> 
> My firefox does not warn in this case (this is a different domain)
> but nevermind.

I'm using Firefox 43.0.4

> Wherever the tarball comes from, it has to be checked against the 
> digests from https://httpd.apache.org/dist/ for any trust to be 
> possible (this is less/not a requirement for PGP though, the trust
> is more on the signer). Even if you change the mirror on the
> /download.cgi page, the links to the digests remain the same.

The link:
https://httpd.apache.org/dist/

does not exist anywhere on https://httpd.apache.org/download.cgi

nor does http://httpd.apache.org/dist/
I've searched the source.
The problem is that every single link on this https page is to an http
page. If this is a shared source for the http and https versions,
which I suspect it is, this could be fixed by making the href, for
instance,
//httpd.apache.org/dist/


>> 
>> Replacing http with https for both links works, but for the
>> former: 
>> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>> 
>> there is a certificate error. Firefox: (Error code: 
>> ssl_error_bad_cert_domain)
> 
> That could be addressed by the infra team, but I guess it does not 
> matter too much, it's a backup host (note that the certificate is
> the same as for httpd.apache.org, i.e. *.apache.org).

I think that's the problem, as I understand it, the certificate would
have to be *.*.apache.org, in order to cover www.eu.apache.org, but
I'm no expert in the finer details of certificate management.

Please see the link
https://www.sslshopper.com/ssl-checker.html#hostname=www.eu.apache.org
to verify the problem.


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
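Two of the checks discussed in this thread, as an added example that is not part of the original message or of the httpd project's own code: wildcard-certificate name matching (a `*` covers exactly one DNS label, which is why a certificate for `*.apache.org` does not match `www.eu.apache.org`) and verification of a downloaded tarball against a published `.sha1` file. The tarball bytes and digest lines below are constructed, and the two `.sha1` line layouts accepted (`HEX  name` and `name: HEX HEX ...`) are assumptions.

```python
import hashlib
import hmac
import re


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' is honoured only as the whole leftmost
    label and matches exactly one label, never a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if p_labels[0] == "*":
        # need at least two fixed labels to the right ('*.org' is refused),
        # and only one wildcard ('*.*.apache.org' is not a valid pattern)
        if len(p_labels) < 3 or "*" in p_labels[1:]:
            return False
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return "*" not in pattern and p_labels == h_labels


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS name in the certificate's SAN list matches hostname."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_sha1(data: bytes, sha1_file_text: str, filename: str) -> bool:
    """Compare data's SHA-1 with the digest recorded for filename in the
    .sha1 file. Refuses (returns False) when no usable digest line exists."""
    for line in sha1_file_text.splitlines():
        if filename not in line:
            continue
        # drop the file name first: it contains hex-looking characters itself
        digest_part = line.replace(filename, "", 1)
        published = "".join(re.findall(r"[0-9a-fA-F]+", digest_part)).lower()
        if len(published) != 40:
            continue  # not a SHA-1 digest line (or a mangled one)
        return hmac.compare_digest(published, sha1_hex(data))
    return False


if __name__ == "__main__":
    san = ["*.apache.org", "apache.org"]  # the names the thread attributes to the cert
    for host in ("httpd.apache.org", "www.apache.org", "www.eu.apache.org"):
        print(f"{host:20s} covered: {cert_covers(san, host)}")
    blob = b"constructed bytes standing in for httpd-2.4.18.tar.bz2"
    print(verify_sha1(blob, f"{sha1_hex(blob)}  httpd-2.4.18.tar.bz2\n", "httpd-2.4.18.tar.bz2"))
```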

