httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Fredrik Blenning Klaussen <...@blenning.no>
Subject Re: [Bug 55808] File integrity verification using MD5 and SHA1
Date Tue, 19 Jan 2016 23:12:29 GMT


On 14/01/16 00:50, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen 
> <bfg@blenning.no> wrote:
>> 
>> 
>> On 13/01/16 23:56, bugzilla@apache.org wrote:
>>>> 
>>>> It just so happens that the https addresses do not have a
>>>> valid security certificate which is a second bug.
>>> 
>>> Could you elaborate? No alert when I access 
>>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>> from here.
>> 
>> So I start out at https://httpd.apache.org/download.cgi
>> 
>> The two relevant links from this page are: 
>> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2 
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>> 
>> Obviously both are http addresses, so that's the first error
>> when linked from https.
> 
> My firefox does not warn in this case (this is a different domain)
> but nevermind. Wherever the tarball comes from, it has to be
> checked against the digests from https://httpd.apache.org/dist/ for
> any trust to be possible (this is less/not a requirement for PGP
> though, the trust is more on the signer). Even if you change the
> mirror on the /dowwload.cgi page, the links to the digests remain
> the same.
> 
>> 
>> Replacing http with https for both links works, but for the
>> former: 
>> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>> 
>> there is a certificate error. Firefox: (Error code: 
>> ssl_error_bad_cert_domain)
> 
> That could be addressed by the infra team, but I guess it does not 
> matter too much, it's a backup host (note that the certificate is
> the same as for httpd.apache.org, i.e. *.apache.org).

Did you file any bug about this?
How do I address the infra team?

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message