Subject: Re: [Bug 55808] File integrity verification using MD5 and SHA1
From: Tom Fredrik Blenning Klaussen
To: docs@httpd.apache.org
Date: Wed, 20 Jan 2016 00:12:29 +0100

On 14/01/16 00:50, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen
> wrote:
>>
>>
>> On 13/01/16 23:56, bugzilla@apache.org wrote:
>>>>
>>>> It just so happens that the https addresses do not have a
>>>> valid security certificate which is a second bug.
>>>
>>> Could you elaborate? No alert when I access
>>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>> from here.
>>
>> So I start out at https://httpd.apache.org/download.cgi
>>
>> The two relevant links from this page are:
>> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>>
>> Obviously both are http addresses, so that's the first error
>> when linked from https.
>
> My Firefox does not warn in this case (this is a different domain)
> but never mind. Wherever the tarball comes from, it has to be
> checked against the digests from https://httpd.apache.org/dist/ for
> any trust to be possible (this is less/not a requirement for PGP
> though, the trust is more on the signer). Even if you change the
> mirror on the /download.cgi page, the links to the digests remain
> the same.
>
>>
>> Replacing http with https for both links works, but for the
>> former:
>> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>>
>> there is a certificate error. Firefox: (Error code:
>> ssl_error_bad_cert_domain)
>
> That could be addressed by the infra team, but I guess it does not
> matter too much, it's a backup host (note that the certificate is
> the same as for httpd.apache.org, i.e. *.apache.org).

Did you file any bug about this? How do I address the infra team?
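
Added example, not part of the original message: a certificate wildcard stands for exactly one left-most label (RFC 6125, section 6.4.3), so the `*.apache.org` name mentioned in the thread covers `httpd.apache.org` but not `www.eu.apache.org`, which is a name mismatch of the kind `ssl_error_bad_cert_domain` reports. The function names are hypothetical, and the certificate name list is taken from the thread rather than read from a live certificate.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname.

    '*' is honoured only as the complete left-most label and stands for
    exactly one label (the conservative reading of RFC 6125, 6.4.3).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False      # a wildcard never spans more or fewer labels
    if any("*" in label for label in p[1:]):
        return False      # wildcard outside the left-most label is invalid
    if p[1:] != h[1:]:
        return False      # everything right of the first label must be equal
    if p[0] == "*":
        return len(p) >= 3  # refuse over-broad patterns such as '*.org'
    return "*" not in p[0] and p[0] == h[0]  # no partial wildcards ('w*')


# Name the thread says the certificate carries, and the hosts it mentions.
CERT_NAMES = ["*.apache.org"]
HOSTS = ["httpd.apache.org", "www.apache.org", "www.eu.apache.org"]


def check_hosts(hosts, cert_names):
    """Return {host: True/False} for whether any certificate name covers it."""
    return {host: any(hostname_matches(name, host) for name in cert_names)
            for host in hosts}


if __name__ == "__main__":
    for host, ok in check_hosts(HOSTS, CERT_NAMES).items():
        print(f"{host:20} {'match' if ok else 'MISMATCH'}")
```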
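
Added example, not part of the original message: the check described in the quoted reply, where the tarball may come from any mirror but is accepted only if its SHA-1 matches a digest obtained over HTTPS from the project origin. The function names, the accepted `.sha1` file layouts and the sample bytes are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# Hosts the thread names as the HTTPS origin of the digests.
TRUSTED_DIGEST_HOSTS = {"httpd.apache.org", "www.apache.org"}

def digest_url_trusted(url: str) -> bool:
    """The digest must come over HTTPS from the project origin, not a mirror."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_DIGEST_HOSTS

def parse_sha1(text: str, filename: str):
    """Return the hex digest listed for filename, or None.
    Assumed layouts: 'HEX  name' / 'HEX *name' (sha1sum) and 'SHA1(name)= HEX'."""
    for line in text.splitlines():
        m = (re.fullmatch(r"\s*(?P<hex>[0-9a-fA-F]{40})\s+\*?(?P<name>\S+)\s*", line)
             or re.fullmatch(r"\s*SHA1\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{40})\s*", line))
        if m and os.path.basename(m.group("name")) == filename:
            return m.group("hex").lower()
    return None

def file_sha1(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, digest_url: str, digest_text: str) -> bool:
    """True only if the digest source is trusted and lists this file's SHA-1."""
    expected = parse_sha1(digest_text, os.path.basename(path))
    return digest_url_trusted(digest_url) and expected is not None and expected == file_sha1(path)

def demo() -> dict:
    """Constructed data: a stand-in file and digest listings written for it."""
    url = "https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "httpd-2.4.18.tar.bz2")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes, not a real release")
        good = f"{file_sha1(path)} *httpd-2.4.18.tar.bz2\n"
        bad = "0" * 40 + " *httpd-2.4.18.tar.bz2\n"
        return {"https": verify_download(path, url, good),
                "http": verify_download(path, url.replace("https:", "http:"), good),
                "tampered": verify_download(path, url, bad)}
```

A matching digest fetched over plain HTTP is rejected as well, since anyone able to alter the tarball in transit could alter that digest too.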