Bug 553882

Summary: distfiles.gentoo.org rotation member runs misconfigured HTTPS
Product: Gentoo Infrastructure
Component: Other web server issues
Reporter: Sebastian Pipping <sping>
Assignee: Gentoo Infrastructure <infra-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
CC: gentoobugs, whissi, xdch47
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Sebastian Pipping gentoo-dev 2015-07-03 23:30:54 UTC
Please install a valid certificate to protect users of software that is

 * relying on the content of unsigned latest-* files or

 * analysing the directory listing
   (e.g. for determining latest/available content by themselves)

from

 * rollback attacks and

 * indefinite freeze attacks

through means of man-in-the-middle attacks.


Firefox is saying:

distfiles.gentoo.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is not valid for any server names. The certificate expired on 17.03.2012 12:20. The current time is 04.07.2015 01:21.


Many thanks!
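As an added illustration of the rollback and freeze attacks named in the report above (example code written for this page, not code from the Gentoo project or from the reporter): a client that fetches an unsigned latest-* pointer over an unauthenticated channel can at least refuse to go backwards and refuse to accept a pointer that has not moved for too long. The file layout (a "# Latest as of <RFC 2822 date>" comment line followed by the artifact path), the sample contents and the 14-day maximum age are assumptions made for the example, not the real file format or any Gentoo policy. This does not replace a valid certificate or a signature on the file; it only bounds how long a man-in-the-middle can hold a client back.

```python
"""Rollback and freeze detection for an unsigned latest-* pointer file.

Added example; the file format, sample data and max-age policy below are
assumptions for illustration, not Gentoo's actual format or policy.
"""
import email.utils
from datetime import datetime, timedelta, timezone

# Constructed sample files (assumed layout: one "# Latest as of" comment line
# with an RFC 2822 date, then the relative path of the newest artifact).
LATEST_FRESH = (
    "# Latest as of Sat, 04 Jul 2015 01:21:00 +0000\n"
    "20150702/stage3-amd64-20150702.tar.bz2\n"
)
LATEST_OLD = (
    "# Latest as of Mon, 01 Jun 2015 00:00:00 +0000\n"
    "20150528/stage3-amd64-20150528.tar.bz2\n"
)

# Assumed freshness policy: a pointer older than this is treated as frozen,
# whether by an attacker replaying an old file or by a mirror that stopped syncing.
MAX_AGE = timedelta(days=14)

PREFIX = "# Latest as of "


def utc(year, month, day, hour=0, minute=0):
    """Helper: build a timezone-aware UTC datetime for tests and demos."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_latest(text):
    """Return (timestamp, path) from a latest-* file; raise ValueError if malformed."""
    stamp = None
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(PREFIX):
            stamp = email.utils.parsedate_to_datetime(line[len(PREFIX):])
        elif not line.startswith("#"):
            # First non-comment field is the artifact path; trailing columns ignored.
            path = line.split()[0]
    if stamp is None or path is None:
        raise ValueError("latest-* file lacks a timestamp or an artifact path")
    if stamp.tzinfo is None:
        # "-0000" yields a naive datetime; refuse rather than guess the offset.
        raise ValueError("timestamp must carry an explicit UTC offset")
    return stamp, path


def check_latest(text, last_seen, now, max_age=MAX_AGE):
    """Classify a fetched latest-* file against what this client accepted before.

    last_seen: timestamp of the last accepted file (None on first run).
    Returns "rollback" if the file is older than one already accepted,
    "stale" if it is older than max_age (freeze attack or dead mirror),
    otherwise "ok". A caller should persist the new timestamp only on "ok".
    """
    stamp, _path = parse_latest(text)
    if last_seen is not None and stamp < last_seen:
        return "rollback"
    if now - stamp > max_age:
        return "stale"
    return "ok"


if __name__ == "__main__":
    # Client previously accepted a pointer dated 2015-07-02; it is now 2015-07-04 02:00 UTC.
    last_seen = utc(2015, 7, 2)
    now = utc(2015, 7, 4, 2)
    print("fresh file:", check_latest(LATEST_FRESH, last_seen, now))
    print("replayed June file:", check_latest(LATEST_OLD, last_seen, now))
    # The same "fresh" file served unchanged two months later is a freeze.
    print("fresh file, two months on:", check_latest(LATEST_FRESH, last_seen, utc(2015, 9, 1)))
```

In a real client the `last_seen` value has to be stored across runs, otherwise a rollback is never detected; the `max_age` check still fires on a first run, so a mirror or attacker that only ever serves an old file is caught once the window elapses.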
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2015-07-04 00:38:46 UTC
We do not run distfiles.g.o ourselves; that's done by sponsors.
I wasn't aware any of the IPs even supported HTTPS.

I checked all 5 IPs:
distfiles.gentoo.org.	7200	IN	A	156.56.247.195
distfiles.gentoo.org.	7200	IN	A	216.165.129.135
distfiles.gentoo.org.	7200	IN	A	137.226.34.42
distfiles.gentoo.org.	7200	IN	A	140.211.166.134
distfiles.gentoo.org.	7200	IN	A	64.50.236.52

Only 156.56.247.195, which is run by IU, actually supports HTTPS, and gives that expired certificate.

Given that right now it would be a major security problem to give each mirror that runs a distfiles an SSL certificate, I'm going to ask IU to disable HTTPS on their mirror for now.

Later on, we will have to re-evaluate this, but it will probably be converting distfiles.g.o to a redirection service, and serving a much-limited set of results for HTTPS queries.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2018-12-10 07:10:41 UTC
Closing old bugs out.

SSL is available via bouncer redirection at this time:
https://bouncer.gentoo.org/fetch/distfiles/all/
(append the file you want on the end)
Comment 3 Thomas Deutschmann gentoo-dev 2021-01-04 02:37:51 UTC
*** Bug 705952 has been marked as a duplicate of this bug. ***