Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553882 - distfiles.gentoo.org rotation member runs misconfigured HTTPS
Summary: distfiles.gentoo.org rotation member runs misconfigured HTTPS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other web server issues (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
: 705952 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-07-03 23:30 UTC by Sebastian Pipping
Modified: 2021-01-04 02:37 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2015-07-03 23:30:54 UTC
Please install a valid certificate to protect users of software that is

 * relying on content of unsigend latest-* file content or

 * analysing the directory listing
   (e.g. for determining latest/available content by themselves)

from

 * rollback attacks and

 * indefinite freeze attacks

through means of man-in-the-middle attacks.


Firefox is saying:

distfiles.gentoo.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is not valid for any server names. The certificate expired on 17.03.2012 12:20. The current time is 04.07.2015 01:21.


Many thanks!
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2015-07-04 00:38:46 UTC
We do not run distfiles.g.o ourselves; that's done by sponsors.
I wasn't aware any of the IPs even supported HTTPS.

I checked all 5 IPs:
distfiles.gentoo.org.	7200	IN	A	156.56.247.195
distfiles.gentoo.org.	7200	IN	A	216.165.129.135
distfiles.gentoo.org.	7200	IN	A	137.226.34.42
distfiles.gentoo.org.	7200	IN	A	140.211.166.134
distfiles.gentoo.org.	7200	IN	A	64.50.236.52

Only 156.56.247.195, which is run by IU, actually supports HTTPS, and gives that expired certificate.

Given that right now would be a major security problem to give each mirror an SSL certificate that runs a distfiles, i'm going to ask IU to disable HTTPS on their mirror for now.

Later on, we will have to re-evaluate this, but it will probably be converting distfiles.g.o to a redirection service, and serving a much-limited set of results for HTTPS queries.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2018-12-10 07:10:41 UTC
Closing old bugs out.

SSL is available via bouncer redirection at this time:
https://bouncer.gentoo.org/fetch/distfiles/all/
(append the file you want on the end)
Comment 3 Thomas Deutschmann gentoo-dev 2021-01-04 02:37:51 UTC
*** Bug 705952 has been marked as a duplicate of this bug. ***