
Bug#880121: marked as done (popularity-contest: popcon-upload should be made to POST over https)



Your message dated Sun, 19 May 2019 22:57:26 +0200
with message-id <20190519205726.yyslbw2jxl5fkmqr@yellowpig>
and subject line Re: Bug#880121: popularity-contest: popcon-upload should be made to POST over https
has caused the Debian Bug report #880121,
regarding popularity-contest: popcon-upload should be made to POST over https
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
880121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880121
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: popularity-contest
Version: 1.64
Severity: normal
User: debian-admin@lists.debian.org
Usertags: needed-by-DSA-Team
X-Debbugs-Cc: debian-admin@lists.debian.org

Hi,

now that https://popcon.debian.org is a thing, we should update the
client to POST on https (without certificate checking if you don't want
to pull in that dependency?).  Then eventually, in a few (5+) years,
stop supporting plain http uploads.

Cheers,
Julien

--- End Message ---
--- Begin Message ---
On Sat, May 18, 2019 at 11:00:17AM +0800, Paul Wise wrote:
> On Fri, 2019-05-17 at 17:33 +0900, Marc Dequènes wrote:
> 
> > This rationale does not stand anymore as now this URL replies with:
> > < HTTP/1.1 302 Found
> > < Location: https://popcon.debian.org/cgi-bin/popcon.cgi
> > 
> > I don't know for how long this has been the case but as nobody seemed to 
> > have noticed I guess switching to HTTPS would be fine.
> 
> The popcon client does not get this redirect:
> 
> $ GET -dS http://popcon.debian.org/cgi-bin/popcon.cgi
> GET http://popcon.debian.org/cgi-bin/popcon.cgi
> 302 Found
> GET https://popcon.debian.org/cgi-bin/popcon.cgi
> 200 OK
> 
> $ GET -H 'User-Agent: popcon-upload' -dS http://popcon.debian.org/cgi-bin/popcon.cgi
> GET http://popcon.debian.org/cgi-bin/popcon.cgi
> 200 OK
> 
> pabs@pinel:~$ grep -C1 popcon-upload /etc/apache2/sites-available/popcon.debian.org
> 	RewriteEngine on
> 	RewriteCond "%{HTTP_USER_AGENT}" !popcon-upload
> 	RewriteRule ^(.*) https://popcon.debian.org$1 [R,L]

Thanks Paul for your explanation! I was going to reply but your answer
is better.

The problem with HTTPS is that it requires the client and server to use
compatible TLS versions. For security reasons, new webservers remove
support for outdated TLS versions. Unfortunately one of the goals of
popcon is to count clients that still use outdated TLS versions, so we
cannot simply ignore them.

I close this bug before it accumulates more spam.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

--- End Message ---
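As an added illustration (not code from the thread or from the popularity-contest package), the following Python model reproduces the Apache rule Paul quoted and his two `GET -dS` sessions: a `RewriteCond` pattern is an unanchored regex and `!` negates it, so only a User-Agent that does not contain `popcon-upload` is redirected to HTTPS, while the client's own User-Agent is served over plain HTTP. The host and paths come from the thread; the `lwp-request/6.x` User-Agent string and the 404 for other hosts are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Model of the vhost rule quoted in the thread:
#   RewriteCond "%{HTTP_USER_AGENT}" !popcon-upload
#   RewriteRule ^(.*) https://popcon.debian.org$1 [R,L]
# The CondPattern is an unanchored regex, so a substring match anywhere
# in the User-Agent is enough to skip the redirect.
UA_EXEMPT = re.compile(r"popcon-upload")
HOST = "popcon.debian.org"


def server_response(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for one request to the modelled vhost."""
    scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    path = "/" + path
    if host != HOST:
        return 404, {}  # constructed: anything else is out of scope here
    if scheme == "http" and not UA_EXEMPT.search(headers.get("User-Agent", "")):
        # [R] without a code means 302; $1 carries the original path across.
        return 302, {"Location": f"https://{HOST}{path}"}
    return 200, {}


def fetch(url: str, user_agent: str = "lwp-request/6.x", max_hops: int = 5) -> List[Tuple[str, int]]:
    """Follow redirects the way `GET -dS` does and record every (url, status) hop.

    The default User-Agent is a constructed stand-in for lwp-request's own.
    """
    hops: List[Tuple[str, int]] = []
    for _ in range(max_hops):
        status, resp = server_response(url, {"User-Agent": user_agent})
        hops.append((url, status))
        if status != 302:
            break
        url = resp["Location"]
    return hops


if __name__ == "__main__":
    for ua in ("lwp-request/6.x", "popcon-upload"):
        print(ua, "->", fetch("http://popcon.debian.org/cgi-bin/popcon.cgi", ua))
```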