
Re: How to make apt-transport-https accept security.debian.org bad certificate?



On 19/10/15 at 18:37, Michael Jones wrote:
> perhaps there is also a flag for apt to ignore ssl errors, but
> wouldn't that defeat the purpose of ssl?

Indeed. That is why I asked for an option to accept the bad certificate only (instead of ignoring all TLS errors).

On 19/10/15 at 18:37, Michael Jones wrote:
> for untrusted certs (i don't think this is the issue here), you can
> always import these into either the OS, or the application (eg java
> uses jsecerts under lib security).

Right. That doesn't seem to be the problem. The error message complains that the certificate is invalid for that domain. You can check this with your browser.

On 19/10/15 at 18:37, Michael Jones wrote:
> try /etc/hosts if you don't mind mapping the domain (you may not want
> to do this as you won't be able to visit the domain you are re-mapping).

Are you sure that "/etc/hosts" can be used for that? As far as I know, "/etc/hosts" is used to locally assign IP addresses to domain names, for domain name resolution, instead of, or overriding, the usual DNS resolution procedure.

I do not understand how I could use /etc/hosts to work around this problem. Suppose I make "security.debian.org" resolve to one of the IP addresses of "debian.org". Apt will still "think" that it is connecting to "security.debian.org", so there will still be a certificate mismatch, plus, as an added problem, it is contacting the wrong server now.

Regards.

On 19/10/15 at 18:37, Michael Jones wrote:

On 20/10/15 00:15, Mario Castelán Castro wrote:
> My question is: How can I make "apt-get" accept the certificate
> anyway, but only _this_ certificate or other certificates that are
> otherwise valid but have the same subdomain mismatch error (it
> should reject a bogus certificate from an attacker)? In addition,
> where is the correct place to report this error?

as far as i'm aware most applications that connect using ssl won't
accept an invalid cert on the basis of incorrect domain (even if it's
a trusted cert). (like i think the issue is here).

what you could try is an /etc/hosts entry to use the same domain as
the cert (if the server will accept that domain).

for untrusted certs (i don't think this is the issue here), you can
always import these into either the OS, or the application (eg java
uses jsecerts under lib security).

perhaps there is also a flag for apt to ignore ssl errors, but
wouldn't that defeat the purpose of ssl?

try /etc/hosts if you don't mind mapping the domain (you may not want
to do this as you won't be able to visit the domain you are re-mapping).

Kind Regards,
Mike


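The /etc/hosts question discussed in the message above, as an added example that is not part of the original thread: a small offline model showing that TLS name checking compares the certificate's names with the name the client requested, so remapping the address changes which server answers but not the outcome. All host names, addresses and SAN lists are constructed placeholders, and the matcher is a simplified RFC 6125 style comparison, not apt's own code.

```python
# Added example; all names, addresses and SAN lists are constructed placeholders.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate dNSName with the requested host (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, covering exactly one label.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def resolve(name: str, hosts_file: dict, dns: dict) -> str:
    """Local hosts entries take precedence over DNS answers."""
    return hosts_file.get(name, dns[name])


def tls_name_check(name: str, hosts_file: dict, dns: dict, served_sans: dict) -> bool:
    """Resolve `name`, take the SANs served at that address, verify against `name`."""
    ip = resolve(name, hosts_file, dns)
    # The IP only selects which server answers; the comparison uses `name`.
    return any(dns_name_matches(san, name) for san in served_sans[ip])


DNS = {"example.org": "192.0.2.10", "security.example.org": "192.0.2.20"}
# Both servers present a certificate that does not list security.example.org.
SERVED_SANS = {
    "192.0.2.10": ["example.org", "www.example.org"],
    "192.0.2.20": ["example.org", "www.example.org"],
}

if __name__ == "__main__":
    no_override = tls_name_check("security.example.org", {}, DNS, SERVED_SANS)
    remapped = tls_name_check("security.example.org",
                              {"security.example.org": "192.0.2.10"}, DNS, SERVED_SANS)
    print("without hosts entry:", no_override)
    print("with hosts entry:   ", remapped)
```
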