
Re: How to make apt-transport-https accept security.debian.org bad certificate?




On 20/10/15 00:55, Mario Castelán Castro wrote:
> Are you sure that "/etc/hosts" can be used for that? As far as I
> know "/etc/hosts" is used to locally assign the IP addresses to
> domain names, for domain name resolution, instead of, or overriding
> the usual DNS resolution procedure.
> 
> I do not understand how I could use /etc/hosts to work around this
> problem. Suppose I make "security.debian.org" resolve to one of the
> IP addresses of "debian.org". Apt will still "think" that it is
> connecting to "security.debian.org", so there will still be a
> certificate mismatch, plus, as an added problem, it is contacting
> the wrong server now.

Under a normal situation, yes, this would work, as you could also update
your apt sources.list to use the "correct" domain name (by correct
domain, I mean the one in the SSL cert).

However, I've had a quick look:

http://security.debian.org/debian-security/dists/jessie/updates/non-free/binary-i386/Packages.bz2

This is a request from an update. Using the same URL in a web browser, but
over https, does not produce an invalid cert; in actual fact we get a
connection reset.

"The connection to security.debian.org was interrupted while the page
was loading."

Testing with openssl:

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -showcerts -connect security.debian.org:443 </dev/null
CONNECTED(00000003)
140013054264976:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Even with overriding DNS:

212.211.132.250	debian.org


this will not work, as the server providing security.debian.org does not
have a valid SSL setup.

So in this case there is not much you can do.


Kind Regards,
Mike
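An added example, not written by either poster in this thread, that models the reasoning above in Python: an /etc/hosts entry only changes which address a name resolves to, while the certificate is verified against the name the client asked for (also sent as SNI), so steering security.debian.org at debian.org's address (212.211.132.250, quoted in the message) produces a name mismatch, and an endpoint that never completes the handshake produces no certificate at all. The DNS table, the 203.0.113.10 address and the SAN lists are constructed; san_matches implements RFC 6125 wildcard rules.

```python
# Constructed sample data, not real DNS or certificate records (apart from
# the debian.org address quoted in the thread). PRESENTED_SAN maps an IP to
# the DNS names in the certificate it serves; None means the port never
# completes a TLS handshake, which is what the openssl output above shows.
DNS = {"debian.org": "212.211.132.250", "security.debian.org": "203.0.113.10"}
PRESENTED_SAN = {
    "212.211.132.250": ["debian.org", "www.debian.org"],
    "203.0.113.10": None,  # placeholder address that does not speak TLS
}


def san_matches(hostname, san):
    """RFC 6125-style DNS-ID match: exact (case-insensitive), or a '*' that
    is the whole left-most label and stands for exactly one label, so
    '*.debian.org' matches 'www.debian.org' but not 'debian.org'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # at least two labels must follow the wildcard: no '*.org'
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def resolve(name, hosts_overrides):
    """/etc/hosts entries win over DNS, as the quoted poster describes."""
    return hosts_overrides.get(name) or DNS.get(name)


def check_https(requested_name, hosts_overrides):
    """Classify what an HTTPS client sees: 'ok', 'name-mismatch',
    'handshake-failure' or 'unresolvable'. The certificate is checked against
    the name the client asked for, never against the address it was steered to."""
    ip = resolve(requested_name, hosts_overrides)
    if ip is None:
        return "unresolvable"
    san = PRESENTED_SAN.get(ip)
    if san is None:  # no certificate at all, like the s_client run above
        return "handshake-failure"
    if any(san_matches(requested_name, s) for s in san):
        return "ok"
    return "name-mismatch"


if __name__ == "__main__":
    steer = {"security.debian.org": DNS["debian.org"]}  # the /etc/hosts idea
    print("as-is:       ", check_https("security.debian.org", {}))
    print("hosts hack:  ", check_https("security.debian.org", steer))
    print("sources.list:", check_https("debian.org", {}))
```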

