
Re: How to make apt-transport-https accept security.debian.org bad certificate?



Thank you.

I reported the problem as a bug against pseudopackage "debian-security" <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802539>.

I get a different set of IP addresses for security.debian.org; there may be some geographically dependent load balancing:

-----BEGIN PASTED TEXT-----
$ host security.debian.org
security.debian.org has address 128.31.0.63
security.debian.org has address 128.61.240.73
security.debian.org has address 149.20.20.6
security.debian.org has IPv6 address 2610:148:1f10:3::73
security.debian.org has IPv6 address 2001:4f8:8:36::6
security.debian.org mail is handled by 10 muffat.debian.org.
security.debian.org mail is handled by 10 mailly.debian.org.
-----END PASTED TEXT-----

I also tested with wget; of these addresses, only 128.31.0.63 supports HTTPS and has a bad certificate. The output is in Spanish; and it says that:

-----BEGIN PASTED TEXT-----
$ LANG= wget https://security.debian.org/dists/wheezy/updates/main/source/Sources
--2015-10-20 16:10:55--  https://security.debian.org/dists/wheezy/updates/main/source/Sources
Resolving security.debian.org (security.debian.org)... 128.61.240.73, 149.20.20.6, 128.31.0.63, ...
Connecting to security.debian.org (security.debian.org)|128.61.240.73|:443... failed: Connection refused.
Connecting to security.debian.org (security.debian.org)|149.20.20.6|:443... failed: Connection refused.
Connecting to security.debian.org (security.debian.org)|128.31.0.63|:443... connected.
The certificate's owner does not match hostname `security.debian.org'
-----END PASTED TEXT-----

AFAIK security.debian.org has no official mirrors because the Debian project does not trust mirrors to offer timely updates. I do not know of an unofficial mirror.

Regards and thanks.

On 20/10/15 at 15:37, Michael Jones wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20/10/15 09:06, Michael Jones wrote:
On 20/10/15 09:01, Michael Jones wrote:
no peer certificate available
correction, needed sni, will re-test

mike@mike-laptop3:~$ openssl s_client -showcerts -connect debian.org:443 -servername security.debian.org </dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0

back home now, had another look, ssl is not available on the server
security.debian.org, so you won't be able to change the protocol to
https. If for whatever reason you wanted ssl, you could either have an
ssl proxy or a mirror that provided ssl.

mike@mike-laptop3:~$ wget "https://security.debian.org/debian-security/dists/jessie/updates/non-free/binary-i386/Packages.bz2"
--2015-10-20 21:35:34--  https://security.debian.org/debian-security/dists/jessie/updates/non-free/binary-i386/Packages.bz2
Resolving security.debian.org (security.debian.org)... 195.20.242.89, 212.211.132.32, 212.211.132.250, ...
Connecting to security.debian.org (security.debian.org)|195.20.242.89|:443... failed: Connection refused.
Connecting to security.debian.org (security.debian.org)|212.211.132.32|:443... failed: Connection refused.
Connecting to security.debian.org (security.debian.org)|212.211.132.250|:443... failed: Connection refused.
Connecting to security.debian.org (security.debian.org)|2001:a78:5:1:216:35ff:fe7f:6ceb|:443... failed: Network is unreachable.
Connecting to security.debian.org (security.debian.org)|2001:a78:5:0:216:35ff:fe7f:be4f|:443... failed: Network is unreachable.

mike@mike-laptop3:~$ openssl s_client -showcerts -connect security.debian.org:443 -servername apache.org </dev/null
connect: Connection refused
connect:errno=111

mike@mike-laptop3:~$ nmap security.debian.org -Pn -p 443 2>&1 | grep 443
443/tcp closed https

Kind Regards,
Mike

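The two posters in this thread got different answers because each resolver returned a different set of addresses for the same name. As an added example (not code from either message), the Python sketch below probes every resolved address separately and reports whether port 443 is closed, unreachable, or serving a certificate that does not cover the name; the function names `classify`, `probe` and `survey` are hypothetical.

```python
import errno
import socket
import ssl

HOSTNAME_MISMATCH = 62  # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH


def classify(exc):
    """Map the outcome of one TLS connection attempt to a short verdict."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Code 62: the certificate does not cover the requested name.
        if getattr(exc, "verify_code", None) == HOSTNAME_MISMATCH:
            return "hostname-mismatch"
        return "untrusted-cert"
    if isinstance(exc, ConnectionRefusedError):
        return "port-closed"
    if isinstance(exc, OSError) and exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable"
    return "error"


def probe(hostname, address, port=443, timeout=5.0):
    """Dial one address, but send SNI and verify the certificate for hostname."""
    ctx = ssl.create_default_context()  # chain and hostname verification stay on
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return classify(None)
    except OSError as exc:  # SSLError and ConnectionRefusedError are OSErrors
        return classify(exc)


def survey(hostname, port=443):
    """Probe every A/AAAA record; round-robin DNS hides per-host differences."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    addresses = sorted({info[4][0] for info in infos})
    return {addr: probe(hostname, addr, port) for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in survey("security.debian.org").items():
        print(f"{addr:40} {verdict}")
```

Running it from more than one network shows whether a certificate error is tied to a single host behind the name or to all of them.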

