Hi,The entry for security.debian.org in /etc/apt/sources.list contains these two rows, which use plain HTTP and not HTTPS for getting the Debian security updates:
deb http://security.debian.org/debian-security bullseye-security main deb-src http://security.debian.org/debian-security bullseye-security mainIf I set the source to HTTPS, all following apt-updates will fail with 'Connection refused'. I also checked the transfer via wireshark, and as expected the communication happens on Port 80.
All the other repository settings for Debian - such as getting the packages for a given release - are still set to use HTTP in default, but at least if I change them to HTTPS, then the communication works and uses TLS.
deb http://deb.debian.org/debian/ bullseye main deb-src http://deb.debian.org/debian/ bullseye main I'm using apt v.2.1.11, with the apt-transport-https package included.Does security.debian.org indeed serve only on Port 80? Wouldn't that pose a security issue?
Best regards, Szilárd Andai-- PGP fingerprint: 9CD5 AC2C ED73 C289 0506 63AC 9201 C86E 6D61 34B6
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature