-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20/10/15 00:55, Mario Castelán Castro wrote:
> Are you sure that "/etc/hosts" can be used for that? As far as I
> know "/etc/hosts" is used to locally assign the IP addresses to
> domain names, for domain name resolution, instead of, or overriding
> the usual DNS resolution procedure.
>
> I do not understand how I could use /etc/hosts to work around this
> problem. Suppose I make "security.debian.org" resolve to one of the
> IP addresses of "debian.org". Apt will still "think" that it is
> connecting to "security.debian.org", so there will still be a
> certificate mismatch, plus, as an added problem, it is contacting
> the wrong server now.

Under a normal situation, yes, this would work, as you could also update
your apt sources.list to use the "correct" domain name (by correct
domain, I mean the one in the SSL cert).

However, I've had a quick look:

http://security.debian.org/debian-security/dists/jessie/updates/non-free/binary-i386/Packages.bz2

This is a request from an update. Using the same in a web browser, but
with https, does not issue an invalid cert; in actual fact we get a
connection reset.

"The connection to security.debian.org was interrupted while the page
was loading."

Testing with openssl:

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -showcerts -connect security.debian.org:443 </dev/null
CONNECTED(00000003)
140013054264976:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Even with overriding DNS

212.211.132.250 debian.org

this will not work, as the server providing security.debian.org does not
have a valid SSL setup.

So in this case there is not much you can do.

Kind Regards,

Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
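
Added example, not part of the original message: a Python check that separates the two failure modes discussed above, a certificate that is rejected for the requested name versus a port where the TLS handshake never completes. The names `probe_tls` and `closing_listener` are hypothetical, and the local listener is a constructed stand-in for a host that drops connections on port 443.

```python
import socket
import ssl
import threading


def probe_tls(address, port, server_name, timeout=5.0):
    """Connect to `address`, but verify the certificate against `server_name`.

    This is what an /etc/hosts override amounts to: the address changes,
    the name the client checks the certificate against does not.
    Returns (status, detail).
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        raw = socket.create_connection((address, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", type(exc).__name__
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return "ok", tls.version()
        except ssl.SSLCertVerificationError as exc:
            # A certificate was presented but not accepted for server_name.
            return "cert_rejected", exc.verify_message
        except OSError as exc:
            # Reset, EOF, timeout or protocol error: the handshake failed
            # for a reason other than certificate verification.
            return "no_tls", type(exc).__name__


def closing_listener():
    """Constructed stand-in: a local port that accepts, then drops the peer."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Address is local, but the name being verified is unchanged.
    print(probe_tls("127.0.0.1", closing_listener(), "security.debian.org"))
```

A `no_tls` result corresponds to the `no peer certificate available` output above: there is no certificate to match, so changing which address the name resolves to cannot help.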