On Thu, Jan 14, 2016 at 12:05 AM, Tom Fredrik Blenning Klaussen
<b...@blenning.no> wrote:
>
>
> On 13/01/16 23:56, bugzi...@apache.org wrote:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=55808
>>
>> --- Comment #9 from Yann Ylavic <ylavic....@gmail.com> ---
>>> (In reply to Tom Fredrik Blenning from comment #7)
>>> Both the SHA-1 checksums and the download are linked to http
>>> addresses, but the equivalent https addresses are available.
>>
>> No digest/signature is "linked" to any address, to the tarball
>> only.
>
> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1

Right, I misinterpreted what you mean by "linked".

>
>>>
>>> It just so happens that the https addresses do not have a valid
>>> security certificate which is a second bug.
>>
>> Could you elaborate? No alert when I access
>> https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1 from
>> here.
>
> So I start out at https://httpd.apache.org/download.cgi
>
> The two relevant links from this page are:
> http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
> http://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1
>
> Obviously both are http addresses, so that's the first error when
> linked from https.

My Firefox does not warn in this case (this is a different domain)
but never mind.
Wherever the tarball comes from, it has to be checked against the
digests from https://httpd.apache.org/dist/ for any trust to be
possible (this is less/not a requirement for PGP though, the trust is
more on the signer).
Even if you change the mirror on the /download.cgi page, the links to
the digests remain the same.

>
> Replacing http with https for both links works, but for the former:
> https://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2
>
> there is a certificate error. Firefox: (Error code:
> ssl_error_bad_cert_domain)

That could be addressed by the infra team, but I guess it does not
matter too much, it's a backup host (note that the certificate is the
same as for httpd.apache.org, i.e. *.apache.org).

Regards,
Yann.
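
Added example, not part of the original message or of the httpd project: a sketch of the check described in the reply above, where the tarball may come from any mirror over any scheme but is accepted only if it matches a digest obtained over HTTPS from the project's own host. The function names and the TRUSTED_DIGEST_HOSTS allow-list are assumptions made for illustration, and the tarball bytes and digest file are constructed inline.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumption for this example: digests are trusted only from these hosts over HTTPS.
TRUSTED_DIGEST_HOSTS = {"www.apache.org", "httpd.apache.org"}


def digest_source_ok(digest_url):
    """The digest must come over HTTPS from the project's own host, never a mirror."""
    parts = urlsplit(digest_url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_DIGEST_HOSTS


def parse_digest_file(text, filename):
    """Return the hex digest for `filename` from a 'HEX  name' or bare 'HEX' file."""
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([0-9a-fA-F]{40})(?:\s+\*?(\S+))?\s*", line)
        if m and m.group(2) in (None, filename):
            return m.group(1).lower()
    raise ValueError("no SHA-1 digest for %s" % filename)


def verify_download(tarball_bytes, tarball_url, digest_text, digest_url):
    """Accept a tarball from any mirror only if it matches a trusted-origin digest."""
    if not digest_source_ok(digest_url):
        raise ValueError("digest not from a trusted HTTPS origin: " + digest_url)
    name = urlsplit(tarball_url).path.rsplit("/", 1)[-1]
    expected = parse_digest_file(digest_text, name)
    # SHA-1 only because that is the digest file the thread refers to (.sha1).
    actual = hashlib.sha1(tarball_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    tarball = b"constructed stand-in for the tarball bytes"  # constructed sample
    sha1_file = hashlib.sha1(tarball).hexdigest() + "  httpd-2.4.18.tar.bz2\n"
    mirror = "http://www.eu.apache.org/dist//httpd/httpd-2.4.18.tar.bz2"
    origin = "https://www.apache.org/dist/httpd/httpd-2.4.18.tar.bz2.sha1"
    print(verify_download(tarball, mirror, sha1_file, origin))
    print(verify_download(tarball + b"!", mirror, sha1_file, origin))
```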