[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27437: Source downloader accepts X.509 certificate for incorrect dom
|
From: |
Leo Famulari |
|
Subject: |
bug#27437: Source downloader accepts X.509 certificate for incorrect domain |
|
Date: |
Wed, 21 Jun 2017 02:17:52 -0400 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
While working on some package updates, I found that the source code
downloader will accept an X.509 certificate for an incorrect site.
Here is what happens:
------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started
/gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv -
x86_64-linux
/var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
Starting download of
/gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in
`/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross
fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------
Here is an example of what I think should happen in this case:
------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target
host name 'downloads.xiph.org'
------
And this is what Firefox says:
------
downloads.xiph.org uses an invalid security certificate.
The certificate is only valid for the following names:
osuosl.org, *.osuosl.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
------
signature.asc
Description: PGP signature