I installed `apt-transport-https` and changed all the links in `/etc/apt/sources.list` and I got a bunch of these: `server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none`
Huh? But it’s true. Visiting `https://security.debian.org/dists/jessie/updates/contrib/binary-amd64/Packages` in a browser gives me a warning. I have the `ca-certificates` package installed, so I guess either this is a man-in-the-middle attack, or the certificates for the Debian HTTPS sites are not signed by any CA shipped in `ca-certificates`, neither of which is good.
I fiddled with the hostnames and changed `ftp.debian.org` to `ftp.ch.debian.org` and now I get a different message: *W: Failed to fetch `https://ftp.ch.debian.org/debian/dists/jessie/main/binary-amd64/Packages` SSL: certificate subject name (plattenberg.ethz.ch) does not match target host name ‘ftp.ch.debian.org’*
This makes sense: the mirror presents a certificate issued for its real name, not for the alias I connected to. I changed the hostnames in `sources.list` to `plattenberg.ethz.ch` and that worked, partly. The `security.debian.org` entry still doesn’t work.
When I checked plattenberg itself, though, they say: “If you prefer to access this Debian mirror via HTTPS, please replace `https://ftp.ch.debian.org/` by `https://debian.ethz.ch/` in your sources.list file.” OK, then!
```
# ftp.ch.debian.org -> plattenberg.ethz.ch
deb https://debian.ethz.ch/debian jessie main contrib non-free
deb https://debian.ethz.ch/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
```
It also has an “Unofficial Mirror of the Debian Security APT repository”. And: “Use at your own risk!” I guess not. So the above mix of HTTPS and HTTP is going to be it. Hmmmm.
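As an added example (not code from the original post), here is a small audit of a `sources.list` along the lines of the errors above: it flags plain-HTTP entries, and for HTTPS mirrors it verifies the chain against the system CA store and compares the presented certificate’s names with the host apt would connect to, which is the check that produced the `plattenberg.ethz.ch` mismatch. The sample file is constructed, and `fetch_cert_names` is an assumed probe written for this example, not something apt exposes.

```python
import re
import socket
import ssl

SAMPLE_SOURCES = """\
# constructed sample after the post: ftp.ch.debian.org -> plattenberg.ethz.ch
deb https://debian.ethz.ch/debian jessie main contrib non-free
deb https://debian.ethz.ch/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
"""

def parse_sources(text):
    """Yield (scheme, host, suite) for every deb/deb-src line."""
    pat = re.compile(r"(?:deb|deb-src)\s+(https?)://([^/\s]+)\S*\s+(\S+)")
    for line in text.splitlines():
        m = pat.match(line.split("#", 1)[0].strip())
        if m:
            yield m.groups()

def cert_matches_host(cert_names, host):
    """The check apt failed: host must equal a SAN name; '*.' covers one label."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host or (name.startswith("*.") and host.partition(".")[2] == name[2:]):
            return True
    return False

def fetch_cert_names(host, port=443, timeout=5):
    """Verify the chain against the system CA store, return the cert's DNS SANs."""
    ctx = ssl.create_default_context()  # CA failure raises SSLCertVerificationError
    ctx.check_hostname = False  # name matching is reported by audit() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def audit(text, fetch=fetch_cert_names):
    """One (host, suite, verdict) per entry; `fetch` is injectable for offline tests."""
    out = []
    for scheme, host, suite in parse_sources(text):
        if scheme != "https":
            verdict = "plaintext http: only apt's signature check protects this"
        else:
            try:
                names = fetch(host)
                verdict = ("https ok" if cert_matches_host(names, host)
                           else "name mismatch, cert is for: " + ", ".join(names))
            except (ssl.SSLError, OSError) as e:
                verdict = "tls failure: %s" % e
        out.append((host, suite, verdict))
    return out
```

Run `audit(open("/etc/apt/sources.list").read())` on a real file to see which mirrors fail the CA check, which fail the name check, and which are plain HTTP.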
⁂
I have
```
deb https://deb.debian.org/debian/ sid main contrib non-free
deb-src https://deb.debian.org/debian/ sid main contrib non-free
```
in my `sources.list`. It seems to be a CNAME to `https://cdn-aws.deb.debian.org`.
– AlokSingh 2017-11-23 02:16 UTC
---
I’m trying to remember what I actually tried to write. I think I wanted to say that I had found an HTTPS mirror for the regular stuff but not for the security stuff. You don’t have `security.debian.org` in your sources list?
– Alex 2017-11-23 06:29 UTC
---
What you say about security.d.o seems to be a known problem with no fix.
– AlokSingh 2017-11-23 09:26 UTC
---
Indeed. 🙁
– Alex 2017-11-23 09:36 UTC
---
I’m going back to `http`. `https` is about 3× slower and the package signing is strong enough for me.
– AlokSingh 2017-11-28 10:10 UTC
---
How strange. The HTTP vs. HTTPS site illustrates that the problem must lie elsewhere. Perhaps apt results in a usage pattern that penalizes HTTPS. The connection is not reused and thus the SSL handshake is necessary for every package, perhaps? I did not investigate.
As for security, the discussion on StackExchange links to a possible attack. Wheee!
– Alex 2017-11-28 11:49 UTC