
Thread: Can we use HTTPS for repos?

  1. #1

    Question Can we use HTTPS for repos?

    I notice that download.opensuse.org can be accessed both via http and https but I wonder if it would be safe/recommended to switch to https URLs long term?

  2. #2

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by heyjoe:
    I notice that download.opensuse.org can be accessed both via http and https but I wonder if it would be safe/recommended to switch to https URLs long term?
    What happens if you try changing the URL for one of your repos?

  3. #3

    Default Re: Can we use HTTPS for repos?

    I can't think of a reason why https support would be dropped.
    If you want to, inspect the ssl certificate for the expiration date, which would establish at least a likely minimum even if the certificate wasn't renewed/re-issued.

    TSU

  4. #4

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by Knurpht:
    What happens if you try changing the URL for one of your repos?
    I have set https://download.opensuse.org/reposi...USE_Leap_42.3/ and I could update rawtherapee successfully.

    Quote Originally Posted by tsu2:
    I can't think of a reason why https support would be dropped.
    If you want to, inspect the ssl certificate for the expiration date, which would establish at least a likely minimum even if the certificate wasn't renewed/re-issued.

    TSU
    This test gives an interesting low (C) grade result. I wonder if someone should look at it. It also says the certificate expires in less than 6 months.

    So would it make sense to switch all repos to https?

  5. #5

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by heyjoe:
    So would it make sense to switch all repos to https?
    Maybe I'm missing the obvious here... (But I may be having another senior moment).

    Even if the repositories are set to https, the actual download will come from a local mirror server, which may or may not be https.

    Using the rawtherapee repo in your example, here in the UK the download is from:
    http://anorien.csc.warwick.ac.uk/mir...opensuse.org/*

    Looking randomly at a few of the actual mirror servers listed here: https://mirrors.opensuse.org/ they were also all http.
    Regards, Paul

    2x Tumbleweed (Snapshot: 20191012) KDE Plasma 5
    2x Leap 15.1 KDE Plasma 5

  6. #6

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by tannington:
    Using the rawtherapee repo in your example, here in the UK the download is from:
    http://anorien.csc.warwick.ac.uk/mir...opensuse.org/*
    How did you check this? I am not getting any redirect.

  7. #7

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by heyjoe:
    How did you check this? I am not getting any redirect.
    Extract from "/var/log/zypper.log"

    Code:
    URL: https://download.opensuse.org/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    2017-10-27 16:21:28 <1> Orion-15.openSUSE(1554) [zypp++] MediaMultiCurl.cc(doGetFileCopy):1361 HTTP response: 200
    2017-10-27 16:21:28 <1> Orion-15.openSUSE(1554) [zypp] MediaCurl.cc(MediaCurl):558 MediaCurl::MediaCurl(http://anorien.csc.warwick.ac.uk/mirrors/download.opensuse.org/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm, )
    I don't claim to understand fully what zypper is doing, but I'm quite sure that download came from http://anorien.csc.warwick.ac.uk/* even though the repo URL was https://download.opensuse.org/*
    Regards, Paul


  8. #8

    Default Re: Can we use HTTPS for repos?

    Ok, I tried with wget:

    Code:
    [/tmp/download]: wget https://download.opensuse.org/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    --2017-10-27 19:55:04--  https://download.opensuse.org/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    Resolving download.opensuse.org (download.opensuse.org)... 195.135.221.134, 2001:67c:2178:8::13
    Connecting to download.opensuse.org (download.opensuse.org)|195.135.221.134|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm [following]
    --2017-10-27 19:55:05--  http://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    Resolving ftp.icm.edu.pl (ftp.icm.edu.pl)... 193.219.28.2, 2001:6a0:0:31::2
    Connecting to ftp.icm.edu.pl (ftp.icm.edu.pl)|193.219.28.2|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 13517299 (13M) [application/x-rpm]
    Saving to: ‘rawtherapee-5.3-2.1.x86_64.rpm’

    100%[==================================================================================================================>] 13,517,299  1.41MB/s   in 9.9s

    2017-10-27 19:55:15 (1.31 MB/s) - ‘rawtherapee-5.3-2.1.x86_64.rpm’ saved [13517299/13517299]

    [/tmp/download]: wget https://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    --2017-10-27 19:55:46--  https://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
    Resolving ftp.icm.edu.pl (ftp.icm.edu.pl)... 193.219.28.2, 2001:6a0:0:31::2
    Connecting to ftp.icm.edu.pl (ftp.icm.edu.pl)|193.219.28.2|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 13517299 (13M) [application/x-rpm]
    Saving to: ‘rawtherapee-5.3-2.1.x86_64.rpm.1’

    100%[==================================================================================================================>] 13,517,299  4.72MB/s   in 2.7s

    2017-10-27 19:55:49 (4.72 MB/s) - ‘rawtherapee-5.3-2.1.x86_64.rpm.1’ saved [13517299/13517299]

    So I guess the question is - if https is available, why is it not used and enforced (HSTS)?
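The wget transcript in post #8 and the zypper.log extract in post #7 both show the same thing: the configured repo URL is https, but the redirect target the client actually connects to is plain http. The following script is an added example (not from the thread or from any openSUSE tool) that parses both kinds of output and reports the transport of every hop, so an administrator can spot such a downgrade from logs alone; the sample inputs are abridged copies of the lines quoted above, embedded here as constructed test data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an abridged copy of the wget transcript in post #8.
WGET_TRANSCRIPT = """\
--2017-10-27 19:55:04--  https://download.opensuse.org/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
HTTP request sent, awaiting response... 302 Found
Location: http://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm [following]
--2017-10-27 19:55:05--  http://ftp.icm.edu.pl/pub/Linux/opensuse/repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm
HTTP request sent, awaiting response... 200 OK
"""

# Constructed sample: the MediaCurl line from the zypper.log extract in post #7.
ZYPPER_LINE = ("2017-10-27 16:21:28 <1> Orion-15.openSUSE(1554) [zypp] MediaCurl.cc(MediaCurl):558 "
               "MediaCurl::MediaCurl(http://anorien.csc.warwick.ac.uk/mirrors/download.opensuse.org/"
               "repositories/home:/rawtherapee/openSUSE_Leap_42.3/x86_64/rawtherapee-5.3-2.1.x86_64.rpm, )")

# wget prints "--<date> <time>--  <url>" for every URL it fetches, including each redirect target.
FETCH_RE = re.compile(r"^--\S+ \S+--\s+(\S+)$", re.M)
# zypper logs the URL it really opens inside "MediaCurl::MediaCurl(<url>, ...)".
MEDIACURL_RE = re.compile(r"MediaCurl::MediaCurl\((\S+?),")

def redirect_chain(transcript):
    """URLs wget actually fetched, in order; the first is the configured repo URL."""
    return FETCH_RE.findall(transcript)

def hops(chain):
    """(scheme, host) per hop, so the transport of each step is visible at a glance."""
    return [(urlsplit(u).scheme, urlsplit(u).hostname) for u in chain]

def downgraded(chain):
    """True when the client asked for https but the final fetch went over plain http."""
    schemes = [urlsplit(u).scheme for u in chain]
    return bool(schemes) and schemes[0] == "https" and schemes[-1] == "http"

def zypper_effective_url(line):
    """The URL zypper really downloaded from, or None if the line is not a MediaCurl line."""
    m = MEDIACURL_RE.search(line)
    return m.group(1) if m else None

if __name__ == "__main__":
    chain = redirect_chain(WGET_TRANSCRIPT)
    for scheme, host in hops(chain):
        print(f"{scheme:5} {host}")
    print("downgraded to http:", downgraded(chain))
    print("zypper fetched from:", urlsplit(zypper_effective_url(ZYPPER_LINE)).hostname)
```

Run against a real `wget` transcript or `/var/log/zypper.log`, the same functions show whether any given download left the https channel, which is the check the thread is circling around; as post #10 explains, the RPM signature and checksum verification is what protects the package contents regardless of that answer.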

  9. #9

    Default Re: Can we use HTTPS for repos?

    Quote Originally Posted by heyjoe:
    So I guess the question is - if https is available, why is it not used and enforced (HSTS)?
    What exact advantage will it bring in this case?

  10. #10

    Default Re: Can we use HTTPS for repos?

    https://progress.opensuse.org/news/40

    Why download.opensuse.org does not officially support SSL

    While enabling SSL for the service running download.opensuse.org is not really a problem (and is done already), there are some issues behind that we want to get fixed first before making an official announcement...
    Added by lrupp 3 days ago

    The main issue here is the way MirrorBrain is used: instead of delivering a file directly, download.opensuse.org will redirect the requests of our customers to a mirror server which hosts the file and is nearer to their location. While this normally has benefits for both sides, it becomes problematic if MirrorBrain should redirect users who would like to get their files delivered via an encrypted (https) channel.
    First: our mirrors need to support SSL for this. While some mirrors have had SSL enabled for a long time, others don't - and want to avoid it in the future as well, to avoid overloading their systems.
    Second: MirrorBrain not only needs to know whether a mirror server supports SSL before it can redirect a user requesting a file via SSL to that mirror; to avoid confusing error messages, we also need to make sure that the SSL setup on the mirrors is correct and that they at least (just to give an example) provide a correct SSL certificate.
    Third: MirrorBrain itself was never developed to differentiate between encrypted and unencrypted requests. As such, this "new" feature needs to be implemented properly. Volunteers needed...
    Do you know that download.opensuse.org is used by nearly all openSUSE systems to get their updates and for downloading new software? The Apache (worker) process running on this machine serves (under normal conditions) 300 to 500 requests per second for this reason alone. In addition to that, a dedicated Nginx service on the same host is used to quickly free up resources from Apache and deliver files (like RPMs and ISOs) as fast as possible, without blocking Apache from handling more requests. This setup avoids database locks, as each request for a file on the Apache side results in a database request to MirrorBrain to get the best mirror for the file. As Apache cannot free up the DB connection until the request is handled, the "hand over" (aka redirect) to the Nginx service allows Apache to be freed up quickly, ready to handle more requests.
    But the Nginx on the machine is just used as a "last resort": under normal circumstances, openSUSE benefits from over 180 mirrors worldwide that offer files for our users. And the redirection is based on the GeoIP location of the requester and the closest mirrors to that destination. If you ever want to know how many mirrors host a specific file, just click on the "details" link on download.opensuse.org (have a look at the details for the Leap 42.3 ISO as an example). We even provide a Google Map for you (see: "Map showing the closest mirrors") to show you the location of your client and the mirror servers around you.
    While people are more and more asking to get an encrypted line to download their packages, we - as openSUSE admins - are asking ourselves often enough: "why"?

    • During the installation of a client machine, it gets the public signing keys for official packages installed (one of the reasons why you really should "Verify Your Download Before Use")
    • Each and every package in the official repositories is signed with such a key. In addition, each RPM also includes checksums for every file it contains.

    So what happens if a mirror provides you with some malicious packages?

    • first of all: our MirrorBrain scanner might detect a size mismatch and exclude the file from any redirect
    • during installation, you will get warned that either the signing key does not match and/or the (internal) checksums of the package are wrong
    • if you add a new repository from the Open Build Service, you should also verify the provided key

    Does that change, if you download the same file via SSL? - No.
    Does an encrypted download help you to mask what you are doing? - Only partly. An attacker or undercover agent might not know exactly what you download - but keep in mind that your DNS queries are known, as are the IP addresses of the machines you connect to; this mitigates the fog you want to produce.
    Would TOR help? - Probably yes; with regard to the anonymity that TOR provides, only you and your entry server know what you are looking for. Interestingly, the traffic inside the TOR network is already encrypted. So you don't win much with an encrypted endpoint download.opensuse.org.
    So while we are looking for developers who would like to extend MirrorBrain with the needed features for a proper SSL redirection - and on our mirror servers to prepare their infrastructure for SSL traffic - stay tuned and keep in mind that the verification of keys and installation media will not change, even if we can officially provide you with completely SSL encrypted traffic in the near future.
