[Bug 1551464] Re: apt-get sources should support TLS SNI (server name)

David Kalnischkies 1551464 at bugs.launchpad.net
Wed Nov 16 13:21:39 UTC 2016


That would be horrible… If you contact a server foo.example.org it
should respond with the cert for it, not with a cert for
bar.example.com. That is what SNI is all about after all (as your client
connects to an IP and SNI is telling the server which hostname it wanted
to connect to, so the server can respond with the right cert).

I somehow doubt a high-level interface like libcurl even exposes such a
detail. The bug report you reference is speculating about all sorts of
things, so one of them might be it. I would personally consider a bug in
libcurl-gnutls most likely (note that this is not always the library
behind curl. It seems to be in newer releases, older releases use
libcurl (the openssl variant)).

As an additional datapoint: On Debian stretch the command
"/usr/lib/apt/apt-helper download-file
'https://deb.nodesource.com/gpgkey/nodesource.gpg.key' 'nodesource.gpg'"
works just fine, so in newer versions that seems resolved.

Anyway, this report is a mixture between a feature request we will not
be implementing and a bug we don't have – as such marked as invalid in apt
as you are better off finding the real culprit and reporting a new bug
against that.

P.S.: apt doesn't need https for integrity. Given the sorry state of CAs
(compare e.g. StartSSL/WoSign) that wouldn't really be secure… There are
other reasons you might want https even in case of apt, but blank
statements aren't making anyone more secure – they just make them feel
secure.

** Changed in: apt (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1551464

Title:
  apt-get sources should support TLS SNI (server name)

Status in apt package in Ubuntu:
  Invalid

Bug description:
  There needs to be an option in apt sources.list entries to specify the
  server name to be used by TLS for the Server Name Indication (SNI).

  The OpenSSL equivalent is '-servername'.

  Currently, when accessing sources over https when multiple names are
  used on the same IP address, there is no way to specify which server
  name should be used and so the default name is always used.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apt 1.0.1ubuntu2.11
  ProcVersionSignature: Ubuntu 4.2.0-30.35~14.04.1-generic 4.2.8-ckt3
  Uname: Linux 4.2.0-30-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.19
  Architecture: amd64
  Date: Mon Feb 29 17:25:22 2016
  InstallationDate: Installed on 2016-02-26 (3 days ago)
  InstallationMedia: Xubuntu 14.04.4 LTS "Trusty Tahr" - Release amd64 (20160217.1)
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1551464/+subscriptions
