[Bug 1551464] Re: apt-get sources should support TLS SNI (server name)

David Kalnischkies 1551464 at bugs.launchpad.net
Sat Nov 19 09:26:20 UTC 2016


So, how is this option named in firefox and how do you set it? ………
exactly. You don't have it as an option as servername != hostname is
something you only need for experiments which is the main purpose of
s_client. Firefox doesn't need that option as it is using SNI (in
reality it uses a library which does, but details). apt doesn't need the
option as it is using libcurl-gnutls which is using SNI (see the
apt-helper command above as proof). That this isn't working in your case on
your system is a bug "somewhere", possibly libcurl-gnutls or the things
it uses like libgnutls, but not a reason to request a servername option
in apt which given that you want to set it with servername == hostname
would be a NOP anyhow…

P.S.: Fire up wireshark and realize that HTTPS itself fails your blank
"everything should be encrypted" statement. The irony is that SNI is
actually one of those unencrypted but highly informational pieces. The
rest is a bit of traffic analysis away as you have perfect knowledge of
the entirely static data sent over the encrypted wire, so from the
transfer size alone you can already make reasonable guesses about what
you do and with a bit more work you can be sure. Better than nothing of
course and one of the reasons I subsumed under "you might want" but it's
still mostly a feeling of security/privacy you get here as apt just
isn't your typical dynamically created website with cookies and
passwords and stuff resulting in unique data streams where HTTPS makes a
lot more sense. IF you and repository owners were really into privacy,
you would be using TOR and repositories on onion services (for the
record, apt supports it via apt-transport-tor and some repositories are
available as onion service).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1551464

Title:
  apt-get sources should support TLS SNI (server name)

Status in apt package in Ubuntu:
  Invalid

Bug description:
  There needs to be an option in apt source.list entries to specify the
  server name to be used by TLS for the Server Name Indication (SNI).

  The OpenSSL equivalent is '-servername'.

  Currently, when accessing sources over https when multiple names are
  used on the same IP address, there is no way to specify which server
  name should be used and so the default name is always used.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apt 1.0.1ubuntu2.11
  ProcVersionSignature: Ubuntu 4.2.0-30.35~14.04.1-generic 4.2.8-ckt3
  Uname: Linux 4.2.0-30-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.19
  Architecture: amd64
  Date: Mon Feb 29 17:25:22 2016
  InstallationDate: Installed on 2016-02-26 (3 days ago)
  InstallationMedia: Xubuntu 14.04.4 LTS "Trusty Tahr" - Release amd64 (20160217.1)
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)
