Closed onitake closed 7 years ago
Hello @onitake,
Indeed, at the moment, our CDN setup for installrepo.kaltura.org does not include SSL. This is mostly because there's not much added value to using SSL for fetching packages. However, if you still wish to use SSL you can change the repo file to use the origin server, where SSL is properly configured. Simply edit kaltura.repo or kaltura.list [you didn't specify whether this is RPM or Deb] and change http://installrepo.kaltura.org to https://installrepo.origin.kaltura.org.
Thanks,
I agree that HTTPS does not make too much sense for the package files.
On the other hand, it's very useful for delivering the GPG key. Without proper channel security, an attacker may modify it on the fly and all signature checks will be useless.
I will try to modify our deployment setup so it fetches the key from the origin server and packages from the CDN. Thanks for the help!
Hi @onitake,
Most welcome:) You can certainly use the origin to fetch the GPG key and then move on to retrieve the actual packages from the CDN and that would make sense. Indeed with a lot of keys still using SHA1 and the recent publications about collision attacks, it does not hurt to be careful:)
Hi @onitake,
Just FYI, our CF endpoint now has a valid cert so that:
[Kaltura]
name = Kaltura Server
baseurl = https://installrepo.kaltura.org/releases/latest/RPMS/$basearch/
gpgkey = https://installrepo.kaltura.org/releases/RPM-GPG-KEY-kaltura
gpgcheck = 1
enabled = 1
[Kaltura-noarch]
name = Kaltura Server arch independent
baseurl = https://installrepo.kaltura.org/releases/latest/RPMS/noarch
gpgkey = https://installrepo.kaltura.org/releases/RPM-GPG-KEY-kaltura
gpgcheck = 1
enabled = 1
Will also work.
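The two points the thread makes (the signing key must travel over a channel an on-path attacker cannot tamper with, and signature checking must actually be enabled) can be turned into a quick audit of a yum/dnf repo file. The following is an added example, not code from the thread or from Kaltura; the sample repo texts are constructed from the configuration shown above, with only the URL scheme and gpgcheck values changed to produce a "before" and an "after" case.

```python
"""Audit yum/dnf .repo files for insecure package-signing configuration.

Added example (not part of the Kaltura thread). It flags the two things
discussed above: a GPG key fetched over plain http (substitutable by an
on-path attacker) and signature verification that is switched off.
"""
import configparser
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the Kaltura repo file from the thread with the CDN
# reachable only over plain http, plus a section with gpgcheck disabled.
INSECURE_REPO = """\
[Kaltura]
name = Kaltura Server
baseurl = http://installrepo.kaltura.org/releases/latest/RPMS/$basearch/
gpgkey = http://installrepo.kaltura.org/releases/RPM-GPG-KEY-kaltura
gpgcheck = 1
enabled = 1

[Kaltura-noarch]
name = Kaltura Server arch independent
baseurl = http://installrepo.kaltura.org/releases/latest/RPMS/noarch
gpgcheck = 0
enabled = 1
"""

# Constructed sample: the https variant posted in the thread.
SECURE_REPO = """\
[Kaltura]
name = Kaltura Server
baseurl = https://installrepo.kaltura.org/releases/latest/RPMS/$basearch/
gpgkey = https://installrepo.kaltura.org/releases/RPM-GPG-KEY-kaltura
gpgcheck = 1
enabled = 1

[Kaltura-noarch]
name = Kaltura Server arch independent
baseurl = https://installrepo.kaltura.org/releases/latest/RPMS/noarch
gpgkey = https://installrepo.kaltura.org/releases/RPM-GPG-KEY-kaltura
gpgcheck = 1
enabled = 1
"""


@dataclass
class Finding:
    section: str
    key: str
    severity: str  # "high" or "info"
    message: str


def audit_repo(text: str) -> list[Finding]:
    """Return findings for every enabled repo section in a .repo file."""
    # interpolation=None keeps yum variables such as $basearch verbatim.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: list[Finding] = []
    for section in parser.sections():
        sec = parser[section]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo is never consulted
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append(Finding(section, "gpgcheck", "high",
                                    "signature verification is disabled"))
        gpgkey = sec.get("gpgkey", "").split()
        if not gpgkey:
            findings.append(Finding(section, "gpgkey", "high",
                                    "no signing key configured"))
        for url in gpgkey:
            scheme = urlsplit(url).scheme
            # https or a local file is fine; anything else can be swapped in transit.
            if scheme not in ("https", "file"):
                findings.append(Finding(section, "gpgkey", "high",
                                        f"key fetched over '{scheme}': an on-path "
                                        "attacker can substitute it"))
        for url in sec.get("baseurl", "").split():
            if urlsplit(url).scheme == "http":
                # Packages over http are tolerable only because gpgcheck=1
                # plus a trusted key still authenticates them.
                findings.append(Finding(section, "baseurl", "info",
                                        "packages fetched over http; relies entirely "
                                        "on gpgcheck=1 and a trusted key"))
    return findings


def harden(text: str) -> str:
    """Rewrite gpgkey URLs to https and force gpgcheck=1 (line-based; does not
    touch indented continuation lines of multi-line values)."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key == "gpgkey":
            line = line.replace("http://", "https://")
        elif key == "gpgcheck":
            line = "gpgcheck = 1"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_repo(INSECURE_REPO):
        print(f"[{f.severity}] {f.section}/{f.key}: {f.message}")
    print("after harden():",
          [f for f in audit_repo(harden(INSECURE_REPO)) if f.severity == "high"])
```

Note that `harden()` can only fix what is already present: the `Kaltura-noarch` section in the insecure sample has no `gpgkey` at all, so it is still reported after rewriting, since no tool can invent the key's URL; that has to come from the vendor over a channel you trust.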
That's great! Thank you, Jess.
installrepo.kaltura.org is not properly usable via HTTPS, because it uses a certificate from Cloudfront. Please configure a suitable SSL certificate (one that matches the domain name), so the repository can be accessed over HTTPS.
Thank you!