From: proxmox-pve-user-list@licomonch.net
To: pve-user@lists.proxmox.com
Date: Wed, 29 Jul 2020 11:31:13 +0200
Subject: Re: [PVE-User] HTTPS for download.proxmox.com

Hi Florent,

> download.proxmox.com packages are signed with key which public part can
> be downloaded on... download.proxmox.com, without https ! Well done.

That's what public keys are made for .. make them public ..
https doesn't change that .. it's used to transport secrets .. secret
like the S in HTTPS
If you want to use https for validation, you're on the wrong trip.
You'd have to personally check the pub key person (you) to person
(proxmox key admin) to be 100% sure about the correctness of the key ..
If the key is not correct and you aren't already hacked by some evil
minions you'll get a failure at package validation request .. or even
earlier on 'apt update'

The only real gain of package/pub-key distribution via https is a felt
security gain.
The real security gain is minimal and more theoretical.
(If someone can compromise you with changed packages _and_ a wrong
repo-key then you have greater problems than that ;) )

Greeting,
Andreas F.

>
> On 30/11/2017 12:32, Dietmar Maurer wrote:
>> This is why we have an enterprise repository! Please use the enterprise
>> repository
>> if you want SSL.
>>
>>> On November 30, 2017 at 12:22 PM Florent B wrote:
>>>
>>>
>>> Up !
>>>
>>>
>>> On 30/05/2017 15:21, Florent B wrote:
>>>> Hi PVE team,
>>>>
>>>> Would it be possible to include "download.proxmox.com" in SSL
>>>> certificate for accessing downloads with HTTPS.
>>>>
>>>> Current certificate is only valid for proxmox.com & enterprise.proxmox.com.
>>>>
>>>> Thank you.
>>>>
>>>> Florent
>>>>
>>>> _______________________________________________
>>>> pve-user mailing list
>>>> pve-user@pve.proxmox.com
>>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
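
The rejection "at package validation" or "on 'apt update'" mentioned in the reply rests on apt's hash chain: the signed Release file lists the hash of each Packages index, which in turn lists the hash of each .deb. The sketch below is an added example, not code from the thread or from Proxmox; it assumes the Release file's signature has already been verified against a key you trust (the gpgv step, not shown), and all sample data and names are constructed.

```python
import hashlib

def parse_release_sha256(release_text):
    """Map path -> (sha256 hex, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(packages_text):
    """Map Filename -> SHA256 for each stanza of a Packages index."""
    hashes = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        hashes[fields["Filename"]] = fields["SHA256"]
    return hashes

def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Return 'ok', or the stage at which the downloaded data stops matching."""
    digest, size = parse_release_sha256(release_text)[index_path]
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return "index"      # rejected while refreshing indexes ('apt update')
    expected = parse_packages(packages_bytes.decode())[deb_path]
    if hashlib.sha256(deb_bytes).hexdigest() != expected:
        return "package"    # rejected when the .deb is fetched for install
    return "ok"

# Constructed sample repository data (not real Proxmox files).
DEB = b"constructed package payload"
PACKAGES = ("Package: demo\nVersion: 1.0\nFilename: pool/demo_1.0_amd64.deb\n"
            f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n")
INDEX, PATH = "main/binary-amd64/Packages", "pool/demo_1.0_amd64.deb"

if __name__ == "__main__":
    evil = b"tampered payload"
    # An in-transit attacker who swaps the .deb must also rewrite the index.
    forged = PACKAGES.replace(hashlib.sha256(DEB).hexdigest().encode(),
                              hashlib.sha256(evil).hexdigest().encode())
    print(verify_chain(RELEASE, INDEX, PACKAGES, PATH, DEB))
    print(verify_chain(RELEASE, INDEX, PACKAGES, PATH, evil))
    print(verify_chain(RELEASE, INDEX, forged, PATH, evil))
```

Every link depends on the key used for the Release signature being the genuine one, which is the part the thread is arguing about.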