Bug 785927

Summary: Incorrect HTTPS SSL Certificate for download.fedora.redhat.com
Product: [Other] Security Response Reporter: gdestuynder
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: unspecified   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-31 08:46:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description gdestuynder 2012-01-30 22:07:31 UTC 
Hopefully this is the proper bug-product, as none would exactly match.

https://download.fedora.redhat.com SSL certificate common name is *.fedoraproject.org, which is of course invalid.

This is therefore a security issue, as one would have to trust the wildcard that points to fedoraproject, where all sites are probably not managed by RedHat.
(That's also why all browsers will produce an error/warning when hitting that URL)

Thanks!
Comment 1 Tomas Hoger 2012-01-31 08:46:07 UTC 
-> https://fedorahosted.org/fedora-infrastructure/ticket/3118
Comment 2 Tomas Hoger 2012-02-20 18:30:51 UTC 
(In reply to comment #1)
> -> https://fedorahosted.org/fedora-infrastructure/ticket/3118

Ticket got resolved by removing obsolete download.fedora.redhat.com alias:
https://fedorahosted.org/fedora-infrastructure/ticket/3118#comment:3
http://scrye.com/wordpress-mu/nirik/2012/02/20/please-update-your-links-download-fedora-redhat-com-dl-fedoraproject-org/