No way to download pfsense
-
Again, I use eff.org https-everywhere for YEARS. Also I use only Firefox for YEARS. Never had any issues with downloading pfsense.
AGAIN: Question: WHAT has changed, why is it not possible to download pfsense with this setup?
Please, stick to that question and don't try to tell me it's Firefox or me who is the problem…
-
But as usual in this forum, everything is fine with pfsense, always the user is just a bloddy id*ot… Got it!
Noop.
Proof it to yourself : visit any https site like: www.paypal.com
You saw the green bar ? Your browser is working, certificats are ok, pfSense is working.
Btw: 'certificats' are just files, being put in TCP streams. pfSense as a NAT/Firewall does know nothing about 'certificats'.This is a "browser can't match certificate" issue. Maybe it cached a certificate, can't contact the certificate issuer (temporalily DNS issue).
Anyway, pfSense image files are stored on "public download servers", they probably even don't use pfSense :)
Another proof/test : try downloading, bypassing the pfSense on your LAN (using the same ISP).
It works ? doesn't work ?edit: when browsing to https://files.nyi.pfsense.org:443 I receive the same error with my FF browser - Doktornotor's https://bugzilla.mozilla.org/show_bug.cgi?id=495339 becomes very clear !
-
May I cite from the the 2009 bug (after dusting of a little):
"This bug is invalid.
It complains that a cert with the wildcard pattern *.glodns.net
does not match the DNS name swiftspirit.co.za.plesk01.glodns.net
but that failure to match is REQUIRED by the relevant Internet standards.
It was the old behavior, where it DID match, that was a bug. "So, what has changed since May 2015, as I did my last download without any problems on different systems (Win, Linux) with Firefox and https-everywhere plugin?
PLEASE, no FUD, stick to that question! Why is it not possible to download pfsense via a https connection?
-
Why is it not possible to download pfsense via a https connection?
Are you actually reading, dude? Already told you twice. Are you going to pay for those 6 other wildcard certs yourself? There's no problem with downloading anything from mirrors. The only problem here is your idiotic browser addon making totally invalida assumptions that if there's something listening on port 443, it sure is intended and configured to serve the same content.
-
Do you actually read, Sir? I told you that there was no problem with this setup until May 2015, so what has changed since May 2015?
Simple question.
-
There was no problem before May 2015, there is no problem now, pretty sure there will be no problem in future either. That is, for people, who actually use the provided download links as opposed to improving those links with idiotic addons.
IOW - fix your browser or configure it to trust those "invalid" certificates if you insist on downloading via HTTPS. (At least one of those mirrors actully does NOT have HTTPS enabled anyway.) There's no problem here, except PEBKAC.
-
Adapt your medication, less or more. The current dose is inadequate.- not cool -
Thanks for your advise. Go buy more tinfoil.
I just don't get the people writing similar addons. We have multiple places where there's a normal website running on port 80. On port 443, there's a reservation system running for resellers. Same IP, same FQDN. We have other places which have a webmail on port 443. Again, same IP, same hostname. Both these examples run a completely different webserver on HTTPS port, and serve completely different content there. Beyond the above - there are zillions of websites on shared webhosting which - while serving the same content - have completely invalid certificates which belong to the webhosting company and is issued for their FQDN. Simply because HTTPS is a service that's charged as an extra, requiring further configuration, extra certificates and - at least until recently - also a separate IP address, due to lacking SNI implementation.
How on earth can anyone write addons that expect that simply rewriting http:// to https:// in browser is going to produce a working and meaningful result?
-
Again, it worked fine until May 2015 with exactly the same browser/plugin combination.
Total off topic, but: Did you ever consider that you might harm a honourable software project by the wording of your posts here? I mean, your expertise on networking is not under debate, however, your inter-personal skills … eeeh... might need some training? If I were looking for a decent firewall and read the forum here... Wasn't that bad when I came here first 2 years ago or so...
Just my personal opinion.
-
Adapt your medication, less or more. The current dose is inadequate.
The netiquette was leaving this thread likes me now too, what the hell is going on to bug us
a whole days because you will not check that your browser is the guilty and not we users here in the forum. >:(PLEASE, no FUD, stick to that question! Why is it not possible to download pfsense via a https connection?
Ask the pfSense team and please don´t troll us for that, I was answering that I am also having problems downloading an ISO file via Opera and FF, but not with IE 11 & IE12, so what is now your real problem?
-
And it works now. Except for you and other users of broken addons. Reminds me of the people who spam webmasters with emails about "broken" websites resulting from their usage of Noscript, or - oh, lookie, another piece of fine idiocy produced by EFF - LibreJS.
P.S. I am not a pfSense developer. As such, I'd reserve my right to express my feelings about idiots among programmers as I wish. Not sure about how's pfSense harmed by that, but pretty sure that EFF is harmed by releasing similar software brainfarts.
-
Even HTTPS Everywhere shouldn't cause the issue OP describes. I keep the pfsense.org rules there up to date via pull requests on Github as needed. There are no rules to force HTTPS on any of our sub-domains. We never link to HTTPS on sub-domains. Never have.
If you want to download via HTTPS, do so via https://files.pfsense.org and not any of the sub-domain mirrors (some of which aren't HTTPS-enabled at all, some of which will give a cert error if you go to them by sub-domain since wildcard rightly doesn't match). Or just download from whichever one you want via HTTP, and use the HTTPS links we give you on the download page for the sha256 hash.
Nothing's changed in that regard for years, much less since May. Something on your system is broken if you're getting sent to HTTPS on our sub-domains.
-
So I just hit this url
https://files.pfsense.org/mirror/downloads/pfSense-LiveCD-2.2.4-RELEASE-amd64.iso.gzAnd not having any issues
-
Https MITM on the client side maybe? Some infected router in the tracert path?
-
Https MITM on the client side maybe? Some infected router in the tracert path?
Doesn't appear to be, the things he pasted show he's getting the *.pfsense.org cert, it just doesn't match because of the hostnames being *.something.pfsense.org (which is why we never link HTTPS to those).
-
So I just hit this url
https://files.pfsense.org/mirror/downloads/pfSense-LiveCD-2.2.4-RELEASE-amd64.iso.gzWorks for me on Windows 7 Ultimate 64Bit together with latest FF and latest Opera browsers.
-
Also works here, Ubuntu + latest FF.
