tickets #89578

closed

mirror manager - google-chrome can't download images from get-o-o

Added by lkocman about 3 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Mirrors
Target version:
-
Start date:
2021-03-06
Due date:
% Done:

100%

Estimated time:

Description

Hello team

It seems like users are having issues downloading images from get-o-o
while using google-chrome (it works for me with recent chromium).

The existing discussion: https://github.com/openSUSE/get-o-o/issues/35

This seems to be the error while downloading images from google-chrome:

Mixed Content: The site at 'https://get.opensuse.org/' was loaded over
a secure connection, but the file at
'http://ftp.vectranet.pl/opensuse/distribution/leap/15.3/iso/openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso'
was redirected through an insecure connection. This file should be
served over HTTPS. This download has been blocked. See
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
for more details.

Hellcp mentioned:
For what it's worth, and I know it's not much, that would be very easy
to fix with mirrormanager2, since you can actually request only getting
https repos (using ?protocol=https in the url) with it...

Could you please have a look at the issue?

--
Best regards

Lubos Kocman
Release Manager openSUSE Leap

SUSE LINUX, s.r.o.

Krizikova 148/34
186 00 Praha 8
Czech Republic

tel: +49 173 5876850
http://www.suse.com

Actions #1

Updated by hellcp about 3 years ago

  • Category set to Mirrors
  • Private changed from Yes to No
Actions #2

Updated by pjessen about 3 years ago

  • Status changed from New to In Progress

I'm going to make a quick guess - the link at get.o.o is using https.

Yup:
https://download.opensuse.org/distribution/leap/15.3/iso/openSUSE-Leap-15.3-NET-x86_64-Current.iso

As our mirroring system does not support https, the request is being downgraded to http.

I suggest you change the links at get.o.o to use http://download.opensuse.org/

Actions #3

Updated by hellcp about 3 years ago

We would have to serve get-o-o as http instead of https in that case; that won't fly. Otherwise chrome/ium will still block downloads.

Actions #4

Updated by pjessen about 3 years ago

hellcp wrote:

We would have to serve get-o-o as http instead of https in that case; that won't fly. Otherwise chrome/ium will still block downloads.

I was wondering about that, yeah. Is chrome/ium just being unnecessarily strict, or why isn't this a problem in Firefox?

Actions #5

Updated by pjessen about 3 years ago

hellcp wrote:

We would have to serve get-o-o as http instead of https in that case; that won't fly. Otherwise chrome/ium will still block downloads.

FWIW, I have just tried an http download link from an https site (https://www.jessen.ch) - Chromium did not complain. Version 85.0.4183.121.
I really don't see any reason why a normal clickable http link from an https website should not work. Mixing or downgrading happens "behind the scenes", but a direct link ought to be fine.

Actions #6

Updated by hellcp about 3 years ago

pjessen wrote:

FWIW, I have just tried an http download link from an https site (https://www.jessen.ch) - Chromium did not complain. Version 85.0.4183.121.
I really don't see any reason why a normal clickable http link from an https website should not work. Mixing or downgrading happens "behind the scenes", but a direct link ought to be fine.

Chromium 85, yeah, there you will only get a warning: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html

Testing with Chromium 88 shows that you cannot download from links with http at all if you are on an https website.

Actions #7

Updated by pjessen about 3 years ago

hellcp wrote:

pjessen wrote:

FWIW, I have just tried an http download link from an https site (https://www.jessen.ch) - Chromium did not complain. Version 85.0.4183.121.
I really don't see any reason why a normal clickable http link from an https website should not work. Mixing or downgrading happens "behind the scenes", but a direct link ought to be fine.

Chromium 85, yeah, there you will only get a warning: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html

Testing with Chromium 88 shows that you cannot download from links with http at all if you are on an https website.

Unable to reproduce. I have just installed Chromium 88 on TW and tried the download via my own site (https://www.jessen.ch), no warnings, it just starts the download.

Actions #8

Updated by hellcp about 3 years ago

pjessen wrote:

Unable to reproduce. I have just installed Chromium 88 on TW and tried the download via my own site (https://www.jessen.ch), no warnings, it just starts the download.

Mixed Content: The site at 'https://www.jessen.ch/' was loaded over a secure connection, but the file at 'http://ftp.vectranet.pl/opensuse/distribution/leap/15.3/iso/openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

I guess it depends on which mirror you end up getting and whether it can be upgraded to a secure connection? I don't really see how else it could work for you.

Actions #9

Updated by pjessen about 3 years ago

hellcp wrote:

pjessen wrote:

Unable to reproduce. I have just installed Chromium 88 on TW and tried the download via my own site (https://www.jessen.ch), no warnings, it just starts the download.

Mixed Content: The site at 'https://www.jessen.ch/' was loaded over a secure connection, but the file at 'http://ftp.vectranet.pl/opensuse/distribution/leap/15.3/iso/openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

I guess it depends on which mirror you end up getting and whether it can be upgraded to a secure connection? I don't really see how else it could work for you.

Hmm, that is weird - we don't redirect to any https sites - I'll have to check the mirror database if we have any. I have also just tried with Chrome 89, no warnings, no blocks.

Actions #10

Updated by pjessen about 3 years ago

I ran another test - there is a 2nd link on https://www.jessen.ch now, an http link to a zip file. No redirections, nothing. With Chromium 85, no problem. Chrome 89 complains about the backlevel TLS support on my server, but that is all.

Actions #11

Updated by hellcp about 3 years ago

pjessen wrote:

I ran another test - there is a 2nd link on https://www.jessen.ch now, an http link to a zip file. No redirections, nothing. With Chromium 85, no problem. Chrome 89 complains about the backlevel TLS support on my server, but that is all.

Mixed Content: The site at 'https://www.jessen.ch/' was loaded over a secure connection, but the file at 'http://www.jessen.ch/delia-and-jazz.zip' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

Actions #13

Updated by pjessen about 3 years ago

I have put up a very simple page - the server is more current, has TLSv1.2 etc.

https://files.jessen.ch/chrometest

What is funny - my wife confirms the mixed content warning, on Chrome 88 on both Mac and Windows. No download happens, and you have to go look for the warning.
On my Chrome 89 on TW, the download starts, but I see the following in the console when I go look for it:

Mixed Content: The site at 'https://files.jessen.ch/' was loaded over a secure connection, but the file at 'http://pkg.adfinis.com/opensuse/distribution/leap/15.3/iso/openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso' was redirected through an insecure connection. This file should be served over HTTPS. This download will be blocked in future versions of Chrome.

Well, something's screwed up, somewhere. For now I see only one solution: revert get.o.o to use http (dunno who might be in charge of that).
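
Added example, not code from this ticket or from any openSUSE project: a small Python checker that models the rule behind the Chrome errors quoted above, namely that a download started from an https page is blocked when the link itself, or any redirect hop on the way to the file, is plain http. It covers both pjessen's observation in #2 that an https request to download.opensuse.org is downgraded to an http mirror and the direct http link case in #11. The rule as coded is my reading of the linked Chromium post, not Chrome's own implementation; the sample chains are constructed from URLs quoted in this ticket (plus a hypothetical mirror.example host for the all-https case) and are not live results. fetch_chain is an optional live helper that issues a HEAD request with urllib and records the Location hops.

```python
"""Mixed-content download check: does a download chain stay on https end to end?"""
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener


def classify_download(page_url, chain):
    """Classify a download the way the Chrome error quoted in the ticket describes it.

    page_url: the page the user clicked on.
    chain:    the link URL followed by every redirect target, in order.
    Returns ("allowed", reason) or ("blocked", reason).
    This is a model of the rule written for this ticket, not Chrome's code.
    """
    if urlparse(page_url).scheme.lower() != "https":
        # Mixed content only exists relative to a secure page.
        return ("allowed", "page is not https, no mixed-content check applies")
    for i, hop in enumerate(chain):
        if urlparse(hop).scheme.lower() != "https":
            what = "link" if i == 0 else f"redirect hop {i}"
            return ("blocked", f"{what} {hop} is not https")
    return ("allowed", "every hop is https")


class _ChainRecorder(HTTPRedirectHandler):
    """urllib redirect handler that records each Location target it follows."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None:
            new_req.method = "HEAD"  # keep HEAD so we never pull the ISO body
        return new_req


def fetch_chain(url, timeout=10):
    """Live helper (needs network): HEAD the URL, follow redirects,
    return [url, hop1, hop2, ...] for classify_download()."""
    recorder = _ChainRecorder()
    opener = build_opener(recorder)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout):
            pass
    except HTTPError:
        pass  # a 4xx/5xx at the end of the chain still leaves the hops recorded
    return [url] + recorder.hops


# Constructed chains built from URLs quoted in the ticket (not live results).
SAMPLE_CHAINS = {
    "http mirror": (
        "https://get.opensuse.org/",
        ["https://download.opensuse.org/distribution/leap/15.3/iso/"
         "openSUSE-Leap-15.3-NET-x86_64-Current.iso",
         "http://ftp.vectranet.pl/opensuse/distribution/leap/15.3/iso/"
         "openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso"],
    ),
    "direct http link": (
        "https://www.jessen.ch/",
        ["http://www.jessen.ch/delia-and-jazz.zip"],
    ),
    "https end to end": (  # mirror.example is a hypothetical host
        "https://get.opensuse.org/",
        ["https://download.opensuse.org/distribution/leap/15.3/iso/"
         "openSUSE-Leap-15.3-NET-x86_64-Current.iso",
         "https://mirror.example/opensuse/distribution/leap/15.3/iso/"
         "openSUSE-Leap-15.3-NET-x86_64-Build91.1-Media.iso"],
    ),
}


def check_samples():
    """Run the model over the constructed chains; returns {name: (verdict, reason)}."""
    return {name: classify_download(page, chain)
            for name, (page, chain) in SAMPLE_CHAINS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in check_samples().items():
        print(f"{name:18} {verdict:8} {reason}")
```

To test a real link, call `classify_download("https://get.opensuse.org/", fetch_chain(link))`; if the verdict is "blocked" on a hop other than the first, the redirector (not the page) is what downgrades the connection, which is the situation pjessen describes in #2 and #9.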

Actions #14

Updated by pjessen about 3 years ago

  • Category deleted (Mirrors)
  • Status changed from In Progress to Workable
Actions #15

Updated by cboltz about 3 years ago

I just changed the haproxy config - the http -> https redirect is now disabled for get.o.o, so it can also be served over http.

However, Strict-Transport-Security max-age=15768000 means that your browser will remember to use https for get.o.o for about 6 months.

Actions #16

Updated by lrupp almost 3 years ago

  • Category set to Software portal
Actions #17

Updated by pjessen almost 2 years ago

  • Category changed from Software portal to Mirrors
  • Status changed from Workable to New
  • Assignee set to andriinikitin

I sense a mirrorcache issue, I'm re-assigning to Andrii.

Actions #18

Updated by andriinikitin almost 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

This was fixed by switching https traffic to MirrorCache in the summer of 2021, and the warning was removed in https://github.com/openSUSE/get-o-o/pull/57
So closing it, please reopen if any issues.
