IMHO, TLS (SSL) gives you a false sense of security anyway. I do not mind downloading public packages through plain http since there isn't anything to keep secret. The package is public anyway.
The important part security-wise is to check the package signature. With Apache, it is usually easy to guess. The following link gives you the package signature:
https://www.us.apache.org/dist//axis/axis2/java/core/1.6.3/axis2-1.6.3-bin.zip.asc
then:
$ gpg axis2-1.6.3-bin.zip.asc
gpg: assuming signed data in `axis2-1.6.3-bin.zip'
gpg: Signature made Sat 27 Jun 2015 07:08:05 PM EDT using RSA key ID EE08B906
gpg: Good signature from "Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>"
gpg:                 aka "Andreas Veithen <andreas.veithen@gmail.com>"
gpg:                 aka "Andreas Veithen (CODE SIGNING KEY) <andreas.veithen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D3C 43AC 36E5 BCFC 9696  F996 CE13 E82A EE08 B906
again verify the signer key:
google for:
it gives you:
https://people.apache.org/list_V.html
scroll down to Veithen:
Andreas Veithen  Homepage  Geographical Location
Projects:
Apache Axiom
Apache Axis2
Apache Synapse
PGP Keys:
ID: EE08B906 Fingerprint: 2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906
Weblogs
Andreas Veithen's blog
Seems legit. TLS (SSL) to transfer the package gives you nothing if the packages are public anyway.
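The fingerprint comparison described in the post above can be scripted rather than done by eye. The following is an added example, not part of the original post: it parses gpg's machine-readable `--status-fd` output and accepts a file only if the signature is valid and the primary-key fingerprint equals a pinned value. The function names and the sample status lines (timestamp and algorithm fields included) are constructed for illustration; the fingerprint is the one quoted in the post.

```shell
#!/bin/sh
# Added example: pin the signer's primary-key fingerprint and check it against
# gpg's --status-fd output. Function names here are hypothetical.

# Constructed sample of status lines for a good signature (not real gpg output).
SAMPLE_STATUS='[GNUPG:] GOODSIG CE13E82AEE08B906 Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>
[GNUPG:] VALIDSIG 2D3C43AC36E5BCFC9696F996CE13E82AEE08B906 2015-06-27 1435446485 0 4 0 1 2 00 2D3C43AC36E5BCFC9696F996CE13E82AEE08B906'

# Normalise a fingerprint: strip spaces and newlines, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read status lines on stdin. Succeed only if a VALIDSIG line carries the
# pinned primary-key fingerprint ($1) as its last field and no BADSIG/ERRSIG
# line is present. A gpg too old to emit that field fails closed.
status_matches_pin() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if (toupper($NF) == want) ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_pinned SIGFILE DATAFILE FINGERPRINT
# Runs gpg and returns 0 only when the signature is good AND made by the
# pinned key. The human-readable output on stderr is discarded.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$3"
}

# Typical call, with the fingerprint taken from a source you trust:
#   verify_pinned axis2-1.6.3-bin.zip.asc axis2-1.6.3-bin.zip \
#       "2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906"
```

The pinned fingerprint is only as trustworthy as the channel it was obtained from, which is why the post cross-checks it against the committer listing.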