authorDavid Kalnischkies <kalnischkies@gmail.com>2010-01-04 13:54:57 +0100
committerDavid Kalnischkies <kalnischkies@gmail.com>2010-01-04 13:54:57 +0100
commit930f51811cd36a695c07f0b8414b118ce28dda04 (patch)
treed6bfa18fd7a7a3b3751cb8fef02d989c51286fb2
parentc24f6ce22cd6720004addad2e3382b3caa6b1b7c (diff)
finally merge the rest of the patchset from Arnaud Ebalard
with the CRL and Issuers options for https, thanks! (Closes: #485963)
-rw-r--r--debian/changelog3
-rw-r--r--doc/examples/apt-https-method-example.conf21
-rw-r--r--methods/https.cc14
3 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index fca8d3ccb..cdf477cfd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -45,6 +45,9 @@ apt (0.7.26) UNRELEASED; urgency=low
* methods/gpgv.cc:
- pass all keyrings (TrustedParts) to gpgv instead of
using only one trusted.gpg keyring (Closes: #304846)
+ * methods/https.cc:
+ - finally merge the rest of the patchset from Arnaud Ebalard
+ with the CRL and Issuers options, thanks! (Closes: #485963)
-- Michael Vogt <mvo@debian.org> Thu, 10 Dec 2009 22:02:38 +0100
diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf
index 0067171bd..cc7889044 100644
--- a/doc/examples/apt-https-method-example.conf
+++ b/doc/examples/apt-https-method-example.conf
@@ -36,6 +36,8 @@
to access its content.
- The certificate presented by both server have (as expected) a CN that
matches their respective DNS names.
+ - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+ to use them.
- It somtimes happens that we had other more generic https available
repository to our list. We want the checks to be performed against
a common list of anchors (like the one provided by ca-certificates
@@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
// Use a specific anchor and associated CRL. Enforce issuer of
// server certificate using its cert.
Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
// Like previous for anchor and CRL, but also provide our
// certificate and keys for client authentication.
Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
used for the https entries in the sources.list file that use that
repository (with the same name).
+ Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem";
+
+ Like previous knob but for passing the list of CRL files (in PEM
+ format) to be used to verify revocation status. Again, if the
+ option is defined with no specific mirror (probably makes little
+ sense), this CRL information is used for all defined https entries
+ in sources.list file. In a mirror specific context, it only applies
+ to that mirror.
+
+ Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+ Allows to constrain the issuer of the server certificate (for all
+ https mirrors or a specific one) to a specific issuer. If the
+ server certificate has not been issued by this certificate,
+ connection fails.
+
Acquire::https[::repo.domain.tld]::Verify-Peer "true";
When authenticating the server, if the certificate verification fails
diff --git a/methods/https.cc b/methods/https.cc
index 5d8e63f47..35c23db20 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -151,6 +151,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
default_verify = 0;
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
+ // Also enforce issuer of server certificate using its cert
+ string issuercert = _config->Find("Acquire::https::IssuerCert","");
+ knob = "Acquire::https::"+remotehost+"::IssuerCert";
+ issuercert = _config->Find(knob.c_str(),issuercert.c_str());
+ if(issuercert != "")
+ curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str());
+
// For client authentication, certificate file ...
string pem = _config->Find("Acquire::https::SslCert","");
knob = "Acquire::https::"+remotehost+"::SslCert";
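Review bot: The issuer constraint added here is silently a no-op when peer verification is off: libcurl documents CURLOPT_ISSUERCERT (and CURLOPT_CRLFILE in the second hunk of this file) as only taking effect together with CURLOPT_SSL_VERIFYPEER, and the new lines sit right after `default_verify = 0;` / CURLOPT_SSL_VERIFYHOST, with the Verify-Peer handling above the hunk and HttpsMethod::Fetch continuing outside it. A reader configuring `IssuerCert` or `CrlFile` for a mirror that also has `Verify-Peer "false"` will get no error and no check, so the dependency deserves a comment next to the setopt, e.g. `// Only honoured by libcurl while CURLOPT_SSL_VERIFYPEER is enabled (Verify-Peer above); with verification off the issuer/CRL result is ignored rather than failed`. The example conf in this commit could state the same dependency. Minor style point: `if(issuercert != "")` reads more idiomatically as `if(!issuercert.empty())`, likewise for `crlfile` in the second hunk.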
@@ -177,6 +184,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
final_version = CURL_SSLVERSION_SSLv3;
curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
+ // CRL file
+ string crlfile = _config->Find("Acquire::https::CrlFile","");
+ knob = "Acquire::https::"+remotehost+"::CrlFile";
+ crlfile = _config->Find(knob.c_str(),crlfile.c_str());
+ if(crlfile != "")
+ curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str());
+
// cache-control
if(_config->FindB("Acquire::https::No-Cache",
_config->FindB("Acquire::http::No-Cache",false)) == false)
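Review bot: The CRL option is only ever set, never cleared: when `crlfile` is empty the `curl_easy_setopt(curl, CURLOPT_CRLFILE, ...)` call is skipped, so if the easy handle is reused across Fetch calls for different hosts (not visible in this hunk) a mirror-specific CrlFile from an earlier request would still apply to a later host that has none configured; the same applies to CURLOPT_ISSUERCERT in the first hunk. If the handle is indeed reused, setting the option unconditionally, `curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.empty() ? NULL : crlfile.c_str());`, resets it per request (libcurl string options accept NULL to clear). Whether CRL checking is actually performed, and whether it then requires a CRL for every CA in the chain, depends on the SSL backend libcurl was built against, so a short `// backend-dependent: see CURLOPT_CRLFILE docs for the SSL library in use` comment would save the next maintainer a surprise. HttpsMethod::Fetch continues past the end of the hunk.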