-rw-r--r--doc/apt.conf.5.xml9
-rw-r--r--doc/examples/configure-index2
-rw-r--r--methods/connect.cc3
3 files changed, 14 insertions, 0 deletions
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index 260c66c46..54ed78c95 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -357,6 +357,15 @@ APT::Compressor::rev {
</para></listitem>
</varlistentry>
+ <varlistentry><term><option>AllowTLS</option></term>
+ <listitem><para>
+ Allow use of the internal TLS support in the http method. If set to false,
+ this completely disables support for TLS in apt's own methods (excluding
+ the curl-based https method). No TLS-related functions will be called
+ anymore.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry><term><option>PDiffs</option></term>
<listitem><para>Try to download deltas called <literal>PDiffs</literal> for
indexes (like <filename>Packages</filename> files) instead of
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index aada67bf5..a48d4cb99 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -206,6 +206,8 @@ Acquire
Source-Symlinks "<BOOL>";
ForceHash "<STRING>"; // hashmethod used for expected hash: sha256, sha1 or md5sum
+ AllowTLS "<BOOL>"; // whether support for tls is enabled
+
PDiffs "<BOOL>"; // try to get the IndexFile diffs
PDiffs::FileLimit "<INT>"; // don't use diffs if we would need more than 4 diffs
PDiffs::SizeLimit "<INT>"; // don't use diffs if size of all patches excess X% of the size of the original file
diff --git a/methods/connect.cc b/methods/connect.cc
index e48008214..0103b5873 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -640,6 +640,9 @@ struct TlsFd : public MethodFd
bool UnwrapTLS(std::string Host, std::unique_ptr<MethodFd> &Fd,
unsigned long Timeout, aptMethod *Owner)
{
+ if (_config->FindB("Acquire::AllowTLS", true) == false)
+ return _error->Error("TLS support has been disabled: Acquire::AllowTLS is false.");
+
int err;
TlsFd *tlsFd = new TlsFd();
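Review bot: The new early return in `UnwrapTLS` leaves `Fd` as the plain, unwrapped descriptor, and nothing at the guard records that callers must treat this failure as fatal for the connection rather than continue over `Fd` in cleartext. I would add a comment above the check: `// Fail closed: Fd stays unwrapped here, so callers must abort and never fall back to plaintext.` The error would also be easier to triage if it named the peer, e.g. `return _error->Error("TLS support has been disabled: Acquire::AllowTLS is false (host %s).", Host.c_str());`. The body of `UnwrapTLS` continues outside the hunk and its callers are not shown, so whether every caller checks the return value is an assumption to confirm.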