Diffstat (limited to 'methods/https.cc')
-rw-r--r--methods/https.cc14
1 files changed, 14 insertions, 0 deletions
diff --git a/methods/https.cc b/methods/https.cc
index 5d8e63f47..35c23db20 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -151,6 +151,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
default_verify = 0;
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
+ // Also enforce issuer of server certificate using its cert
+ string issuercert = _config->Find("Acquire::https::IssuerCert","");
+ knob = "Acquire::https::"+remotehost+"::IssuerCert";
+ issuercert = _config->Find(knob.c_str(),issuercert.c_str());
+ if(issuercert != "")
+ curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str());
+
// For client authentication, certificate file ...
string pem = _config->Find("Acquire::https::SslCert","");
knob = "Acquire::https::"+remotehost+"::SslCert";
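Review bot: The new `CURLOPT_ISSUERCERT` setting here, and `CURLOPT_CRLFILE` in the second hunk, are only enforced when peer verification is on. libcurl documents both as meaningful only in combination with `CURLOPT_SSL_VERIFYPEER`, and says an issuer mismatch is otherwise not treated as a failure. The visible context shows host verification is configurable, and peer verification is presumably configurable just above this hunk, so a host with verification switched off would accept `IssuerCert` or `CrlFile` in its configuration while getting no protection from them. I would refuse or at least warn on that combination, and state the dependency in the comments, e.g. `// Pin the issuing CA; libcurl only enforces this when peer verification is enabled`. The return value of `curl_easy_setopt` is also dropped in both places, so a libcurl build or TLS backend that does not support these options would leave the pin or CRL unapplied without any message; `if (curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str()) != CURLE_OK)` followed by an error return would make that fail closed. The body of `HttpsMethod::Fetch` starts and ends outside both hunks.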
@@ -177,6 +184,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
final_version = CURL_SSLVERSION_SSLv3;
curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
+ // CRL file
+ string crlfile = _config->Find("Acquire::https::CrlFile","");
+ knob = "Acquire::https::"+remotehost+"::CrlFile";
+ crlfile = _config->Find(knob.c_str(),crlfile.c_str());
+ if(crlfile != "")
+ curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str());
+
// cache-control
if(_config->FindB("Acquire::https::No-Cache",
_config->FindB("Acquire::http::No-Cache",false)) == false)