From 147ac0fc90d972a11f5e91521ba3d385015b5945 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Wed, 28 Jun 2017 17:17:37 +0200 Subject: Introduce Acquire::AllowTLS to turn off TLS support As requested by Henrique de Moraes Holschuh, here comes an option to disable TLS support. If the option is set to false, the internal TLS layer is disabled. --- doc/apt.conf.5.xml | 9 +++++++++ doc/examples/configure-index | 2 ++ methods/connect.cc | 3 +++ 3 files changed, 14 insertions(+) diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml index 260c66c46..54ed78c95 100644 --- a/doc/apt.conf.5.xml +++ b/doc/apt.conf.5.xml @@ -357,6 +357,15 @@ APT::Compressor::rev { + + + Allow use of the internal TLS support in the http method. If set to false, + this completely disables support for TLS in apt's own methods (excluding + the curl-based https method). No TLS-related functions will be called + anymore. + + + Try to download deltas called PDiffs for indexes (like Packages files) instead of diff --git a/doc/examples/configure-index b/doc/examples/configure-index index aada67bf5..a48d4cb99 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -206,6 +206,8 @@ Acquire Source-Symlinks ""; ForceHash ""; // hashmethod used for expected hash: sha256, sha1 or md5sum + AllowTLS ""; // whether support for tls is enabled + PDiffs ""; // try to get the IndexFile diffs PDiffs::FileLimit ""; // don't use diffs if we would need more than 4 diffs PDiffs::SizeLimit ""; // don't use diffs if size of all patches excess X% of the size of the original file diff --git a/methods/connect.cc b/methods/connect.cc index e48008214..0103b5873 100644 --- a/methods/connect.cc +++ b/methods/connect.cc 
@@ -640,6 +640,9 @@ struct TlsFd : public MethodFd bool UnwrapTLS(std::string Host, std::unique_ptr &Fd, unsigned long Timeout, aptMethod *Owner) { + if (_config->FindB("Acquire::AllowTLS", true) == false) + return _error->Error("TLS support has been disabled: Acquire::AllowTLS is false."); + int err; TlsFd *tlsFd = new TlsFd(); -- cgit v1.2.3
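Review bot: The guard added at the top of UnwrapTLS carries no comment saying that it fails closed on purpose, which is the property a later edit must not weaken. When Acquire::AllowTLS is false the function returns through `_error->Error(...)` before `new TlsFd()` runs, so Fd is left as the plain connection; the callers are outside the hunk, so it is presumed rather than shown that they treat this return as a hard failure instead of continuing unencrypted. I would put `// Fail closed: with TLS disabled an https source must error out here, never proceed over the unwrapped Fd.` above the `if`. UnwrapTLS's body continues outside the hunk.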