From eea6312729b11f6c80c6cec027bbc475a34bb2d1 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Fri, 25 Jul 2008 19:45:46 +0200
Subject: * add doc/examples/apt-https-method-example.cof (thanks to Arnaud Ebalard, closes: #485964)
---
doc/examples/apt-https-method-example.conf | 165 +++++++++++++++++++++++++++++
1 file changed, 165 insertions(+)
create mode 100644 doc/examples/apt-https-method-example.conf
(limited to 'doc')
diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf
new file mode 100644
index 000000000..0067171bd
--- /dev/null
+++ b/doc/examples/apt-https-method-example.conf
@@ -0,0 +1,165 @@ +/* This file is a sample configuration for apt https method. Configuration + parameters found in this example file are expected to be used in main + apt.conf file, just like other configuration parameters for different + methods (ftp, file, ...). + + This example file starts with a common setup that voluntarily exhibits + all available configurations knobs with simple comments. Extended + comments on the behavior of the option is provided at the end for + better readibility. As a matter of fact, a common configuration file + will certainly contain far less elements and benefit of default values + for many parameters. + + Because some configuration parameters for apt https method in following + examples apply to specific (fictional) repositories, the associated + sources.list file is provided here: + + ... + + deb https://secure.dom1.tld/debian unstable main contrib non-free + deb-src https://secure.dom1.tld/debian unstable main contrib non-free + + deb https://secure.dom2.tld/debian unstable main contrib non-free + deb-src https://secure.dom2.tld/debian unstable main contrib non-free + + ... + + + Some notes on the servers: + + - secure.dom1.tld is freely accessible using https (no client + authentication is required). + - secure.dom1.tld certificate is part of a multi level PKI, and we + want to specifically check the issuer of its certificate. We do + not have the constraint for secure.dom2.tld + - secure.dom2.tld requires client authentication by certificate + to access its content. + - The certificate presented by both server have (as expected) a CN that + matches their respective DNS names. + - It somtimes happens that we had other more generic https available + repository to our list. We want the checks to be performed against + a common list of anchors (like the one provided by ca-certificates + package for instance) + + The sample configuration below basically covers those simpe needs. 
+*/
+
+
+// Verify peer certificate and also matching between certificate name
+// and server name as provided in sources.list (default values)
+Acquire::https::Verify-Peer "true";
+Acquire::https::Verify-Host "true";
+
+// Except otherwise specified, use that list of anchors
+Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
+
+// Use a specific anchor and associated CRL. Enforce issuer of
+// server certificate using its cert.
+Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
+
+// Like previous for anchor and CRL, but also provide our
+// certificate and keys for client authentication.
+Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
+Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
+
+// No need to downgrade, TLS will be proposed by default. Uncomment
+// to have SSLv3 proposed.
+// Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";
+
+// No need for more debug if every is fine (default). Uncomment
+// me to get additional information.
+// Debug::Acquire::https "true";
+
+
+/* + Options with extended comments: + + Acquire::https[::repo.domain.tld]::CaInfo "/path/to/ca/certs.pem"; + + A string providing the path of a file containing the list of trusted + CA certificates used to verify the server certificate. The pointed + file is made of the concatenation of the CA certificates (in + PEM format) creating the chain used for the verification of the path + from the root (self signed one). If the remote server provides the + whole chain during the exchange, the file need only contain the root + certificate. Otherwise, the whole chain is required. + + If you need to support multiple authorities, the only way is to + concatenate everything. + + If None is provided, the default CA bundle used by GnuTLS (apt https + method is linked against libcurl-gnutls) is used. 
At the time of + writing, /etc/ssl/certs/ca-certificates.crt. + + If no specific hostname is provided, the file is used by default + for all https targets. If a specific mirror is provided, it is + used for the https entries in the sources.list file that use that + repository (with the same name). + + Acquire::https[::repo.domain.tld]::Verify-Peer "true"; + + When authenticating the server, if the certificate verification fails + for some reason (expired, revoked, man in the middle, lack of anchor, + ...), the connection fails. This is obviously what you want in all + cases and what the default value (true) of this option provides. + + If you know EXACTLY what you are doing, setting this option to "false" + allow you to skip peer certificate verification and make the exchange + succeed. Again, this option is for debugging or testing purpose only. + It removes ALL the security provided by the use of SSL.TLS to secure + the HTTP exchanges. + + Acquire::https[::repo.domain.tld]::Verify-Host "true"; + + The certificate provided by the server during the TLS/SSL exchange + provides the identity of the server which should match the DNS name + used to access it. By default, as requested by RFC 2818, the name + of the mirror is checked against the identity found in the + certificate. This default behavior is safe and should not be + changed. If you know that the server you are using has a DNS name + which does not match the identity in its certificate, you can + [report that issue to its administrator or] set the option to + "false", which will prevent the comparison to be done. + + The options can be set globally or on a per-mirror basis. If set + globally, the DNS name used is the one found in the sources.list + file in the https URI. + + Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem"; + Acquire::https[::repo.domain.tld]::SslKey "/path/to/client/key.pem"; + + These two options provides support for client authentication using + certificates. 
They respectively accept the X.509 client certificate + in PEM format and the associated client key in PEM format (non + encrypted form). + + The options can be set globally (which rarely makes sense) or on a + per-mirror basis. + + Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1"; + + This option can be use to select the version which will be proposed + to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is + considered insecure anyway is not supported (by gnutls, which is + used by libcurl against which apt https method is linked). + + When the option is set to "SSLv3" to have apt propose SSLv3 (and + associated sets of ciphersuites) instead of TLSv1 (the default) + when performing the exchange. This prevents the server to select + TLSv1 and use associated cipheruites. You should probably not use + this option except if you know exactly what you are doing. + + Note that the default setting does not guarantee that the server + will not select SSLv3 (for ciphersuites and SSL/TLS version as + selectio is always done by the server, in the end). It only means + that apt will not advertise TLS support. + + Debug::Acquire::https "true"; + + This option can be used to show debug information. Because it is + quite verbose, it is mainly useful to debug problems in case of + failure to connect to a server for some reason. The default value + is "false". + +*/ -- cgit v1.2.3 From 06d79436542ccf3e9664306da05ba4c34fba4882 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2008 14:34:50 +0200 Subject: (thanks to Joey Hess) * document --install-recommends and --no-install-recommends (thanks to Dereck Wonnacott, LP: #126180) --- doc/apt-get.8.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'doc') diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 329a46c51..edb74270b 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml 
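Review bot: The comments `// Use a specific anchor and associated CRL.` and `// Like previous for anchor and CRL` in the common setup promise revocation checking, but the only options set beneath them are CaInfo (plus SslCert/SslKey for secure.dom2.tld), and the extended-options section at the end of the file documents no CRL option at all, so a reader copying this example would believe a CRL is consulted when nothing here configures one. Either drop the CRL wording from both comments or, if the method does accept a CRL file, show that option in the setup and describe it in the extended section. The commented-out `// Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";` line is keyed to a host that is not one of the two mirrors in the sample sources.list, so it cannot be tried against the scenario the file sets up; keying it to secure.dom1.tld would keep the example self-contained. The SslKey paragraph says the key is accepted only in non-encrypted form; one sentence on keeping that file readable only by the account running the method would fit there, since the rest of the file says nothing about how the key is protected.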
@@ -313,6 +313,14 @@ Configuration Item: APT::Get::Compile.
+
+ Also install recommended packages.
+
+
+
+ Do not install recommended packages.
+
+
 Ignore package Holds; This causes apt-get to ignore a hold placed on a package. This may be useful in conjunction with
-- cgit v1.2.3
From 5aa95c863d9bc5b0de7dd1279d3ad672193cc3a6 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Thu, 31 Jul 2008 14:57:38 +0200
Subject: * Apply --important option to apt-cache depends (LP: #16947)
---
doc/apt-cache.8.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/apt-cache.8.xml b/doc/apt-cache.8.xml
index c1e65332d..c359ac3d8 100644
--- a/doc/apt-cache.8.xml
+++ b/doc/apt-cache.8.xml
@@ -289,7 +289,7 @@ Reverse Provides:
- Print only important dependencies; for use with unmet. Causes only Depends and
+ Print only important dependencies; for use with unmet and depends. Causes only Depends and
 Pre-Depends relations to be printed. Configuration Item: APT::Cache::Important.
-- cgit v1.2.3
From 496a05c628d39c981a8f472f16629043d8508808 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Wed, 6 Aug 2008 13:58:44 +0200
Subject: make "apt-get build-dep" installed packages marked automatic by default. This can be changed by setting the value of APT::Get::Build-Dep-Automatic to false (thanks to Aaron Haviland, closes: #44874, LP: #248268)
---
doc/examples/configure-index | 1 +
1 file changed, 1 insertion(+)
(limited to 'doc')
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 9c53154da..0bab8e0f8 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -54,6 +54,7 @@ APT Only-Source ""; Diff-Only "false"; Tar-Only "false";
+ Build-Dep-Automatic "true";
 }; Cache
-- cgit v1.2.3
From 7948d3b25d8190c6d2529efa5983199bd22b6440 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Fri, 12 Sep 2008 11:42:34 +0200
Subject: * doc/makefile: - add examples/apt-https-method-example.conf
---
doc/makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/makefile b/doc/makefile
index 8a8a04c03..6ea1c1343 100644
--- a/doc/makefile
+++ b/doc/makefile
@@ -20,7 +20,7 @@ INCLUDES = apt.ent include $(XML_MANPAGE_H) # Examples
-SOURCE = examples/apt.conf examples/sources.list examples/configure-index
+SOURCE = examples/apt.conf examples/sources.list examples/configure-index examples/apt-https-method-example.conf
 TO = $(DOC) TARGET = binary include $(COPY_H)
-- cgit v1.2.3
From 668ce84da00041c65cae3957d2b49786efa34276 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 3 Feb 2009 14:10:36 +0100
Subject: * methods/https.cc: - add Acquire::https::AllowRedirect support
---
doc/examples/configure-index | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'doc')
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 84b1d8829..a4167085b 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -183,7 +183,8 @@ Acquire Proxy::http.us.debian.org "DIRECT"; // Specific per-host setting Timeout "120"; Pipeline-Depth "5";
-
+ AllowRedirect "true";
+
 // Cache Control. Note these do not work with Squid 2.0.2 No-Cache "false"; Max-Age "86400"; // 1 Day age on index files
@@ -200,7 +201,8 @@ Acquire Verify-Peer "false"; SslCert "/etc/apt/some.pem"; CaPath "/etc/ssl/certs";
- Verify-Host" "2";
+ Verify-Host" "true";
+ AllowRedirect "true";
 }; ftp
-- cgit v1.2.3
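Review bot: The rewritten line `Verify-Host" "true";` in the second configure-index hunk keeps the stray double quote after the option name that the old `Verify-Host" "2";` line had, so the example still shows a malformed key/value pair for exactly the option that protects against a mismatched server identity; since the commit already rewrites the value, it should drop the quote too: `Verify-Host "true";`. That same hunk adds `AllowRedirect "true";` to an https example block that also carries `Verify-Peer "false";`, and neither hunk says what the method does when a redirect leaves the https scheme or the configured host, which is the question a reader has to answer before enabling it; the page does not show that behaviour, so I am not asserting it either way. A one-line comment next to the new option stating whether cross-scheme or cross-host redirects are followed, like the `// Specific per-host setting` style used earlier in the same block, would close that gap in both hunks.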